Elasticsearch

Audit providers are configured by modifying the application.conf file:

b2audit {
    elasticsearch {
        host: "localhost"
        port: 9200
        scheme: "http"
    }
}

The above is an example configuration for an audit client that connects to an Elasticsearch instance on localhost.

Note

These are the default values; they do not need to be overridden in application.conf unless you are connecting to a host other than localhost.

Elasticsearch index definitions are configured using JSON files. The built-in REST request audit service uses a file called es-resourcerequests.json to define its mappings:

{
    "mappings": {
        "@@INDEX_TYPE@@": {
            "_all": { "enabled": false },
            "properties": {
                "class": {
                    "type": "text",
                    "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                },
                "duration": { "type": "integer" },
                "status": { "type": "integer" },
                "email": {
                    "type": "text",
                    "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                },
                "httpMethod": {
                    "type": "text",
                    "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                },
                "method": {
                    "type": "text",
                    "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                },
                "package": {
                    "type": "text",
                    "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                },
                "path": {
                    "type": "text",
                    "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                },
                "timestamp": {
                    "type": "date",
                    "format": "YYYY-MM-dd HH:mm:ss.SSSZ"
                },
                "queryParams": {
                    "type": "nested",
                    "properties": {
                        "name": {
                            "type": "text",
                            "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                        },
                        "values": {
                            "type": "text",
                            "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                        }
                    }
                },
                "pathParams": {
                    "type": "nested",
                    "properties": {
                        "name": {
                            "type": "text",
                            "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                        },
                        "values": {
                            "type": "text",
                            "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }
                        }
                    }
                }
            }
        }
    }
}

To override this file, place a modified copy in $B2BOX_DATA/conf.

Index names

The index names generated by Platform 6 have a strict format:

b2-<user index name>--<b2box application id>

For example:

b2-resourcerequests--simont-test or b2-myindex--simont-test
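As an added example (not Platform 6 code), the following Python helpers compose and parse names in this format and check them against Elasticsearch's own index-name rules (lowercase only; none of the characters \ / * ? " < > | space , #; no leading -, _ or +; at most 255 bytes), so that a bad user index name or application id is caught before the index is created. They also derive the Elasticsearch base URL from the b2audit settings shown above. The dictionary used to hold those settings is an assumption; Platform 6 reads them from application.conf.

```python
# Added example: helpers for Platform 6 audit index names (not the platform's own code).
# The b2audit defaults mirror the application.conf example above; holding them in a
# dictionary is an assumption, not Platform 6's configuration API.
DEFAULT_B2AUDIT = {"host": "localhost", "port": 9200, "scheme": "http"}

PREFIX = "b2-"
SEPARATOR = "--"
# Characters Elasticsearch refuses inside an index name.
FORBIDDEN_CHARS = set('\\/*?"<>| ,#')


def index_name_problem(name):
    """Return None if Elasticsearch would accept this index name, else the reason."""
    if not name or name in (".", ".."):
        return "index name must not be empty, '.' or '..'"
    if name != name.lower():
        return "index names must be lowercase"
    if name[0] in "-_+":
        return "index name must not start with '-', '_' or '+'"
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        return "index name contains forbidden characters: " + repr("".join(bad))
    if len(name.encode("utf-8")) > 255:
        return "index name exceeds 255 bytes"
    return None


def build_index_name(user_index, app_id):
    """Compose b2-<user index name>--<b2box application id> and validate the result."""
    if not user_index or not app_id:
        raise ValueError("both the user index name and the application id are required")
    if SEPARATOR in user_index or SEPARATOR in app_id:
        raise ValueError("'--' is the separator and may not appear in either part")
    name = PREFIX + user_index + SEPARATOR + app_id
    problem = index_name_problem(name)
    if problem:
        raise ValueError(problem)
    return name


def parse_index_name(name):
    """Split a generated index name back into (user index name, application id)."""
    if not name.startswith(PREFIX) or name.count(SEPARATOR) != 1:
        raise ValueError("not a Platform 6 audit index name: " + repr(name))
    user_index, app_id = name[len(PREFIX):].split(SEPARATOR)
    if not user_index or not app_id:
        raise ValueError("empty user index name or application id in " + repr(name))
    return user_index, app_id


def audit_base_url(config=None):
    """Build scheme://host:port from b2audit settings, falling back to the defaults."""
    cfg = dict(DEFAULT_B2AUDIT)
    cfg.update(config or {})
    return "%s://%s:%s" % (cfg["scheme"], cfg["host"], cfg["port"])


def index_url(user_index, app_id, config=None):
    """URL of the index itself, e.g. the target of a HEAD request to check existence."""
    return audit_base_url(config) + "/" + build_index_name(user_index, app_id)


if __name__ == "__main__":
    for user_index in ("resourcerequests", "myindex"):
        print(index_url(user_index, "simont-test"))
    print(index_name_problem("b2-MyIndex--simont-test"))
```

The application id "simont-test" contains a single hyphen, which is why the parser splits on the double-hyphen separator exactly once rather than on every hyphen.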

Kibana can then be used to view and search the index data generated:

[Screenshot: Kibana View 1]

Specifying audit trail structure via JSON

A named Elasticsearch index is created from a JSON definition file when the Groovy method audit.open(id) is called.

If the index already exists, no update is performed and the current definition is left unchanged.

The JSON file is looked up using the pattern es-<id>.json and should be placed on the classpath in $B2BOX_DATA/conf.

The following is an example index mapping file:

{
    "mappings": {
        "myindex": {
            "_all": { "enabled": false },
            "properties": {
                "timestamp": {
                    "type": "date",
                    "format": "YYYY-MM-dd HH:mm:ss.SSSZ"
                },
                "company": {
                    "type": "text",
                    "fields": {"keyword": { "type": "keyword", "ignore_above": 256 } }
                },
                "amount": { "type": "float" },
                "taxes": {
                    "type": "nested",
                    "properties": {
                        "salestax": { "type": "float" },
                        "taxrate": { "type": "float" }
                    }
                }
            }
        }
    }
}

Note

The Platform 6 audit trail client automatically generates a timestamp value for each record, so it is advisable to include a mapping definition for the timestamp field.

The following Groovy script creates the index structure defined in the file es-myindex.json:

def success = audit.open("myindex") // creates the index from es-myindex.json unless it already exists
println success

Writing to an audit trail

Writing (posting) to an audit trail is simple in Groovy:

def auditValues = [:]            // one record, keyed by the field names in the mapping
auditValues["company"] = "Amalto"
auditValues["amount"] = 101.12

audit.post "myindex", auditValues // the timestamp field is added by the client

Note

Once an audit trail index has been created there is no need to call the open method again, unless you need to verify its existence.

Writing a record that contains a nested field is slightly more involved:

def auditValues = [:]

def taxValues = []               // the nested "taxes" field holds a list of objects

def taxValue1 = [:]
taxValue1["salestax"] = 12.35
taxValue1["taxrate"] = 10
taxValues.push(taxValue1)

def taxValue2 = [:]
taxValue2["salestax"] = 123.45
taxValue2["taxrate"] = 100
taxValues.push(taxValue2)

auditValues["taxes"] = taxValues // each list element must match the nested mapping
auditValues["company"] = 'Amalto'
auditValues["amount"] = 123.45
audit.post 'myindex', auditValues
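To make concrete what the open and post calls above involve, here is an added Python example that is not Platform 6's client (which is driven from Groovy). It works entirely offline: it loads the es-myindex.json mapping shown earlier (embedded as a constructed copy), generates a timestamp in the mapping's YYYY-MM-dd HH:mm:ss.SSSZ format, checks a record, including the nested taxes list, against the mapping before it would be posted, and leaves an already-open index untouched. The AuditTrail class, the True/False return values of its open method, and the rule that a @@INDEX_TYPE@@ placeholder stands for the index id are all assumptions made for this example.

```python
import copy
import json
import re
from datetime import datetime, timezone

# Constructed copy of the es-myindex.json mapping shown above; Platform 6 itself
# would read it from $B2BOX_DATA/conf/es-<id>.json.
ES_MYINDEX_JSON = """
{ "mappings": { "myindex": {
    "_all": { "enabled": false },
    "properties": {
      "timestamp": { "type": "date", "format": "YYYY-MM-dd HH:mm:ss.SSSZ" },
      "company": { "type": "text",
                   "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } },
      "amount": { "type": "float" },
      "taxes": { "type": "nested",
                 "properties": { "salestax": { "type": "float" },
                                 "taxrate": { "type": "float" } } } } } } }
"""

# Python types accepted for each Elasticsearch field type used on this page.
SCALAR_TYPES = {"text": str, "keyword": str, "integer": int, "float": (int, float), "date": str}
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}$")


def mapping_file_name(index_id):
    """File the platform looks up for an index id: es-<id>.json."""
    return "es-%s.json" % index_id


def load_mapping(index_id, json_text):
    """Return the property map of the index type in an es-<id>.json document.
    Assumption: a @@INDEX_TYPE@@ placeholder stands for the index id."""
    types = json.loads(json_text)["mappings"]
    type_name = "@@INDEX_TYPE@@" if "@@INDEX_TYPE@@" in types else index_id
    if type_name not in types:
        raise ValueError("no mapping type for index %r, found %s" % (index_id, list(types)))
    return types[type_name]["properties"]


def generate_timestamp(now=None):
    """Render a timestamp in the mapping's Joda format YYYY-MM-dd HH:mm:ss.SSSZ."""
    now = now or datetime.now(timezone.utc)
    millis = now.microsecond // 1000
    return "%s%03d%s" % (now.strftime("%Y-%m-%d %H:%M:%S."), millis, now.strftime("%z"))


def is_valid_timestamp(value):
    return isinstance(value, str) and bool(TIMESTAMP_RE.match(value))


def validate_record(record, properties, path=""):
    """List every way the record disagrees with the mapping; an empty list means it fits."""
    problems = []
    for name, value in record.items():
        where = path + name
        spec = properties.get(name)
        if spec is None:
            problems.append("%s: not in mapping (Elasticsearch would map it dynamically)" % where)
            continue
        es_type = spec.get("type")
        if es_type == "nested":
            items = value if isinstance(value, list) else [value]
            for i, item in enumerate(items):
                if not isinstance(item, dict):
                    problems.append("%s[%d]: nested value must be an object" % (where, i))
                else:
                    problems.extend(validate_record(item, spec["properties"], "%s[%d]." % (where, i)))
        elif es_type in SCALAR_TYPES:
            if isinstance(value, bool) or not isinstance(value, SCALAR_TYPES[es_type]):
                problems.append("%s: expected %s, got %s" % (where, es_type, type(value).__name__))
        else:
            problems.append("%s: unsupported mapping type %r" % (where, es_type))
    return problems


class AuditTrail:
    """In-memory stand-in for audit.open / audit.post (constructed for this example)."""

    def __init__(self):
        self.indices = {}    # index id -> property map
        self.documents = {}  # index id -> records posted so far

    def open(self, index_id, json_text):
        """Create the index from its mapping; an existing index is left unchanged (assumed return values)."""
        if index_id in self.indices:
            return False
        self.indices[index_id] = load_mapping(index_id, json_text)
        self.documents[index_id] = []
        return True

    def post(self, index_id, values, now=None):
        """Add the timestamp, validate against the mapping, then store the record."""
        if index_id not in self.indices:
            raise KeyError("index %r has not been opened" % index_id)
        doc = copy.deepcopy(values)
        doc.setdefault("timestamp", generate_timestamp(now))
        problems = validate_record(doc, self.indices[index_id])
        if problems:
            raise ValueError("; ".join(problems))
        self.documents[index_id].append(doc)
        return doc


if __name__ == "__main__":
    trail = AuditTrail()
    print(trail.open("myindex", ES_MYINDEX_JSON))
    record = {"company": "Amalto", "amount": 123.45,
              "taxes": [{"salestax": 12.35, "taxrate": 10}, {"salestax": 123.45, "taxrate": 100}]}
    print(trail.post("myindex", record))
```

Rejecting fields that are absent from the mapping is a deliberate choice here: Elasticsearch would otherwise add them dynamically, and an audit index whose schema drifts with whatever the scripts happen to post is harder to search and to reason about later.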

Using Kibana you can see the audit data that was written:

[Screenshot: Kibana View 2]