/monitor-analytics web application
This installation step is only necessary if interaction data is to be collected within map.apps on the client side. |
To install the webapp of service.monitor deploy the given WAR file from monitor-analytics.war
to the Servlet Container that shall be used.
To change the default configuration values,
-
copy the file
\monitor-analytics\WEB-INF\classes\custom-application.properties
to[data.directory.location]/application.properties
, -
change the necessary values and
-
restart the Servlet Container or reload the context.
Configuration
Logstash - Send interation data
If the Logstash service is installed on a different host than localhost, configure it in the application.properties
and connect it to the Logstash service.
analytics.gelf.server=myserver.domain.de
analytics.gelf.port=12201
It is also possible to change the port, on which outgoing log messages are send.
If you change the port in the application.properties
file, change the listening port in the Logstash configuration at /resources/analytics/elasticsearch/logstash/pipelines/ct-analytics/logstash-analytics-100-input.conf
to open the port to receive messages.
After any configuration changes, restart the related component.
Restrict log endpoint access
It may be desired to restrict access to the /usage/log
endpoint for persisting data.
This can be done by setting up a list of allowed host names.
Those host names will be tested against the HTTP Header value Referer
.
The referrer value typically contains the url of the web page sending the request.
analytics.usagelog.referers=*
The default setting allows for sending /usage/log
requests from anywhere.
Example
With the following setting, the restrictions below apply.
analytics.usagelog.referers=mydomain.com,https://www.myotherdomain.eu
The endpoint allows requests from pages that have, for example, the following HTTP header values:
-
http://mydomain.com/application/index.html
-
https://mydomain.com/webapp/somePage.jsp
-
https://www.myotherdomain.eu/client.aspx
The endpoint would not allow or store requests with such referrer values:
-
http://www.myotherdomain.eu/client.aspx
because the setting explicitly points to https protocol. -
http://www.conterra.de/some-page.html
because the URL is not listed in the property.
Elasticsearch - Query collected data
Changes to the application.properties
are necessary, for example, if Elasticsearch runs on another host than http://localhost:9200
.
In this case, the service URL has to be configured to connect the webapp with Elasticsearch.
Also, if Elastic requires username and password for access, credentials can be configured here.
analytics.elasticsearch.service.url=http://myserver:9200/analytics-*/_search
analytics.elasticsearch.service.user=<user>
analytics.elasticsearch.service.pwd=<password>
service.monitor Usage Log webapp provides a security layer to secure queries against the Elasticsearch indices. To protect the loggend data against unwanted access, it is HIGHLY RECOMMENDED to change the properties.
Use a hash algorithm to encrypt it by setting the property Note, that
|
Access to data
There are several levels of security available when it comes to protection of the collected data. It is not recommend making the search index publicly accessible. Access should be restricted to authorized persons only.
Therefore, the product allows configuring three different modes of authentication:
- NONE
-
Access to collected data is completely unrestricted.
- INTEGRATED
-
Access to collected data is granted for authorized users only.
Authentication happens via http/BASIC auth. There is one single user available.
Its credentials are configurable via
application.properties
:security.mode=INTEGRATED security.user.admin.name= security.user.admin.pw=
- ONLY_AUTHN
-
Access to collected data is granted for authorized users only.
Authentication happens via security.manager and its SSO Domain Cookie support. This allows for a seamless SSO Experience. Necessary configuration properties are available via
application.properties
, please refer to your security.manager or map.apps configuration:security.mode=ONLY_AUTHN security.sso.cookie.name=ct_SSO security.sso.cookie.domain= security.sso.cookie.bindToIP=false # security.manager service locations security.administration.url=http://<host>/administration security.was.service.url=$\{security.administration.url\}/WAS security.sso.service.url=$\{security.administration.url\}/resources/ssosessions security.sso.token.service.url=$\{security.administration.url\}/token/ssosession # Key Store Properties security.keystore.location=<some path> security.keystore.passwd=changeit security.keystore.key.alias=ct-security security.keystore.key.passwd=changeit
Access is granted, if authenticated user owns the role mon_Redakteur .
The name of the role can be defined in application.properties via servicemonitor.admin.role .
|
Overview of all default values
See \monitor-analytics\WEB-INF\classes\default-application.properties
for an overview of the default values of the used properties.
The default value for In case the Tomcat server is operated as a windows service this folder corresponds to the user that executes the Tomcat service.
If no such user is configured the Tomcat server runs under the system user’s account (not recommended!).
In this case the If a custom folder should be used to store Analytics data, define this path in |
Linux
When installing service.monitor on Linux systems, you have to change the following parameter in configuration file
to e.g.
|