Configure Elasticsearch integrations

  • Release version: Washingtondc
  • Updated December 11, 2024
  • 3 minutes to read

  Configure an integration for seamless log data streaming from Elasticsearch indices to your instance for processing by Health Log Analytics.

    Before you begin

    Note:
    Health Log Analytics supports Elasticsearch versions 5.4 and above. For advanced information about streaming log data from Elasticsearch indices to your instance, see the Stream logs using Elasticsearch data input - Advanced guide [KB1080162] article in the Now Support knowledge base.
    • Ensure that the Health Log Analytics application is installed and provisioned on your instance. For more information, see Health Log Analytics installation.
    • Ensure that a service instance is available.
    • Ensure that the Health Log Analytics AI Engine is up and running.
    • You must have an installed and configured MID Server with the log ingestion capability enabled.
    • If the MID Server IP address is exposed by network address translation (NAT), a load balancer or a similar device, it must have a public IP address. In the MID Server properties, add a property named mid.public_ip with the public IP address as the value. For more information, see Create a MID Server property.
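    The two prerequisites above that can be checked mechanically are the Elasticsearch version floor (5.4 and above) and the requirement that mid.public_ip hold a routable public address when the MID Server sits behind NAT. The following preflight script is an added example, not ServiceNow or Elasticsearch code; it assumes you have fetched the JSON that Elasticsearch returns for GET / on the cluster, and the sample responses and addresses below are constructed.

```python
import ipaddress
import json
from typing import List, Optional

MIN_SUPPORTED = (5, 4)  # Health Log Analytics supports Elasticsearch 5.4 and above


def parse_es_version(root_response_json: str) -> tuple:
    """Extract (major, minor) from the JSON body Elasticsearch returns for GET /."""
    info = json.loads(root_response_json)
    number = info["version"]["number"]
    # Drop pre-release/build suffixes such as "7.10.2-SNAPSHOT" before splitting
    parts = number.split("-")[0].split(".")
    return int(parts[0]), int(parts[1])


def version_supported(root_response_json: str) -> bool:
    return parse_es_version(root_response_json) >= MIN_SUPPORTED


def mid_public_ip_ok(value: Optional[str]) -> bool:
    """mid.public_ip must be a public address: RFC 1918, loopback and link-local are rejected."""
    if not value:
        return False
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return addr.is_global


def preflight(root_response_json: str, mid_public_ip: Optional[str], behind_nat: bool) -> List[str]:
    """Return the list of unmet prerequisites; an empty list means the integration can be activated."""
    problems = []
    if not version_supported(root_response_json):
        major, minor = parse_es_version(root_response_json)
        problems.append(f"Elasticsearch {major}.{minor} is below the supported minimum 5.4")
    if behind_nat and not mid_public_ip_ok(mid_public_ip):
        problems.append(f"MID Server is behind NAT but mid.public_ip={mid_public_ip!r} is not a public IP")
    return problems


# Constructed sample responses (not captured from a real cluster)
SAMPLE_ES_8 = '{"name":"node-1","version":{"number":"8.12.0"},"tagline":"You Know, for Search"}'
SAMPLE_ES_OLD = '{"name":"node-1","version":{"number":"5.3.1"}}'

if __name__ == "__main__":
    for problem in preflight(SAMPLE_ES_OLD, "10.0.0.5", behind_nat=True):
        print("FAIL:", problem)
```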

    Role required: evt_mgmt_admin

    Procedure

    1. Navigate to Workspaces > Service Operations Workspace.
    2. From the left pane, select the Integrations Launchpad icon.
    3. In the Browse integrations tab, enter Elasticsearch in the search field.
    4. Select the Elasticsearch integration tile.
      Note:
      If you started the integration process without meeting all the prerequisites listed in the Before you begin section, a message appears. You have the option to cancel the integration and complete the missing requirements, or continue in draft mode and fulfill them later. Keep in mind that you can only activate a configured integration when all the prerequisites are met.
    5. On the Provide details form, fill in the fields.
      For a description of the fields, see the Provide details table in Elasticsearch integration configuration fields.
    6. Select Next.
    7. On the Set data retrieval method form, fill in the fields.
      This form requires you to specify which log data should be retrieved from the device, the extraction method, and how to stream the data to the instance. For a description of the fields, see Elasticsearch integration configuration fields.
    8. Optional: Select Advanced settings to set advanced configuration fields.
      For a description of the fields, see the Advanced settings table in Elasticsearch integration configuration fields.
    9. Select Test and save.
      The system saves the new integration to the database and tests the configured port, returning either success or an error. If an error is returned, adjust your configuration according to the suggestions on the screen, and then select Test and save again. Once the test is successful, you can activate the integration.
    10. Select Activate.
      Note:
      You can only activate a configured integration when you have fulfilled all the prerequisites listed in the Before you begin section.
      The integration is activated and the Overview tab is displayed.
    11. Optional: If you installed the integration in draft mode, perform these steps to activate it:
      1. Complete the integration prerequisites.
      2. In the Integrations Launchpad Installed integrations tab, under Waiting for your action, locate and select the integration.
      3. On the Set data retrieval method tab, select Activate to activate the integration.

    Result

    Log data starts streaming to your ServiceNow instance. The tile for the integration is available in the Installed integrations tab on the Integrations Launchpad.

    Users with the evt_mgmt_user role can use Event Management to monitor the logs and view the alerts that Health Log Analytics generates from them.

    What to do next

    Review the log data streaming status and sources of the integration on the Overview tab. Leverage the displayed information to refine how HLA reads the log data by adjusting your integration configuration. For more information, see Review log data streaming status and sources of an integration.
    Note:
    You can go directly from this tab to the Data Input Mapping, Source Type Structures, and Log Sources pages with context from the integration. If the log data is not properly mapped, structured, or sourced, you can go back and adjust the configuration of the integration.
    1. Select the View menu icon.
    2. Choose the appropriate menu option.
    3. Review the displayed information.
    4. Adjust the integration configuration if needed.