Environment Configuration
We rely heavily on environment variables so that the correct log files are streamed to your observability dashboards. The JF_PRODUCT_DATA_INTERNAL environment variable must be set to the correct path for your product.
Helm-based installs will already have this defined based on the underlying Docker images.
For non-k8s-based installations, below is a reference to the Docker image locations per product. Note these locations may be different based on the chosen installation location.
Product | Command |
---|---|
Artifactory | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/artifactory/ |
Xray | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray/ |
Nginx | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/nginx/ |
Mission Control | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/mc/ |
Distribution | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/distribution/ |
Pipelines | export JF_PRODUCT_DATA_INTERNAL=/opt/jfrog/pipelines/var/ |
Fluentd Installation
OS/Virtual Machine
Ensure that you have access to the Internet from the VM. Recommended install is through fluentd's native OS-based package installs:
OS | Package Manager | Link |
---|---|---|
CentOS/RHEL | Linux - RPM (YUM) | https://docs.fluentd.org/installation/install-by-rpm |
Debian/Ubuntu | Linux - APT | https://docs.fluentd.org/installation/install-by-deb |
MacOS/Darwin | MacOS - DMG | https://docs.fluentd.org/installation/install-by-dmg |
Windows | Windows - MSI | https://docs.fluentd.org/installation/install-by-msi |
Gem Install** | MacOS & Linux - Gem | https://docs.fluentd.org/installation/install-by-gem |
**For a Gem-based install, the Ruby interpreter has to be set up first. The following is the recommended process to install Ruby:
Install Ruby Version Manager (RVM) as described in https://rvm.io/rvm/install#installation-explained. Follow all the onscreen instructions to complete the RVM installation.
- For installation across users, a sudo-based install is recommended, as described in https://rvm.io/support/troubleshooting#sudo.
Once the RVM installation is complete, execute the command rvm -v to verify the installation.
Now install Ruby v2.7.0 or above by executing the command rvm install, e.g. rvm install 2.7.5.
Verify the Ruby installation: execute ruby -v, gem -v and bundler -v to ensure all the components are intact.
Once Ruby and Gems are installed, the environment is ready to install new gems. Execute the following gem install commands one after the other to set up the needed ecosystem:
gem install fluentd
After Fluentd is successfully installed, the plugins below must be installed:
gem install fluent-plugin-newrelic
gem install fluent-plugin-jfrog-siem
gem install fluent-plugin-jfrog-metrics
gem install fluent-plugin-jfrog-send-metrics
Configure fluent.conf.* according to the instructions in the Fluentd Configuration for New Relic section, and then run the fluentd wrapper with one argument pointing to the configured fluent.conf.* file.
./fluentd $JF_PRODUCT_DATA_INTERNAL/fluent.conf.
Docker
To run fluentd as a Docker image to send the log, siem and metrics data to New Relic, the following commands must be executed on the host that runs the Docker.
Check that the Docker installation is functional. Execute the commands docker version and docker ps.
Once the version and processes are listed successfully, build the intended Docker image for the observability platform using the Dockerfile.
- Download the Dockerfile from here to any directory that has write permissions.
- Download the Dockerenvfile_.txt file needed to run JFrog/Fluentd Docker images for the intended observability platform.
  - Download Dockerenvfile_newrelic.txt from here to the directory where the Dockerfile was downloaded.
For New Relic as the observability platform, execute these commands to set up the Docker container running the fluentd installation:
- Execute 'docker build --build-arg SOURCE="JFRT" --build-arg TARGET="NEWRELIC" -t .'
  Command example:
  'docker build --build-arg SOURCE="JFRT" --build-arg TARGET="NEWRELIC" -t jfrog/fluentd-newrelic-rt .'
  The above command will build the Docker image.
- Fill in the necessary information in the Dockerenvfile_newrelic.txt file. If the value of any field requires a '/', use '\/', and if a '\' is required, use '\\'.
- Execute 'docker run -it --name jfrog-fluentd-newrelic-rt -v :/var/opt/jfrog/artifactory --env-file Dockerenvfile_newrelic.txt'
  The host path before ':' should be an absolute path where the JFrog Artifactory logs folder resides on the Docker host, i.e. for a Docker-based Artifactory installation. Example: /var/opt/jfrog/artifactory/var/logs
  Command example:
  'docker run -it --name jfrog-fluentd-newrelic-rt -v /var/opt/jfrog/artifactory/var:/var/opt/jfrog/artifactory --env-file Dockerenvfile_newrelic.txt jfrog/fluentd-newrelic-rt'
Kubernetes Deployment with Helm
Recommended installation for Kubernetes is to utilize the helm chart with the associated values.yaml in this repo.
Product | Example Values File |
---|---|
Artifactory | helm/artifactory-values.yaml |
Artifactory HA | helm/artifactory-ha-values.yaml |
Xray | helm/xray-values.yaml |
Update the values.yaml associated to the product you want to deploy with your New Relic settings.
Then deploy the helm chart as described below:
Add JFrog Helm repository:
helm repo add jfrog https://charts.jfrog.io
helm repo update
Replace placeholders with your masterKey and joinKey. To generate each of them, use the command openssl rand -hex 32
Artifactory:
- Replace the newrelic_licensekey in newrelic.licensekey at the end of the yaml file with the License key copied from New Relic in New Relic Setup
- Replace jpd_url in jfrog.observability.metrics.jpd_url with Artifactory JPD URL (note - if deployed on K8s use the localhost and port number combination per sidecar)
- Replace jfrog_user in jfrog.observability.metrics.username with Artifactory username for authentication
- Replace jfrog_api_key in jfrog.observability.metrics.apikey with Artifactory API Key
- Replace jfrog_access_token in jfrog.observability.metrics.accesstoken with Artifactory Scoped Token
- Replace common_jpd_value in jfrog.observability.metrics.common_jpd with true for non-kubernetes installations or installations where JPD base URL is same to access both Artifactory and Xray (ex: https://sample_base_url/artifactory or https://sample_base_url/xray). Default value is false
helm upgrade --install artifactory jfrog/artifactory \
  --set artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \
  --set artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE \
  -f helm/artifactory-values.yaml
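An added example, not part of the JFrog repository: instead of passing masterKey and joinKey with --set, where they end up in shell history and the process list, this script generates them and writes them to a values file readable only by its owner. The file name artifactory-keys.yaml and the function names are assumptions; the YAML keys mirror the --set paths used above.

```shell
#!/bin/sh
# Added example (not from the JFrog repo). Generates masterKey/joinKey and
# stores them in a private Helm values file instead of on the command line.

# gen_key: 32 random bytes as 64 hex characters (what `openssl rand -hex 32` prints).
gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        # Fallback; assumes /dev/urandom and od are available.
        od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
        echo
    fi
}

# write_key_values FILE (hypothetical helper)
# Creates FILE with mode 600. Refuses to overwrite an existing file, because
# the keys have to be reused later (Xray needs the same joinKey).
write_key_values() {
    out=$1
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    master=$(gen_key) || return 1
    join=$(gen_key) || return 1
    [ ${#master} -eq 64 ] && [ ${#join} -eq 64 ] || return 1
    (
        umask 077   # new file gets mode 600
        printf 'artifactory:\n  masterKey: "%s"\n  joinKey: "%s"\n' \
            "$master" "$join" > "$out"
    )
}

# Usage (file name is an assumption):
#   write_key_values ./artifactory-keys.yaml
#   helm upgrade --install artifactory jfrog/artifactory \
#     -f helm/artifactory-values.yaml -f ./artifactory-keys.yaml
```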
Artifactory-HA
For HA installation, create a license secret on your cluster prior to installation:
kubectl create secret generic artifactory-license --from-file=artifactory.cluster.license
Replace placeholders with your masterKey and joinKey. To generate each of them, use the command openssl rand -hex 32
- Replace the newrelic_licensekey in newrelic.licensekey at the end of the yaml file with the License key copied from New Relic in New Relic Setup
- Replace jpd_url in jfrog.observability.metrics.jpd_url with Artifactory JPD URL (note - if deployed on K8s use the localhost and port number combination per sidecar)
- Replace jfrog_user in jfrog.observability.metrics.username with Artifactory username for authentication
- Replace jfrog_api_key in jfrog.observability.metrics.apikey with Artifactory API Key
- Replace jfrog_access_token in jfrog.observability.metrics.accesstoken with Artifactory Scoped Token
- Replace common_jpd_value in jfrog.observability.metrics.common_jpd with true for non-kubernetes installations or installations where JPD base URL is same to access both Artifactory and Xray (ex: https://sample_base_url/artifactory or https://sample_base_url/xray). Default value is false
helm upgrade --install artifactory-ha jfrog/artifactory-ha \
  --set artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \
  --set artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE \
  -f helm/artifactory-ha-values.yaml
Xray
Update the following fields in /helm/xray-values.yaml:
- Replace the newrelic_licensekey in newrelic.licensekey at the end of the yaml file with the License key copied from New Relic in New Relic Setup
- Replace jpd_url in jfrog.observability.jpd_url with Artifactory JPD URL (note - if deployed on K8s use the localhost and port number combination per sidecar)
- Replace jfrog_user in jfrog.observability.username with Artifactory username for authentication
- Replace jfrog_api_key in jfrog.observability.apikey with Artifactory API Key
Use the same joinKey as you used in Artifactory installation to allow Xray node to successfully connect to Artifactory.
helm upgrade --install xray jfrog/xray --set xray.jfrogUrl=http://my-artifactory-nginx-url \
  --set xray.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \
  --set xray.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE \
  -f helm/xray-values.yaml
Fluentd Configuration for New Relic
Download and configure the relevant fluentd.conf files for New Relic
Configuration Steps for Artifactory
Download the Artifactory fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.
cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.rt
Logs data
Override the match directive (jfrog.**) of the downloaded fluent.conf.rt to send logs data to New Relic:
@type newrelic
license_key LICENSE_KEY
logtype "jfrog_artifactory_logs"
Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.
OpenMetrics data
Override the source directive of the downloaded fluent.conf.rt in order to source metrics from Artifactory:
Required:
- JPD_URL is the Artifactory JPD URL of the format http://
- ADMIN_USERNAME is the Artifactory username for authentication
- JFROG_API_KEY is the Artifactory API Key for authentication
- JFROG_ACCESS_TOKEN is the Artifactory Scoped Token
- COMMON_JPD is true for non-kubernetes installations or installations where JPD base URL is same to access both Artifactory and Xray (ex: https://sample_base_url/artifactory or https://sample_base_url/xray). Default value is false
Override the match directive of the downloaded fluent.conf.rt in order to send metrics to New Relic:
@type jfrog_send_metrics
target_platform "NEWRELIC"
apikey LICENSE_KEY
url "https://metric-api.newrelic.com/metric/v1"
Required:
- LICENSE_KEY is the License Key from New Relic in New Relic Setup
- URL: replace if in EU region with https://metric-api.eu.newrelic.com/metric/v1. Default value is https://metric-api.newrelic.com/metric/v1
Configuration Steps for Xray
Download the Xray fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.
cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.xray
Logs and Violation data
Override the source directive of the downloaded fluent.conf.xray to pull Xray Violations:
Required:
- JPD_URL is the Artifactory JPD URL of the format http:// which is used to pull Xray Violations
- ADMIN_USERNAME is the Artifactory username for authentication
- JFROG_API_KEY is the Artifactory API Key for authentication
Optional: If not specified, value is set to current date. Setting from_date value will result in violations from the specified date
Override the match directive of the downloaded fluent.conf.xray to send Logs and Violations to New Relic:
@type newrelic
license_key LICENSE_KEY
logtype "jfrog_artifactory_logs"
Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.
OpenMetrics data
Override the source directive of the downloaded fluent.conf.xray in order to source metrics from Xray:
Required:
- JPD_URL is the Artifactory JPD URL of the format http:// which is used to pull Xray Violations
- ADMIN_USERNAME is the Artifactory username for authentication
- JFROG_API_KEY is the Artifactory API Key for authentication
Override the match directive of the downloaded fluent.conf.rt in order to send metrics to New Relic:
@type jfrog_send_metrics
target_platform "NEWRELIC"
apikey LICENSE_KEY
url "https://metric-api.newrelic.com/metric/v1"
Required:
- LICENSE_KEY is the License Key from New Relic in New Relic Setup
- URL: replace if in EU region with https://metric-api.eu.newrelic.com/metric/v1. Default value is https://metric-api.newrelic.com/metric/v1
Configuration Steps for Nginx
Download the Nginx fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.
cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.nginx
Override the match directive (last section) of the downloaded fluent.conf.nginx with the details given below:
@type newrelic
license_key LICENSE_KEY
logtype "jfrog_nginx_logs"
Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.
Configuration Steps for Mission Control
Download the Mission Control fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.
cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.missioncontrol
Override the match directive (last section) of the downloaded fluent.conf.missioncontrol with the details given below:
@type newrelic
license_key LICENSE_KEY
logtype "jfrog_missioncontrol_logs"
Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.
Configuration Steps for Distribution
Download the Distribution fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.
cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.distribution
Override the match directive (last section) of the downloaded fluent.conf.distribution with the details given below:
@type newrelic
license_key LICENSE_KEY
logtype "jfrog_distribution_logs"
Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.
Configuration Steps for Pipelines
Download the Pipelines fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.
cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.pipelines
Override the match directive (last section) of the downloaded fluent.conf.pipelines with the details given below:
@type newrelic
license_key LICENSE_KEY
logtype "jfrog_pipelines_logs"
Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.
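An added example, not code from the JFrog repository: a pre-flight check to run before starting fluentd with one of the fluent.conf.* files configured above. It reports placeholders that were never replaced and a file mode that lets other users read the license key and API credentials. It assumes the placeholders appear in the downloaded file literally as the names listed under Required; check_fluent_conf is a hypothetical function name.

```shell
#!/bin/sh
# Added example (not from the JFrog repo). Pre-flight check for a
# fluent.conf.* file before it is handed to fluentd.

# Placeholder names the page says must be replaced (assumed to appear
# verbatim in the downloaded configuration files).
PLACEHOLDERS='LICENSE_KEY JPD_URL ADMIN_USERNAME JFROG_API_KEY JFROG_ACCESS_TOKEN'

# check_fluent_conf FILE
# Prints one line per finding; returns 0 when FILE is ready, 1 otherwise.
check_fluent_conf() {
    conf=$1
    rc=0
    if [ -z "${JF_PRODUCT_DATA_INTERNAL:-}" ] || [ ! -d "$JF_PRODUCT_DATA_INTERNAL" ]; then
        echo "JF_PRODUCT_DATA_INTERNAL is unset or not a directory"
        rc=1
    fi
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi
    for p in $PLACEHOLDERS; do
        # -w matches whole words and grep is case-sensitive, so the
        # parameter name "license_key" is not mistaken for the placeholder.
        if grep -qw -- "$p" "$conf"; then
            echo "placeholder $p not replaced in $conf"
            rc=1
        fi
    done
    # The file carries the New Relic license key and JFrog credentials, so
    # group and other should have no access (characters 5-10 of the mode).
    mode=$(ls -lL "$conf" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$conf is accessible to group/other ($mode); chmod 600 it"
        rc=1
    fi
    return $rc
}

# Usage: check_fluent_conf "$JF_PRODUCT_DATA_INTERNAL/fluent.conf.rt" && start fluentd
```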
Dashboards
Artifactory dashboard
JFrog Artifactory Dashboard is divided into three sections: Application, Audit, Requests and Docker.
- Application - This section tracks Log Volume (information about different log sources) and Artifactory Errors over time (bursts of application errors that may otherwise go undetected).
- Audit - This section tracks audit logs that help you determine who is accessing your Artifactory instance and from where. These can help you track potentially malicious requests or processes (such as CI jobs) using expired credentials.
- Requests - This section tracks HTTP response codes, top 10 IP addresses for uploads and downloads.
- Docker - To monitor Dockerhub pull requests users should have a Dockerhub account, either paid or free. Free accounts allow up to 200 pull requests per 6-hour window. Various widgets have been added in the new Docker tab under Artifactory to help monitor your Dockerhub pull requests. An alert is also available to enable, if desired, that will allow you to send emails or add outbound webhooks through configuration to be notified when you exceed the configurable threshold.
- Metrics - To gain insights into the system performance, storage consumption, and connection statistics associated with JFrog Artifactory.
Xray dashboard
JFrog Xray Dashboard is divided into three sections: Logs, Violations and Metrics
- Logs - This dashboard provides a summary of access, service and traffic log volumes associated with Xray. Additionally, customers are also able to track various HTTP response codes, HTTP 500 errors, and log errors for greater operational insight.
- Violations - This dashboard provides an aggregated summary of all the license violations and security vulnerabilities found by Xray. Information is segmented by watch policies and rules. Trending information is provided on the type and severity of violations over time, as well as insights on most frequently occurring CVEs, top impacted artifacts and components.
- Metrics - To gain insights into the system performance, storage consumption, connection statistics, count and type of artifacts and components scanned by JFrog Xray.
Demo Requirements
- Kubernetes Cluster
- Artifactory and/or Xray installed via JFrog Helm Charts
- Helm 3
- New Relic account setup with license key
Generating Data for Testing
Partner Integration Test Framework can be used to generate data for metrics.
References
- Fluentd - Fluentd Logging Aggregator/Agent
- New Relic - New Relic Platform
- New Relic Fluentd plugin - Fluentd output plugin for sending data to New Relic
- JFrog SIEM plugin - Fluentd input plugin to source JFrog Xray Violations