
ElasticSearch Installation

DoveRunner Mobile App Security stores its reports in Elasticsearch. You can use a self-hosted ELK stack or a managed ELK service such as Elastic Cloud (elastic.co), an Elasticsearch instance on AWS, or the equivalent from another cloud provider.

Supported Elastic Version

  • This installation guide is based on Elasticsearch v7.13.3 or later. The rollup jobs below use the rollup API, which Elastic deprecated in 8.11.0 in favour of time-series downsampling; it still works in 8.x, but check the release notes of your target version before upgrading past 7.x.

The Elasticsearch service should be configured to collect data such as hacking reports and user activity reports. DoveRunner Mobile App Security uses a number of custom objects (index lifecycle policies, index templates, rollup jobs and aliases) to manage the reports and the daily batch jobs. These objects cannot be imported automatically, so customers must create them manually with the requests below, in the order given. The account used for this needs the manage_ilm, manage_index_templates and manage_rollup cluster privileges and the manage privilege on the svc_* indices; use a dedicated setup account with those privileges rather than the built-in elastic superuser.

An index lifecycle management (ILM) policy removes old indices from disk. The two policies below keep an index for 10 days after it is created (there is no rollover action, so age is counted from index creation) and then delete it. The retention can be changed to the customer's requirements; note that it also bounds how far back hacking reports can be investigated in the raw indices, because only the daily rollup statistics survive the deletion. Elasticsearch offers many more index lifecycle options (rollover, warm and cold phases, shrink, force merge), so it is worth reviewing them before changing the policy.

PUT _ilm/policy/svc_lifecycle
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {}
      },
      "delete": {
        "min_age": "10d",
        "actions": {
          "delete": {
            "delete_searchable_snapshot": true
          }
        }
      }
    }
  }
}

PUT _ilm/policy/svc_ios_lifecycle
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {}
      },
      "delete": {
        "min_age": "10d",
        "actions": {
          "delete": {
            "delete_searchable_snapshot": true
          }
        }
      }
    }
  }
}

Index templates configure the structure of the report indices and attach an alias to every index whose name matches the template's pattern. The alias lets several indices be read under one name: every svc_running_* index, for example, is reachable as svc_running_raw, which is what the rollup jobs below read from. Two settings deserve a check before use: the Android running template sets number_of_replicas to 0, so a single node failure loses those indices, while the hacking template keeps one replica and will leave the cluster yellow on a single-node installation. The four index patterns do not overlap, which matters because Elasticsearch rejects composable templates whose patterns overlap at the same priority (all four use priority 0).

PUT /_index_template/template_svc_running
{
  "priority": 0,
  "index_patterns": [
    "svc_running_*"
  ],
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "svc_lifecycle"
        },
        "number_of_replicas": "0",
        "refresh_interval": "90s"
      }
    },
    "mappings": {},
    "aliases": {
      "svc_running_raw": {}
    }
  }
}

PUT /_index_template/template_svc_hacking
{
  "priority": 0,
  "index_patterns": [
    "svc_hacking*"
  ],
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "svc_lifecycle"
        },
        "number_of_replicas": "1",
        "refresh_interval": "90s"
      }
    },
    "mappings": {},
    "aliases": {
      "svc_hacking_raw": {}
    }
  }
}

PUT /_index_template/template_svc_ios_running
{
  "priority": 0,
  "index_patterns": [
    "svc_ios_running*"
  ],
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "svc_ios_lifecycle"
        }
      }
    },
    "mappings": {},
    "aliases": {
      "svc_ios_running_raw": {}
    }
  }
}

PUT /_index_template/template_svc_ios_hacking
{
  "priority": 0,
  "index_patterns": [
    "svc_ios_hacking*"
  ],
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "svc_ios_lifecycle"
        }
      }
    },
    "mappings": {},
    "aliases": {
      "svc_ios_hacking_raw": {}
    }
  }
}

Rollup jobs create daily statistics on user activity, crashes and hacking attempts. If a rollup job is not working properly, DoveRunner Mobile App Security cannot provide any daily report on DAU, MAU or hacking attempts.

Create the rollup jobs only after running, crash and hacking reports have been collected successfully: job creation validates the date_histogram and terms fields against the mappings of the indices behind the *_raw alias, so it fails while those indices are empty or missing. Creating a job does not start it; after each PUT, run POST _rollup/job/<job_id>/_start and confirm with GET _rollup/job/<job_id> that job_state is started. The cron expressions use Elasticsearch's six-field syntax with a leading seconds field: 0 0 * * * ? runs at the top of every hour, while 0 * * * * ? (used by svc_rollup_running_dad below) runs every minute. With a 24h fixed_interval and a 30m delay both schedules produce the same daily buckets, so the hourly schedule is the sensible choice unless there is a reason to poll more often.

PUT _rollup/job/svc_rollup_running_dad
{
  "index_pattern": "svc_running_raw",
  "rollup_index": "svc_rollup_index_running_dad",
  "cron": "0 * * * * ?",
  "groups": {
    "date_histogram": {
      "fixed_interval": "24h",
      "field": "register_datetime",
      "delay": "30m",
      "time_zone": "UTC"
    },
    "terms": {
      "fields": [
        "android_id.keyword",
        "error_code.keyword",
        "package_name.keyword",
        "platform.keyword",
        "sealing_mode.keyword"
      ]
    }
  },
  "metrics": [],
  "timeout": "60s",
  "page_size": 10000
}

PUT _rollup/job/svc_rollup_hacking_dad
{
  "index_pattern": "svc_hacking_raw",
  "rollup_index": "svc_rollup_index_hacking_dad",
  "cron": "0 0 * * * ?",
  "groups": {
    "date_histogram": {
      "fixed_interval": "24h",
      "field": "register_datetime",
      "delay": "30m",
      "time_zone": "UTC"
    },
    "terms": {
      "fields": [
        "android_id.keyword",
        "android_raw_id.keyword",
        "app_version_code.keyword",
        "app_version_name.keyword",
        "emul_detect.keyword",
        "emul_name.keyword",
        "core_version.keyword",
        "country.keyword",
        "device_model.keyword",
        "error_code.keyword",
        "msg.keyword",
        "os_version.keyword",
        "package_name.keyword",
        "platform.keyword",
        "rooting.keyword",
        "sealing_mode.keyword"
      ]
    }
  },
  "metrics": [],
  "timeout": "20s",
  "page_size": 10000
}

PUT _rollup/job/svc_rollup_job_ios_running_dad
{
  "index_pattern": "svc_ios_running_raw",
  "rollup_index": "svc_rollup_index_ios_running_dad",
  "cron": "0 0 * * * ?",
  "groups": {
    "date_histogram": {
      "fixed_interval": "24h",
      "field": "register_datetime",
      "delay": "30m",
      "time_zone": "UTC"
    },
    "terms": {
      "fields": [
        "app_name.keyword",
        "bundle_id.keyword",
        "country.keyword",
        "device_model.keyword",
        "device_uuid.keyword",
        "error_code.keyword",
        "jailbreak.keyword",
        "msg.keyword",
        "os_version.keyword",
        "sdk_version.keyword",
        "sealing_mode.keyword"
      ]
    }
  },
  "metrics": [],
  "timeout": "20s",
  "page_size": 10000
}

PUT _rollup/job/svc_rollup_job_ios_hacking_dad
{
  "index_pattern": "svc_ios_hacking_raw",
  "rollup_index": "svc_rollup_index_ios_hacking_dad",
  "cron": "0 0 * * * ?",
  "groups": {
    "date_histogram": {
      "fixed_interval": "24h",
      "field": "register_datetime",
      "delay": "30m",
      "time_zone": "UTC"
    },
    "terms": {
      "fields": [
        "app_name.keyword",
        "bundle_id.keyword",
        "country.keyword",
        "device_model.keyword",
        "device_uuid.keyword",
        "error_code.keyword",
        "jailbreak.keyword",
        "msg.keyword",
        "os_version.keyword",
        "sdk_version.keyword",
        "sealing_mode.keyword"
      ]
    }
  },
  "metrics": [],
  "timeout": "20s",
  "page_size": 10000
}
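The health check a practitioner runs after starting the jobs, as an added example that is not part of the DoveRunner documentation: it evaluates a GET _rollup/job/_all response (the job entries below are constructed to show a healthy job, a job that was created but never started, a failing job and a missing one) and reports what to fix. The ES_URL, ES_USER and ES_PASS variable names and the --live flag are this example's own assumptions.

```python
"""Health check for the DoveRunner rollup jobs (added example, not DoveRunner code).

Evaluates the response of GET _rollup/job/_all (the 7.x shape: one entry per job with
config / status / stats) and reports jobs that are missing, not started, failing, or
not yet producing rollup documents. SAMPLE_RESPONSE is constructed for the example;
fetch_jobs() reads a real cluster using the assumed ES_URL, ES_USER and ES_PASS
environment variables.
"""
import base64
import json
import os
import sys
import urllib.request

EXPECTED_JOBS = (
    "svc_rollup_running_dad",
    "svc_rollup_hacking_dad",
    "svc_rollup_job_ios_running_dad",
    "svc_rollup_job_ios_hacking_dad",
)
ACTIVE_STATES = {"started", "indexing"}  # in any other state the cron never fires


def check_rollup_jobs(response, expected=EXPECTED_JOBS):
    """Return {job_id: [problem, ...]}; an empty dict means every expected job looks healthy."""
    jobs = {j["config"]["id"]: j for j in response.get("jobs", [])}
    problems = {}
    for job_id in expected:
        job = jobs.get(job_id)
        if job is None:
            problems[job_id] = ["job does not exist: PUT _rollup/job/%s has not been run" % job_id]
            continue
        issues = []
        state = job["status"]["job_state"]
        stats = job["stats"]
        if state not in ACTIVE_STATES:
            issues.append("job_state is %r: run POST _rollup/job/%s/_start" % (state, job_id))
        if stats["index_failures"] or stats["search_failures"]:
            issues.append("%d index / %d search failures: check the Elasticsearch log"
                          % (stats["index_failures"], stats["search_failures"]))
        if stats["trigger_count"] == 0:
            issues.append("cron has never fired: check the cron expression and the job state")
        elif stats["rollups_indexed"] == 0:
            # Normal for up to 24h + 30m after the start (the first daily bucket must close);
            # after that it usually means the *_raw alias receives no documents.
            issues.append("triggered %d times but wrote no rollup documents yet"
                          % stats["trigger_count"])
        if issues:
            problems[job_id] = issues
    return problems


def _job(job_id, state, **stats):
    """One job entry in the GET _rollup/job response shape (constructed test data)."""
    base = dict(pages_processed=0, documents_processed=0, rollups_indexed=0, trigger_count=0,
                index_failures=0, search_failures=0)
    base.update(stats)
    return {"config": {"id": job_id}, "status": {"job_state": state}, "stats": base}


SAMPLE_RESPONSE = {"jobs": [
    _job("svc_rollup_running_dad", "started", trigger_count=48, documents_processed=120000,
         rollups_indexed=310),
    _job("svc_rollup_hacking_dad", "stopped"),  # created but never started
    _job("svc_rollup_job_ios_running_dad", "started", trigger_count=48, index_failures=3),
    # svc_rollup_job_ios_hacking_dad is deliberately missing
]}


def fetch_jobs(url=None):
    """GET _rollup/job/_all from a real cluster (needs network access and credentials)."""
    url = url or os.environ.get("ES_URL", "http://localhost:9200")
    token = base64.b64encode(
        ("%s:%s" % (os.environ["ES_USER"], os.environ["ES_PASS"])).encode()).decode()
    req = urllib.request.Request(url + "/_rollup/job/_all",
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    source = fetch_jobs() if "--live" in sys.argv else SAMPLE_RESPONSE
    for job_id, issues in check_rollup_jobs(source).items():
        print(job_id)
        for issue in issues:
            print("  -", issue)
```

Run it without arguments to see the verdict on the constructed sample; with --live it queries the cluster named by ES_URL. A job that reports "triggered but wrote no rollup documents" within the first day of operation is expected, because the first 24h bucket closes only after the bucket ends plus the 30m delay.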

If aliases for the rollup indices are available, DoveRunner Mobile App Security can keep many individual rollup indices on a monthly basis behind one name. Below are the commands used to create the aliases for the rollup indices. An alias request fails with index_not_found_exception if the target index does not exist yet, so run them after the rollup jobs above have been created.

PUT svc_rollup_index_running_dad/_alias/svc_rollup_indices_running_dad
PUT svc_rollup_index_hacking_dad/_alias/svc_rollup_indices_hacking_dad
PUT svc_rollup_index_ios_hacking_dad/_alias/svc_rollup_indices_ios_hacking_dad
PUT svc_rollup_index_ios_running_dad/_alias/svc_rollup_indices_ios_running_dad
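The whole procedure in one script, as an added example that is not DoveRunner's own code: it rebuilds the policies, templates, rollup jobs and aliases above as Python dicts, checks that they reference each other consistently before anything is sent to the cluster (in particular that no rollup index is matched by a raw-data template, which would put the daily statistics under the 10-day delete policy), and applies them in order, including the _start call the rollup jobs need. It assumes ES_URL, ES_USER and ES_PASS environment variables for the connection and, as a deliberate choice, gives all four rollup jobs the hourly cron and 20s timeout that three of them use on this page.

```python
"""Preflight and apply script for the DoveRunner Elasticsearch objects (added example,
not part of the DoveRunner documentation). Rebuilds the ILM policies, index templates,
rollup jobs and rollup aliases of this page as dicts, checks that they reference each
other consistently, then optionally PUTs them in order and starts the rollup jobs.
Assumptions: ES_URL, ES_USER and ES_PASS hold the connection; every rollup job uses the
hourly cron "0 0 * * * ?" and a 20s timeout (the page gives svc_rollup_running_dad
"0 * * * * ?" and 60s).
"""
import base64
import fnmatch
import json
import os
import sys
import urllib.request


def ilm_policy(retention="10d"):
    return {"policy": {"phases": {"hot": {"min_age": "0ms", "actions": {}},
            "delete": {"min_age": retention,
                       "actions": {"delete": {"delete_searchable_snapshot": True}}}}}}


def index_template(pattern, policy, alias, replicas=None):
    index = {"lifecycle": {"name": policy}}
    if replicas is not None:  # only the Android templates pin replicas and refresh interval
        index.update({"number_of_replicas": str(replicas), "refresh_interval": "90s"})
    return {"priority": 0, "index_patterns": [pattern], "template": {
        "settings": {"index": index}, "mappings": {}, "aliases": {alias: {}}}}


def rollup_job(source_alias, rollup_index, fields, cron="0 0 * * * ?"):
    return {"index_pattern": source_alias, "rollup_index": rollup_index, "cron": cron,
            "groups": {"date_histogram": {"fixed_interval": "24h", "field": "register_datetime",
                                          "delay": "30m", "time_zone": "UTC"},
                       "terms": {"fields": [f + ".keyword" for f in fields]}},
            "metrics": [], "timeout": "20s", "page_size": 10000}


ANDROID_RUNNING = ["android_id", "error_code", "package_name", "platform", "sealing_mode"]
ANDROID_HACKING = ["android_id", "android_raw_id", "app_version_code", "app_version_name",
                   "emul_detect", "emul_name", "core_version", "country", "device_model",
                   "error_code", "msg", "os_version", "package_name", "platform", "rooting",
                   "sealing_mode"]
IOS = ["app_name", "bundle_id", "country", "device_model", "device_uuid", "error_code",
       "jailbreak", "msg", "os_version", "sdk_version", "sealing_mode"]

OBJECTS = {  # API path -> request body, in the order they must be applied
    "_ilm/policy/svc_lifecycle": ilm_policy(),
    "_ilm/policy/svc_ios_lifecycle": ilm_policy(),
    "_index_template/template_svc_running": index_template("svc_running_*", "svc_lifecycle", "svc_running_raw", 0),
    "_index_template/template_svc_hacking": index_template("svc_hacking*", "svc_lifecycle", "svc_hacking_raw", 1),
    "_index_template/template_svc_ios_running": index_template("svc_ios_running*", "svc_ios_lifecycle", "svc_ios_running_raw"),
    "_index_template/template_svc_ios_hacking": index_template("svc_ios_hacking*", "svc_ios_lifecycle", "svc_ios_hacking_raw"),
    "_rollup/job/svc_rollup_running_dad": rollup_job("svc_running_raw", "svc_rollup_index_running_dad", ANDROID_RUNNING),
    "_rollup/job/svc_rollup_hacking_dad": rollup_job("svc_hacking_raw", "svc_rollup_index_hacking_dad", ANDROID_HACKING),
    "_rollup/job/svc_rollup_job_ios_running_dad": rollup_job("svc_ios_running_raw", "svc_rollup_index_ios_running_dad", IOS),
    "_rollup/job/svc_rollup_job_ios_hacking_dad": rollup_job("svc_ios_hacking_raw", "svc_rollup_index_ios_hacking_dad", IOS),
}
ROLLUP_ALIASES = {"svc_rollup_index_%s_dad" % k: "svc_rollup_indices_%s_dad" % k  # rollup index -> alias
                  for k in ("running", "hacking", "ios_hacking", "ios_running")}


def preflight(objects=OBJECTS, aliases=ROLLUP_ALIASES):
    """Return a list of problems; an empty list means the object set is consistent."""
    def by_kind(prefix):
        return {p.split("/")[-1]: b for p, b in objects.items() if p.startswith(prefix)}
    policies, templates, jobs = by_kind("_ilm/policy/"), by_kind("_index_template/"), by_kind("_rollup/job/")
    raw_aliases = {a for t in templates.values() for a in t["template"]["aliases"]}
    problems = []
    for name, t in templates.items():
        policy = t["template"]["settings"]["index"]["lifecycle"]["name"]
        if policy not in policies:
            problems.append("template %s uses undefined ILM policy %s" % (name, policy))
    for name, job in jobs.items():
        if job["index_pattern"] not in raw_aliases:
            problems.append("rollup job %s reads %s, which no template aliases" % (name, job["index_pattern"]))
        # A rollup index matched by a raw-data template would inherit that template's alias
        # and its 10-day delete policy, silently wiping the daily statistics.
        for tname, t in templates.items():
            if any(fnmatch.fnmatchcase(job["rollup_index"], p) for p in t["index_patterns"]):
                problems.append("rollup index %s of job %s matches template %s" % (job["rollup_index"], name, tname))
        cron = job["cron"].split()  # Elasticsearch cron: sec min hour day-of-month month day-of-week [year]
        if len(cron) not in (6, 7):
            problems.append("rollup job %s: cron %r needs 6 or 7 fields" % (name, job["cron"]))
        elif cron[1] == "*":
            problems.append("rollup job %s: cron %r fires every minute" % (name, job["cron"]))
    rollup_indices = {j["rollup_index"] for j in jobs.values()}
    problems += ["alias %s targets %s, which no rollup job writes" % (a, i)
                 for i, a in aliases.items() if i not in rollup_indices]
    return problems


def apply(objects=OBJECTS, aliases=ROLLUP_ALIASES, url=None):
    """PUT every object, add the aliases, then start the rollup jobs (needs a live cluster)."""
    url = url or os.environ.get("ES_URL", "http://localhost:9200")
    token = base64.b64encode(("%s:%s" % (os.environ["ES_USER"], os.environ["ES_PASS"])).encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": "Basic " + token}
    calls = [("PUT", p, b) for p, b in objects.items()]
    calls += [("PUT", "%s/_alias/%s" % (i, a), {}) for i, a in aliases.items()]
    calls += [("POST", p + "/_start", None) for p in objects if p.startswith("_rollup/job/")]
    for method, path, body in calls:  # urlopen raises HTTPError on 4xx/5xx, so a failure stops the run
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request("%s/%s" % (url, path), data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            print(method, path, resp.status)


if __name__ == "__main__":
    issues = preflight()
    print("\n".join(issues) or "object set is consistent")
    if not issues and "--apply" in sys.argv:
        apply()
```

Run it without arguments to see the preflight result and add --apply to create the objects. Elasticsearch rejects a PUT for a rollup job that already exists, so the apply step is not re-runnable for jobs already on the cluster: delete and recreate them, or remove their entries from OBJECTS before running again.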