Marvel consists of two components: a Marvel agent that you install on on each node in your cluster, and a Marvel application you install in Kibana. The Marvel agent collects and indexes metrics from Elasticsearch and you visualize the data through the Marvel dashboards in Kibana. The agent can index data on the same cluster, or send it to an external monitoring cluster.
To use Marvel with Shield enabled, you need to set up Kibana to work with Shield and create at least one user for the Marvel app. If you are using an external monitoring cluster, you also need to configure a user for the Marvel agent and configure the agent to use the appropriate credentials when communicating with the monitoring cluster.
Setting Up Marvel App Usersedit
When Shield is enabled, Kibana users are prompted to log in when they access the UI. To use the Marvel app, a user must have access to the Kibana indices and permission to read from the Marvel indices.
You set up Marvel app users on the cluster where the monitoring data is being stored. To grant
all of the necessary privileges, assign the user the
marvel_user role and the appropriate
role you derived from the example
my_kibana_user user role
If you’re using the default
filerealm, you can assign roles when you add a user, or modify the role assignments with the
rolescommand. For example, the following command creates a user named
jacknichand assigns the
esusers useradd jacknich -r my_kibana_user,marvel_user -p password
If you are using an LDAP or Active Directory realm, you can either assign roles on a per user basis, or assign roles to groups of users. By default, role mappings are configured in
config/shield/role_mapping.yml. For example, the following snippet assigns the user named Jack Nicholson to the
my_kibana_user: - "cn=Jack Nicholson,dc=example,dc=com" marvel_user: - "cn=Jack Nicholson,dc=example,dc=com"
marvel_user role is defined in the default
For more information about deriving Kibana user roles, see Using Kibana with Shield.
Configuring Marvel Agent to Communicate with a Shield-Enabled Monitoring Clusteredit
To configure the Marvel agent to communicate with a secured monitoring cluster:
Configure a user on the monitoring cluster who has the
remote_marvel_agentrole, which is defined in
roles.yml. For example:
esusers useradd agent-user -r remote_marvel_agent -p password
Remote Marvel Agent Role.
remote_marvel_agent: cluster: [ "manage_index_templates" ] indices: - names: '.marvel-es-*' privileges: [ "all" ]
On each node in the cluster being monitored, configure a Marvel HTTP exporter in
elasticsearch.ymland resart Elasticsearch. In the exporter configuration, you need to:
Specify the location of the monitoring cluster in the
Provide the agent user credentials with the
marvel.agent.exporters: id1: type: http host: ["http://es-mon1:9200", "http://es-mon2:9200"] auth: username: agent-user password: password
If SSL/TLS is enabled on the monitoring cluster:
- Specify the HTTPS protocol when setting the monitoring server host.
Specify a truststore that contains the CA certificate to use to verify the identities of the
nodes in the monitoring cluster. You need to set the
marvel.agent.exporters: id1: type: http host: ["https://es-mon1:9200", "https://es-mon2:9200"] auth: username: agent-user password: password ssl: truststore.path: /path/to/file truststore.password: password id2: type: local
- Set the