This integration allows for the importation, searching, and viewing of application log data from within ServiceNow.
The solution consists of three logical tiers of infrastructure.
The end-user interface is written natively for ServiceNow. The ServiceNow Update Sets outlined below include enhancements which provide an interface for free-form searching of log data according to various parameters. An additional Alert-specific component intelligently retrieves logs related to any given Alert appearing within Perspectium's ServiceNow application.
ServiceNow communicates over RESTful HTTP(S) with a backend Microservice that provides an API for searching and retrieving log messages. The connection to this tier is configured within ServiceNow on the properties page of the Elasticsearch module.
Behind the solution lies the so-called ELK stack, which requires an installation of Elasticsearch, Logstash, and Kibana. See http://www.elastic.co for more information. Application log data must be preformatted as JSON documents that follow the Logstash document schema. Perspectium's application logging uses an enhanced schema with additional fields for application name, version, and cluster; these additions give each document clear semantic meaning in a multi-data-center enterprise installation.
Before transmission to Elasticsearch for final storage, log data is enriched with additional fields by Elastic's Filebeat. More information on configuring application nodes for Cloud Logging is available from Perspectium's Knowledgebase: Manual configuration of MBS node for Cloud Logging (Elasticsearch). All Docker images are pre-configured with our Cloud Logging capability, which is activated by providing Logstash host information in the Docker environment variables used to start the image.
The update sets should be installed in this order:
Once both update sets have been installed, the Perspectium app in the ServiceNow menu should show the Elasticsearch module.
The properties under the Perspectium Elasticsearch module must be configured before the functionality can be used.
If the following values have not already been provided to you, please contact email@example.com.
PSP Elasticsearch Properties

| Property | Description |
|---|---|
| Elasticsearch Service URL | The URL of the Elasticsearch Microservice |
| Elasticsearch Service User | The username used to authenticate to the Elasticsearch Microservice |
| Elasticsearch Service Password | The password used to authenticate to the Elasticsearch Microservice |
| +/- Retrieval Interval for Alerts (seconds) | Log messages for alerts are retrieved partly by the timestamp of the alert. This value sets the number of seconds before and after an alert for which logs will be retrieved. |
The Find Logs capability for Perspectium Alerts is integrated into the form view for an individual alert. To use it, navigate into a specific alert and click the “Find Logs” button.
Upon clicking Find Logs, related logs will be retrieved and displayed in the grid below the Alert detail.
The system first searches for logs on the specific host identified by the "key" value of the alert. If no logs are found for that host, an informational message is displayed and a broader search is launched automatically. Logs are always retrieved by timestamp according to the interval configured on the properties page.
Log entries that exactly match a given alert (matching key/host, message, and timestamp) are automatically highlighted with a red dot on the timestamp entry for ease of use.
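The Find Logs retrieval described above, as an added example that is not Perspectium's code: it builds the host-restricted time-window query the microservice would send to Elasticsearch, falls back to the broader window-only search when the host yields nothing, and flags exact matches. The document field names (host, application, version, cluster, message) and the sample documents are assumptions modelled on the Logstash schema.

```javascript
// Added example, not Perspectium's code. Field names are assumptions
// modelled on the Logstash schema plus the application/version/cluster extras.

// Constructed sample log documents (not real data).
var SAMPLE_LOGS = [
  { "@timestamp": "2024-05-01T10:00:00Z", host: "mbs-node-1", application: "mbs",
    version: "4.0", cluster: "us-west", message: "Queue backlog exceeded threshold" },
  { "@timestamp": "2024-05-01T10:00:20Z", host: "mbs-node-1", application: "mbs",
    version: "4.0", cluster: "us-west", message: "Retrying delivery" },
  { "@timestamp": "2024-05-01T10:00:10Z", host: "mbs-node-2", application: "mbs",
    version: "4.0", cluster: "us-west", message: "Heartbeat ok" },
  { "@timestamp": "2024-05-01T10:02:00Z", host: "mbs-node-1", application: "mbs",
    version: "4.0", cluster: "us-west", message: "Queue drained" }
];

// The [alert - interval, alert + interval] window, in epoch milliseconds.
function alertWindow(alertTimestamp, intervalSeconds) {
  var t = Date.parse(alertTimestamp);
  return { from: t - intervalSeconds * 1000, to: t + intervalSeconds * 1000 };
}

// Elasticsearch bool query: a time range, plus a host term when restricted
// to the alert's "key" value (the host).
function buildQuery(alert, intervalSeconds, restrictToHost) {
  var w = alertWindow(alert.timestamp, intervalSeconds);
  var must = [{ range: { "@timestamp": { gte: w.from, lte: w.to, format: "epoch_millis" } } }];
  if (restrictToHost) { must.push({ term: { host: alert.key } }); }
  return { query: { bool: { must: must } } };
}

// Evaluate that query locally against in-memory documents.
function runQuery(query, logs) {
  var must = query.query.bool.must;
  return logs.filter(function (doc) {
    return must.every(function (clause) {
      if (clause.range) {
        var ts = Date.parse(doc["@timestamp"]);
        return ts >= clause.range["@timestamp"].gte && ts <= clause.range["@timestamp"].lte;
      }
      return doc.host === clause.term.host;
    });
  });
}

// Host-specific search first; if empty, broaden to the time window only.
// A hit is exactMatch when key/host, message and timestamp all agree.
function findLogsForAlert(alert, logs, intervalSeconds) {
  var hits = runQuery(buildQuery(alert, intervalSeconds, true), logs);
  var broadened = hits.length === 0;
  if (broadened) { hits = runQuery(buildQuery(alert, intervalSeconds, false), logs); }
  return { broadened: broadened, hits: hits.map(function (doc) {
    return { doc: doc, exactMatch: doc.host === alert.key && doc.message === alert.message &&
             Date.parse(doc["@timestamp"]) === Date.parse(alert.timestamp) };
  }) };
}
```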