Follow the steps below to configure Cyral to output repository activity logs to ELK.
Contact your Cyral support representative to get the deployment template for your cloud environment, and then follow the steps below.
Use the ELK Terraform template provided by the Cyral support team to deploy the AWS Elasticsearch service using Terraform. In the template for ELK, enter the appropriate values based on where you’d like to deploy the ELK cluster.
NOTE: The ELK cluster must be deployed in the same VPC as your sidecar for it to receive logs from the sidecar. Verify that your AWS account has the appropriate IAM role to deploy the ELK cluster by running the following command:
aws iam get-role --role-name "AWSServiceRoleForAmazonElasticsearchService"
If this command yields an error, then set es_create_iam_service_linked_role in the Terraform template to true — otherwise, set it to
With the values populated in the Terraform template, deploy the ELK stack by running the following:
terraform init
terraform apply
Once installation is complete, you will see the following output containing your Kibana endpoint.
Apply complete! Resources: 4 added, 1 changed, 0 destroyed.

Outputs:

kibana_access = To access kibana visit: http://188.8.131.52:5601
Use the ELK CloudFormation template provided by the Cyral support team to deploy the AWS Elasticsearch service using AWS CloudFormation, taking note of the following steps:
First, set the RemoteAccessCIDR range to your corporate IP addresses while deploying the stack to restrict access to Kibana.
Next, check for the IAM role required to install the ELK template. If it does not yet exist, create it with the following command:
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
Note: The ELK stack needs to be deployed in the same VPC containing your sidecar.
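The Terraform and CloudFormation steps above both hinge on the same question: does the Elasticsearch service-linked role already exist in the account? The script below is an added example (not part of the Cyral documentation or its templates) that answers it once with the aws iam get-role command shown earlier, derives the es_create_iam_service_linked_role value for the Terraform path, and runs the create-service-linked-role command from the CloudFormation path only when the role is missing, so it is safe to rerun. It assumes the Terraform variable is a boolean (so the alternative to true is false) and that the tfvars file name is your choice.

```shell
#!/bin/sh
# Added example, not Cyral's code: pre-flight check for the Elasticsearch
# service-linked role used by both the Terraform and CloudFormation paths.

ES_ROLE_NAME="AWSServiceRoleForAmazonElasticsearchService"

# Returns 0 if the service-linked role exists, 1 otherwise.
# Same lookup as the docs' "aws iam get-role" check; output is discarded,
# only the exit status matters.
es_role_exists() {
  aws iam get-role --role-name "$ES_ROLE_NAME" >/dev/null 2>&1
}

# Prints the value to give es_create_iam_service_linked_role:
# "true" when the role is missing (Terraform must create it),
# "false" when it already exists (assumed: the variable is a boolean).
tf_create_role_flag() {
  if es_role_exists; then
    echo "false"
  else
    echo "true"
  fi
}

# Writes the flag into a tfvars file (default name is an assumption) so
# "terraform apply" picks it up without hand-editing the template.
write_tfvars() {
  out="${1:-elk.auto.tfvars}"
  printf 'es_create_iam_service_linked_role = %s\n' "$(tf_create_role_flag)" > "$out"
  cat "$out"
}

# CloudFormation path: create the role only if it is missing, using the
# command from the docs. Idempotent, so rerunning it is harmless.
ensure_es_role() {
  if es_role_exists; then
    echo "role $ES_ROLE_NAME already exists"
  else
    aws iam create-service-linked-role --aws-service-name es.amazonaws.com
  fi
}
```

Run write_tfvars before terraform apply on the Terraform path, or ensure_es_role before launching the CloudFormation stack; both need AWS credentials with iam:GetRole (and iam:CreateServiceLinkedRole for the latter).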
Once the deployment is complete, take note of the BastionEIP value, which is the address of the bastion host. You'll find this in the Outputs tab in CloudFormation. It will be used in the next step.
In this example, our endpoint is
Deploy the ELK stack to Kubernetes using Helm 3. Download the Helm 3 template for ELK and enter the appropriate values in the template based on where you'd like to deploy the ELK cluster.
helm repo add elastic https://helm.elastic.co
kubectl create namespace $SIDECAR_NAMESPACE
helm install cyral-elasticsearch elastic/elasticsearch --namespace $SIDECAR_NAMESPACE --set imageTag=7.4.2 --set service.type=LoadBalancer
helm install cyral-kibana elastic/kibana --namespace $SIDECAR_NAMESPACE --set imageTag=7.4.2 --set service.type=LoadBalancer
Now that the AWS Elasticsearch service is deployed, let's integrate it with Cyral.
- In the Cyral management console, click Integrations, find the ELK card, and click Configure or Setup.
In the ELK configuration form, you will be prompted to enter the following:
- Integration Name: Integration name of your choice.
- Kibana URL: The Kibana server's hostname. If you're using Terraform, this matches the Terraform template provided by ELK (kibana.local, by default).
- Elasticsearch URL: Address where Elasticsearch is available. By default, this is
- Click Save to connect the integration.
Each sidecar that will send logs to this log destination will need to be deployed with its Log Integration set to the Integration Name you specified above.
When deploying new sidecars, make sure to choose the name of this Log Integration when you generate the template.
NOTE: Sidecars that are already deployed will need to be redeployed.
Once the ELK integration is configured, administrators will be able to view and monitor data repository activity logs in Kibana.
- Set up an ELK stack
- Turn on data activity monitoring for your repository
- Specify your logging preferences for each repository monitored by Cyral.
If you haven't already done so, run a few queries to generate query logs.
- If your repository is set to log all activity, any query will do.
- If you have a policy that logs only certain types of activity, run a query that falls within the scope of the policy.
Access the Kibana dashboard as shown here for your cloud platform:
- AWS Elasticsearch: In your browser, visit the Kibana dashboard address provided in the Terraform or CloudFormation output from your deployment. See Set up an ELK stack for deployment details.
- Kubernetes: Before you can connect to Kibana on Kubernetes, you must forward a local port to a port on the Kibana pod:
kubectl port-forward --namespace $SIDECAR_NAMESPACE svc/cyral-kibana-kibana 5601:5601
Once port forwarding is established, use your browser to visit
To limit the view to show only query logs, search for the log field endUser in the search bar.
Cyral provides a dashboard you can import into your Kibana to observe
performance insights based on the query logs generated by your
sidecars. Importing this also creates an index matching the pattern
filebeat* to capture logs produced by sidecars.
Download the Performance Insights Dashboard file by clicking Integrations: ELK: Configure and clicking the Download Kibana Dashboards button.
Navigate to the Saved Objects tab in the Management page (in the sidebar), and click Import. You can expand the sidebar using the button in the bottom left of the screen to make navigation easier.
Select the performance-insights-dashboard.ndjson file, check the toggle to Automatically overwrite all saved objects, and click Open.
The Performance Insights dashboard should now be available, and you can find it by navigating to the Dashboards page (in the sidebar).