Certificate Manager Log Management ELK
Certificate Manager Log Management ELK คืออะไร
Certificate Manager คือระบบจัดการ SSL/TLS certificates ตลอด lifecycle ตั้งแต่ออก, ติดตั้ง, renew จนถึง revoke ELK Stack (Elasticsearch, Logstash, Kibana) เป็น open-source log management platform ที่ใช้รวบรวม วิเคราะห์ และแสดงผล logs จากทุกระบบ การรวม Certificate Manager กับ ELK ช่วยให้ monitor certificate events ได้ real-time ตรวจจับ certificates ที่ใกล้หมดอายุ วิเคราะห์ security incidents จาก certificate errors และสร้าง compliance reports อัตโนมัติ
ELK Stack Architecture
# elk_arch.py — ELK Stack architecture for cert management
import json
class ELKArchitecture:
COMPONENTS = {
"elasticsearch": {
"name": "Elasticsearch",
"role": "Search & Analytics Engine — เก็บและค้นหา logs",
"description": "Distributed search engine บน Apache Lucene — index, search, aggregate logs",
"port": 9200,
},
"logstash": {
"name": "Logstash",
"role": "Data Pipeline — รับ, แปลง, ส่ง logs",
"description": "Input → Filter → Output pipeline สำหรับ process logs ก่อนส่ง Elasticsearch",
"port": 5044,
},
"kibana": {
"name": "Kibana",
"role": "Visualization — dashboard และ analytics",
"description": "Web UI สำหรับ visualize data จาก Elasticsearch — charts, maps, alerts",
"port": 5601,
},
"filebeat": {
"name": "Filebeat",
"role": "Log Shipper — ส่ง log files ไป Logstash/Elasticsearch",
"description": "Lightweight agent ติดตั้งบน servers — อ่าน log files แล้วส่งต่อ",
},
}
DOCKER_COMPOSE = """
# docker-compose.yml — ELK Stack
version: '3.8'
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:8.12.0
environment:
- discovery.type=single-node
- xpack.security.enabled=false
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
ports:
- "9200:9200"
volumes:
- esdata:/usr/share/elasticsearch/data
logstash:
image: docker.elastic.co/logstash/logstash:8.12.0
ports:
- "5044:5044"
volumes:
- ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
depends_on:
- elasticsearch
kibana:
image: docker.elastic.co/kibana/kibana:8.12.0
ports:
- "5601:5601"
depends_on:
- elasticsearch
volumes:
esdata:
"""
def show_components(self):
print("=== ELK Stack Components ===\n")
for key, comp in self.COMPONENTS.items():
print(f"[{comp['name']}] — {comp['role']}")
print(f" {comp['description']}")
print()
def show_docker(self):
print("=== Docker Compose ===")
print(self.DOCKER_COMPOSE[:500])
elk = ELKArchitecture()
elk.show_components()
elk.show_docker()Certificate Log Pipeline
# cert_pipeline.py — Logstash pipeline for certificate logs
import json
class CertLogPipeline:
LOGSTASH_CONFIG = """
# logstash.conf — Certificate log processing pipeline
input {
# Filebeat input for cert logs
beats {
port => 5044
tags => ["certificate"]
}
# HTTP input for cert manager webhooks
http {
port => 8080
codec => json
tags => ["cert-webhook"]
}
# File input for certbot logs
file {
path => "/var/log/letsencrypt/letsencrypt.log"
start_position => "beginning"
tags => ["certbot"]
}
}
filter {
# Parse certificate events
if "certificate" in [tags] {
grok {
match => {
"message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:event_message}"
}
}
# Extract certificate details
if "certificate" in [event_message] {
grok {
match => {
"event_message" => "domain=%{HOSTNAME:domain} serial=%{DATA:serial} expires=%{TIMESTAMP_ISO8601:expiry_date}"
}
tag_on_failure => ["_cert_parse_failed"]
}
}
# Calculate days until expiry
ruby {
code => '
if event.get("expiry_date")
expiry = Time.parse(event.get("expiry_date"))
days_left = ((expiry - Time.now) / 86400).to_i
event.set("days_until_expiry", days_left)
if days_left <= 7
event.set("cert_status", "critical")
elsif days_left <= 30
event.set("cert_status", "warning")
else
event.set("cert_status", "ok")
end
end
'
}
}
# Parse certbot logs
if "certbot" in [tags] {
grok {
match => {
"message" => "%{TIMESTAMP_ISO8601:timestamp} - certbot - %{LOGLEVEL:level} - %{GREEDYDATA:certbot_message}"
}
}
if "renewed" in [certbot_message] {
mutate { add_field => { "cert_event" => "renewal_success" } }
}
if "failed" in [certbot_message] {
mutate { add_field => { "cert_event" => "renewal_failed" } }
}
}
# Add metadata
mutate {
add_field => { "[@metadata][index]" => "certificates-%{+YYYY.MM}" }
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "%{[@metadata][index]}"
}
# Alert on critical certificates
if [cert_status] == "critical" {
http {
url => "https://hooks.slack.com/services/xxx"
http_method => "post"
format => "json"
mapping => {
"text" => "CERT CRITICAL: %{domain} expires in %{days_until_expiry} days!"
