Forwarding Events to Elasticsearch 1.x

OpenNMS can be configured to forward all Events and Alarms to Elasticsearch 1.x for indexing, long-term archiving, plotting with Grafana and browsing with Kibana.

Elasticsearch is not intended as a replacement for PostgreSQL, which is still a required component to run OpenNMS.

First check that your OpenNMS installation supports this feature. If it does, there should be a ${OPENNMS_HOME}/etc/org.opennms.features.elasticsearch.eventforwarder.cfg file.

Now open the file, review its content and make sure to apply the correct settings depending on your environment.

The following table describes all settings and possible values.

| Parameter | Default | Description |
|---|---|---|
| elasticsearchCluster | opennms | The name of the Elasticsearch cluster as specified in the Elasticsearch configuration file (required). |
| elasticsearchIp | localhost | The TransportClient remote host IP to use. Has the same meaning as the ip options of the camel-elasticsearch component. |
| logEventDescription | false | Whether to forward the event description to Elasticsearch. It is off by default because the description is usually standard, generic, repetitive and possibly long text that grows the index without adding useful information. |
| cache_max_ttl | 0 | The number of minutes the node information is kept in the cache. Set to 0 to disable (which is the default and is generally safe because the cache knows when to refresh itself, by intercepting nodeUpdated and similar events). |
| cache_max_size | 10000 | The number of node information entries to be kept in the cache before eviction starts. Set to 0 to disable. |

The first two settings (elasticsearchCluster and elasticsearchIp) are the most likely to require changing. If unsure, do not change the remaining three.

Once you are sure everything is correctly configured, you can activate the Elasticsearch forwarder by logging into the OSGi console and installing the feature.

OSGi login and installation of the Elasticsearch forwarder
ssh admin@localhost -p 8101
features:install opennms-elasticsearch-event-forwarder

You can check the route status with the camel:* commands and/or inspect the log with log:tail for any obvious errors. The feature has trace-level logging that can be used to trace operations.

documentation on using the OSGi console embedded in OpenNMS and the related camel commands.

If all goes well, events and alarms will be pushed in real time into Elasticsearch. You should now be able to view the events and graph them with Kibana.

If you have never used Kibana before you should probably start with Kibana 3 which is simpler. Kibana 4 is more powerful, but harder to get started with.

A basic Elasticsearch configuration

This section describes how to get a minimal working configuration with OpenNMS and Elasticsearch. Install Elasticsearch on the same host as OpenNMS and edit the elasticsearch.yml as follows:

Example configuration for Elasticsearch
cluster.name: opennms
network.host: 127.0.0.1
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1"]

Running OpenNMS and Elasticsearch on the same host is not recommended for production or busy environments.

Troubleshooting

If events are not reaching Elasticsearch, check that OpenNMS is correctly configured; in particular, review the elasticsearchCluster and elasticsearchIp parameters.

If those appear to be correct, verify that OpenNMS can communicate with Elasticsearch over port 9300.

Review the OSGi log with log:tail or the camel:* commands.
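
The first two troubleshooting checks above can be scripted. The following is an added example, not part of the OpenNMS documentation or code: it compares elasticsearchCluster with cluster.name and tests a TCP connection to elasticsearchIp on port 9300. It assumes the forwarder .cfg file uses key=value lines and reads only flat "key: value" lines from elasticsearch.yml; the function names and sample inputs are constructed for illustration.

```python
import socket

TRANSPORT_PORT = 9300  # transport port named in the Troubleshooting section


def parse_flat(text, sep):
    """Parse flat 'key<sep>value' lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        key, value = line.split(sep, 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def port_open(host, port=TRANSPORT_PORT, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(forwarder_cfg, elasticsearch_yml, probe=port_open):
    """Return a list of problems; an empty list means the checks passed."""
    cfg = parse_flat(forwarder_cfg, "=")   # assumed key=value format
    yml = parse_flat(elasticsearch_yml, ":")
    # Defaults from the settings table: cluster 'opennms', host 'localhost'.
    cluster = cfg.get("elasticsearchCluster", "opennms")
    host = cfg.get("elasticsearchIp", "localhost")
    problems = []
    es_cluster = yml.get("cluster.name")
    if es_cluster is None:
        problems.append("cluster.name is not set in elasticsearch.yml")
    elif es_cluster != cluster:
        problems.append(f"cluster name mismatch: {cluster!r} vs {es_cluster!r}")
    if not probe(host):
        problems.append(f"cannot connect to {host}:{TRANSPORT_PORT}")
    return problems

# Constructed sample inputs (not taken from a real installation).
SAMPLE_CFG = "elasticsearchCluster=opennms\nelasticsearchIp=127.0.0.1\n"
SAMPLE_YML = 'cluster.name: opennms\nnetwork.host: 127.0.0.1\n'

if __name__ == "__main__":
    print(preflight(SAMPLE_CFG, SAMPLE_YML) or "all checks passed")
```

To check a real installation, pass the contents of the two files to preflight() in place of the sample strings.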