Configuring a remote Federate connector
Note: The Connector APIs have been deprecated and are scheduled for removal in the next major release.
Siren Federate can query data that lives in another Federate cluster through the Elasticsearch remote clusters module and the Siren Federate connector APIs.
Compatibility with security systems
To execute joins spanning several Federate clusters, grant the following cluster- and index-level permissions on each participating cluster to the user that runs the query. Grant the index-level actions only on the index patterns that the virtual index resolves to (logs-* in the example below) rather than on every index; note also that the wildcard entry indices:data/read* already covers the individual indices:data/read/... actions listed beside it.

Cluster-level:

- cluster:internal/federate/*

Index-level:

- indices:data/read/mget
- indices:data/read/msearch
- indices:data/read/mtv
- indices:data/read/open_point_in_time
- indices:data/read/close_point_in_time
- indices:data/read*
- indices:admin/template/get
- indices:admin/aliases/get
- indices:admin/aliases/exists
- indices:admin/get
- indices:admin/exists
- indices:admin/mappings/fields/get*
- indices:admin/mappings/get*
- indices:admin/mappings/federate/connector/get*
- indices:admin/mappings/federate/connector/fields/get*
- indices:admin/types/exists
- indices:admin/validate/query
- indices:monitor/settings/get
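The following script checks an Elasticsearch role descriptor (the JSON shape returned by GET _security/role/<name>) against the action list above, so that a role can be verified before a cross-cluster join fails with an authorization error. It is example code added to this page, not part of the Siren Federate project; the two role descriptors are constructed for illustration, and the check only understands raw action patterns with a trailing `*` (named privileges such as `read` or `all` are not expanded).

```python
"""Check an Elasticsearch role descriptor against the action-level privileges that
the remote Federate connector needs. Example code added to this page, not part of
the Siren Federate project; the role descriptors below are constructed and the
role names are placeholders."""

# Privileges listed in this section, split into the cluster-level and the
# index-level group.
REQUIRED_CLUSTER = ["cluster:internal/federate/*"]
REQUIRED_INDEX = [
    "indices:data/read/mget",
    "indices:data/read/msearch",
    "indices:data/read/mtv",
    "indices:data/read/open_point_in_time",
    "indices:data/read/close_point_in_time",
    "indices:data/read*",
    "indices:admin/template/get",
    "indices:admin/aliases/get",
    "indices:admin/aliases/exists",
    "indices:admin/get",
    "indices:admin/exists",
    "indices:admin/mappings/fields/get*",
    "indices:admin/mappings/get*",
    "indices:admin/mappings/federate/connector/get*",
    "indices:admin/mappings/federate/connector/fields/get*",
    "indices:admin/types/exists",
    "indices:admin/validate/query",
    "indices:monitor/settings/get",
]


def covers(granted: str, required: str) -> bool:
    """True when the granted pattern matches everything the required entry denotes.

    Both sides are raw action (or index name) patterns in which only a trailing
    '*' is a wildcard, which is how the entries on this page are written. Named
    privileges such as 'read' or 'all' are not expanded (assumption: the role
    uses raw action patterns).
    """
    if granted == required:
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return False


def missing_privileges(role: dict, index_pattern: str) -> dict:
    """Return the required actions that `role` does not grant.

    `role` has the shape returned by GET _security/role/<name>: a "cluster" list
    of action patterns and an "indices" list of {"names": [...], "privileges":
    [...]} blocks. Only blocks whose name patterns cover `index_pattern` (the
    "resource" of the virtual index, e.g. "logs-*") count towards it.
    """
    cluster_granted = role.get("cluster", [])
    index_granted = []
    for block in role.get("indices", []):
        if any(covers(name, index_pattern) for name in block.get("names", [])):
            index_granted.extend(block.get("privileges", []))

    def unmet(required, granted):
        return [r for r in required if not any(covers(g, r) for g in granted)]

    return {
        "cluster": unmet(REQUIRED_CLUSTER, cluster_granted),
        "indices": unmet(REQUIRED_INDEX, index_granted),
    }


# Constructed role: least privilege, scoped to the logs-* pattern of the example.
FEDERATE_LOGS_ROLE = {
    "cluster": ["cluster:internal/federate/*"],
    "indices": [{
        "names": ["logs-*"],
        "privileges": [
            "indices:data/read*",
            "indices:admin/template/get",
            "indices:admin/aliases/*",
            "indices:admin/get",
            "indices:admin/exists",
            "indices:admin/mappings/*",
            "indices:admin/types/exists",
            "indices:admin/validate/query",
            "indices:monitor/settings/get",
        ],
    }],
}

# Constructed role that looks reasonable but is too narrow: it allows msearch
# only, and its mappings grant is on a narrower pattern than the virtual index.
TOO_NARROW_ROLE = {
    "cluster": ["cluster:internal/federate/*"],
    "indices": [
        {"names": ["logs-*"], "privileges": ["indices:data/read/msearch"]},
        {"names": ["logs-2019.*"], "privileges": ["indices:admin/mappings/*"]},
    ],
}

if __name__ == "__main__":
    for name, role in [("federate_logs", FEDERATE_LOGS_ROLE), ("too_narrow", TOO_NARROW_ROLE)]:
        print(name, missing_privileges(role, "logs-*"))
```

The second block in TOO_NARROW_ROLE is deliberately ignored: a grant on logs-2019.* does not cover a virtual index whose resource is logs-*, which is exactly the kind of mismatch that shows up only at query time.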
The remote Federate connector is compatible with the following security systems:
Before you begin

- Ensure that the remote clusters are configured as described in the Configuring remote clusters section of the Elasticsearch documentation.
- Install the Siren Federate plugin on the remote clusters.
- Register the remote Federate cluster on the coordinator cluster. For example, the following settings register a cluster named remotefederate whose seed node (transport endpoint) is 127.0.0.1:9330:

```shell
curl -X PUT http://localhost:9200/_cluster/settings -H 'Content-type: application/json' -d '
{
  "persistent": {
    "cluster": {
      "remote": {
        "remotefederate": {
          "seeds": [ "127.0.0.1:9330" ]
        }
      }
    }
  }
}'
```

The examples on this page talk to an unsecured cluster over plain HTTP on localhost. Against a cluster with security enabled, use https and pass credentials (for example with curl -u user:password or an API key header).
Procedure

In this procedure, we use the example of a remote Federate cluster called remotefederate, which contains indices called logs-2019.01, logs-2019.02, …, logs-2019.12, and so on.

1. Define the datasource as an alias to the remote Federate cluster, by using the Siren Federate datasource API as follows:

```shell
curl -X PUT http://localhost:9200/_siren/connector/datasource/remotefederateds -H 'Content-type: application/json' -d '
{
  "federate": {
    "alias": "remotefederate"
  }
}'
```

2. Define a virtual index on the coordinator cluster that matches the wildcard index pattern logs-*, by using the Siren Federate virtual index API as follows:

```shell
curl -X PUT http://localhost:9200/_siren/connector/index/logsvi -H 'Content-type: application/json' -d '
{
  "datasource": "remotefederateds",
  "resource": "logs-*",
  "key": "_id"
}'
```

3. Execute a join query. For example, the coordinator cluster contains an index called machines, which contains information about IP addresses of machines of interest. To find the logs that are associated with these machines, execute the following Federate join query:

```shell
curl -X GET http://localhost:9200/siren/logsvi/_search -H 'Content-Type: application/json' -d '
{
  "query": {
    "join": {
      "indices": [ "machines" ],
      "on": [ "logs_ip_hash", "machines_ip_hash" ],
      "request": {
        "query": {
          "match_all": {}
        }
      }
    }
  }
}'
```

logs_ip_hash is the IP field in the index logsvi and machines_ip_hash is the IP field in the index machines. The API returns the following response:

```json
{
  "took": 150,
  "timed_out": false,
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "logs-2019-11-12",
        "_id": "0",
        "_score": 2,
        "_source": {
          "date": "2019-11-12T12:12:12",
          "message": "trying out Siren"
        }
      }
    ]
  }
}
```
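The same procedure, run end to end against a cluster with security enabled, as example code added to this page (not Siren's own client): the three connector calls plus the remote-cluster registration are built as an ordered plan, sent with HTTP basic auth over TLS with certificate verification, and the script stops at the first non-2xx response so a failed datasource or virtual index creation does not silently turn into a failing join. The base URL, credentials, CA file and environment variable names are placeholders; the index, datasource and field names are the ones used above.

```python
"""Run the remote Federate connector procedure from this page against a secured
coordinator cluster. Example code added to this page, not Siren's own client.
ES_URL, ES_USER, ES_PASSWORD and ES_CA are placeholder environment variables."""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request


def build_plan(alias, seeds, datasource, virtual_index, resource, local_index, join_on):
    """Return the ordered (method, path, body) requests of the procedure."""
    return [
        ("PUT", "/_cluster/settings",
         {"persistent": {"cluster": {"remote": {alias: {"seeds": list(seeds)}}}}}),
        ("PUT", f"/_siren/connector/datasource/{datasource}",
         {"federate": {"alias": alias}}),
        ("PUT", f"/_siren/connector/index/{virtual_index}",
         {"datasource": datasource, "resource": resource, "key": "_id"}),
        ("GET", f"/siren/{virtual_index}/_search",
         {"query": {"join": {
             "indices": [local_index],
             "on": list(join_on),
             "request": {"query": {"match_all": {}}},
         }}}),
    ]


def execute(plan, base_url, user, password, cafile=None):
    """Send each request with HTTP basic auth over TLS; stop at the first failure."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    # Verify the cluster certificate against the given CA (or the system store)
    # rather than disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    responses = []
    for method, path, body in plan:
        req = urllib.request.Request(
            base_url + path,
            data=json.dumps(body).encode(),
            method=method,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {token}"},
        )
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                responses.append(json.load(resp))
        except urllib.error.HTTPError as err:
            # Surface the cluster's error body (for example a missing privilege)
            # instead of continuing with a datasource or index that was never created.
            raise RuntimeError(
                f"{method} {path} failed: {err.code} {err.read().decode()}") from err
    return responses


def join_hits(search_response):
    """Extract (index, id, source) triples from a join search response."""
    return [(h["_index"], h["_id"], h["_source"])
            for h in search_response["hits"]["hits"]]


if __name__ == "__main__":
    plan = build_plan(alias="remotefederate", seeds=["127.0.0.1:9330"],
                      datasource="remotefederateds", virtual_index="logsvi",
                      resource="logs-*", local_index="machines",
                      join_on=("logs_ip_hash", "machines_ip_hash"))
    results = execute(plan, os.environ.get("ES_URL", "https://localhost:9200"),
                      os.environ["ES_USER"], os.environ["ES_PASSWORD"],
                      os.environ.get("ES_CA"))
    for index, doc_id, source in join_hits(results[-1]):
        print(index, doc_id, source)
```

The join is the last step of the plan, so `results[-1]` is the search response shown above; `join_hits` pulls out only the index, document id and source of each hit.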