# ElasticSearch Installation
# ElasticSearch Setup Guide
This guide covers an ELK stack or any managed ELK service, such as elastic.co, or an Elasticsearch instance on AWS or any other cloud provider.
Supported Elastic Version
- This installation guide is based on Elasticsearch v7.13.3 or above.
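The Elasticsearch service should be configured to collect data such as hacking reports and user activity reports. AppSealing uses many custom objects to manage reports and daily batch jobs. Because those objects can't be imported automatically, customers should create them manually. The collected reports carry device identifiers (for example `android_id` and `device_uuid`, which appear in the rollup jobs below), so access to the cluster and to these indices should be limited to authenticated, authorized users.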
# Create index Life Cycle Policy
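Elasticsearch uses an index lifecycle policy to remove old indices from disk. The policy can be changed to suit the customer's requirements; Elasticsearch provides many index lifecycle options, so it is worth reviewing what is available. The policies below delete an index once it is 10 days old (`"min_age" : "10d"` in the `delete` phase), so raw hacking reports older than that are no longer available for investigation unless the retention period is extended.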
# create svc_lifecycle policy
PUT _ilm/policy/svc_lifecycle
{
"policy" : {
"phases" : {
"hot" : {
"min_age" : "0ms",
"actions" : { }
},
"delete" : {
"min_age" : "10d",
"actions" : {
"delete" : {
"delete_searchable_snapshot" : true
}
}
}
}
}
}
# create svc_ios_lifecycle policy
PUT _ilm/policy/svc_ios_lifecycle
{
"policy" : {
"phases" : {
"hot" : {
"min_age" : "0ms",
"actions" : { }
},
"delete" : {
"min_age" : "10d",
"actions" : {
"delete" : {
"delete_searchable_snapshot" : true
}
}
}
}
}
}
# Create index templates
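Index templates attach an alias to each new index and configure the index settings. An alias lets several indices be addressed under a single name. Note that `template_svc_running` sets `number_of_replicas` to `0`, so those indices have no replica copy and become unavailable if the node holding a shard is lost.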
# Index template for AOS Running Reports
PUT /_index_template/template_svc_running
{
"priority" : 0,
"index_patterns" : [
"svc_running_*"
],
"template": {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "svc_lifecycle"
},
"number_of_replicas" : "0",
"refresh_interval" : "90s"
}
},
"mappings" : { },
"aliases" : {
"svc_running_raw" : { }
}
}
}
# Index template for AOS Hacking Reports
PUT /_index_template/template_svc_hacking
{
"priority" : 0,
"index_patterns" : [
"svc_hacking*"
],
"template": {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "svc_lifecycle"
},
"number_of_replicas" : "1",
"refresh_interval" : "90s"
}
},
"mappings" : { },
"aliases" : {
"svc_hacking_raw" : { }
}
}
}
# Index template for IOS Running Reports
PUT /_index_template/template_svc_ios_running
{
"priority" : 0,
"index_patterns" : [
"svc_ios_running*"
],
"template": {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "svc_ios_lifecycle"
}
}
},
"mappings" : { },
"aliases" : {
"svc_ios_running_raw" : { }
}
}
}
# Index template for IOS Hacking Reports
PUT /_index_template/template_svc_ios_hacking
{
"priority" : 0,
"index_patterns" : [
"svc_ios_hacking*"
],
"template": {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "svc_ios_lifecycle"
}
}
},
"mappings" : { },
"aliases" : {
"svc_ios_hacking_raw" : { }
}
}
}
# Create rollup job for Usage report
A rollup job creates daily statistics on user activity, crashes, and hacking attempts. If a rollup job is not working properly, AppSealing cannot provide any daily report on DAU, MAU, or hacking attempts.
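Create the rollup jobs only after reports (running, crash, and hacking reports) have been collected successfully. A newly created rollup job is in the stopped state; start it with `POST _rollup/job/<job_id>/_start` and confirm that it is running.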
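# create rollup job for AOS running reports (this cron fires every minute, while the other three jobs fire hourly; confirm this is intended)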
PUT _rollup/job/svc_rollup_running_dad
{
"index_pattern" : "svc_running_raw",
"rollup_index" : "svc_rollup_index_running_dad",
"cron" : "0 * * * * ?",
"groups" : {
"date_histogram" : {
"fixed_interval" : "24h",
"field" : "register_datetime",
"delay" : "30m",
"time_zone" : "UTC"
},
"terms" : {
"fields" : [
"android_id.keyword",
"error_code.keyword",
"package_name.keyword",
"platform.keyword",
"sealing_mode.keyword"
]
}
},
"metrics" : [ ],
"timeout" : "60s",
"page_size" : 10000
}
# create rollup job for AOS hacking reports
PUT _rollup/job/svc_rollup_hacking_dad
{
"index_pattern" : "svc_hacking_raw",
"rollup_index" : "svc_rollup_index_hacking_dad",
"cron" : "0 0 * * * ?",
"groups" : {
"date_histogram" : {
"fixed_interval" : "24h",
"field" : "register_datetime",
"delay" : "30m",
"time_zone" : "UTC"
},
"terms" : {
"fields" : [
"android_id.keyword",
"android_raw_id.keyword",
"app_version_code.keyword",
"app_version_name.keyword",
"emul_detect.keyword",
"emul_name.keyword",
"core_version.keyword",
"country.keyword",
"device_model.keyword",
"error_code.keyword",
"msg.keyword",
"os_version.keyword",
"package_name.keyword",
"platform.keyword",
"rooting.keyword",
"sealing_mode.keyword"
]
}
},
"metrics" : [ ],
"timeout" : "20s",
"page_size" : 10000
}
# create rollup job for IOS running reports
PUT _rollup/job/svc_rollup_job_ios_running_dad
{
"index_pattern" : "svc_ios_running_raw",
"rollup_index" : "svc_rollup_index_ios_running_dad",
"cron" : "0 0 * * * ?",
"groups" : {
"date_histogram" : {
"fixed_interval" : "24h",
"field" : "register_datetime",
"delay" : "30m",
"time_zone" : "UTC"
},
"terms" : {
"fields" : [
"app_name.keyword",
"bundle_id.keyword",
"country.keyword",
"device_model.keyword",
"device_uuid.keyword",
"error_code.keyword",
"jailbreak.keyword",
"msg.keyword",
"os_version.keyword",
"sdk_version.keyword",
"sealing_mode.keyword"
]
}
},
"metrics" : [ ],
"timeout" : "20s",
"page_size" : 10000
}
# create rollup job for IOS hacking reports
PUT _rollup/job/svc_rollup_job_ios_hacking_dad
{
"index_pattern" : "svc_ios_hacking_raw",
"rollup_index" : "svc_rollup_index_ios_hacking_dad",
"cron" : "0 0 * * * ?",
"groups" : {
"date_histogram" : {
"fixed_interval" : "24h",
"field" : "register_datetime",
"delay" : "30m",
"time_zone" : "UTC"
},
"terms" : {
"fields" : [
"app_name.keyword",
"bundle_id.keyword",
"country.keyword",
"device_model.keyword",
"device_uuid.keyword",
"error_code.keyword",
"jailbreak.keyword",
"msg.keyword",
"os_version.keyword",
"sdk_version.keyword",
"sealing_mode.keyword"
]
}
},
"metrics" : [ ],
"timeout" : "20s",
"page_size" : 10000
}
# Create Alias for Rollup Index
When aliases exist for the rollup indices, AppSealing can maintain many individual rollup indices on a monthly basis.
Below are the commands used to create aliases for rollup indexes.
PUT svc_rollup_index_running_dad/_alias/svc_rollup_indices_running_dad
PUT svc_rollup_index_hacking_dad/_alias/svc_rollup_indices_hacking_dad
PUT svc_rollup_index_ios_hacking_dad/_alias/svc_rollup_indices_ios_hacking_dad
PUT svc_rollup_index_ios_running_dad/_alias/svc_rollup_indices_ios_running_dad