}
}
}
}
"""
def show_pipeline(self):
print("=== Logstash Pipeline ===")
print(self.LOGSTASH_CONFIG[:600])
pipeline = CertLogPipeline()
pipeline.show_pipeline()Python Certificate Monitor
# cert_monitor.py — Python certificate monitoring with ELK
import json
class CertMonitor:
CODE = """
# cert_elk_monitor.py — Monitor certificates and send to ELK
import ssl
import socket
import json
import requests
from datetime import datetime
from elasticsearch import Elasticsearch
class CertificateELKMonitor:
def __init__(self, es_host="localhost:9200"):
self.es = Elasticsearch([es_host])
self.index = f"certificates-{datetime.utcnow().strftime('%Y.%m')}"
def check_certificate(self, domain, port=443):
'''Check SSL certificate and return details'''
try:
context = ssl.create_default_context()
with socket.create_connection((domain, port), timeout=10) as sock:
with context.wrap_socket(sock, server_hostname=domain) as ssock:
cert = ssock.getpeercert()
expire_str = cert['notAfter']
expire_date = datetime.strptime(expire_str, '%b %d %H:%M:%S %Y %Z')
days_left = (expire_date - datetime.utcnow()).days
issuer = dict(x[0] for x in cert['issuer'])
subject = dict(x[0] for x in cert['subject'])
san = [entry[1] for entry in cert.get('subjectAltName', [])]
status = 'ok' if days_left > 30 else 'warning' if days_left > 7 else 'critical'
return {
'domain': domain,
'issuer': issuer.get('organizationName', ''),
'subject_cn': subject.get('commonName', ''),
'san': san,
'not_after': expire_date.isoformat(),
'days_until_expiry': days_left,
'cert_status': status,
'serial_number': cert.get('serialNumber', ''),
'version': cert.get('version', ''),
'protocol': ssock.version(),
'cipher': ssock.cipher()[0],
'checked_at': datetime.utcnow().isoformat(),
}
except Exception as e:
return {
'domain': domain,
'cert_status': 'error',
'error': str(e),
'checked_at': datetime.utcnow().isoformat(),
}
def send_to_elk(self, cert_data):
'''Send certificate data to Elasticsearch'''
self.es.index(index=self.index, document=cert_data)
def monitor_domains(self, domains):
'''Monitor multiple domains'''
results = []
for domain in domains:
data = self.check_certificate(domain)
self.send_to_elk(data)
results.append(data)
return results
def get_expiring_certs(self, days=30):
'''Query ELK for expiring certificates'''
query = {
"query": {
"range": {
"days_until_expiry": {"lte": days}
}
},
"sort": [{"days_until_expiry": "asc"}]
}
result = self.es.search(index="certificates-*", body=query)
return [hit['_source'] for hit in result['hits']['hits']]
# monitor = CertificateELKMonitor("localhost:9200")
# domains = ["example.com", "api.example.com", "cdn.example.com"]
# results = monitor.monitor_domains(domains)
"""
def show_code(self):
print("=== Certificate ELK Monitor ===")
print(self.CODE[:600])
monitor = CertMonitor()
monitor.show_code()Kibana Dashboard
# kibana_dashboard.py — Kibana dashboard for certificate monitoring
import json
import random
class KibanaDashboard:
VISUALIZATIONS = {
"cert_status_pie": {
"name": "Certificate Status Distribution",
"type": "Pie Chart",
"query": "agg: terms on cert_status field",
"description": "แสดงสัดส่วน OK / Warning / Critical / Error",
},
"expiry_timeline": {
"name": "Certificate Expiry Timeline",
"type": "Timeline / Bar Chart",
"query": "date_histogram on not_after field",
"description": "แสดงว่า certificates จะหมดอายุเมื่อไหร่ — วางแผน renewal",
},
"renewal_events": {
"name": "Renewal Events Over Time",
"type": "Line Chart",
"query": "date_histogram on checked_at, split by cert_event",
"description": "แสดง renewal success/failure trends",
},
"issuer_breakdown": {
"name": "Certificates by Issuer",
"type": "Bar Chart",
"query": "terms aggregation on issuer field",
"description": "แสดงจำนวน certs แยกตาม CA (Let's Encrypt, DigiCert, etc.)",
},
"domain_table": {
"name": "Domain Certificate Details",
"type": "Data Table",
"query": "top_hits, sorted by days_until_expiry ASC",
"description": "ตาราง domains + expiry date + status — sortable",
},
}
ALERTS = {
"cert_expiring_30d": {
"name": "Certificate Expiring in 30 Days",
"condition": "days_until_expiry <= 30",
"action": "Email + Slack notification",
},
"cert_expiring_7d": {
"name": "Certificate Critical — 7 Days",
"condition": "days_until_expiry <= 7",
"action": "PagerDuty + Slack #incidents",
},
"renewal_failed": {
"name": "Certificate Renewal Failed",
"condition": "cert_event == 'renewal_failed'",
"action": "Slack + Email to security team",
},
}
def show_visualizations(self):
print("=== Kibana Visualizations ===\n")
for key, viz in self.VISUALIZATIONS.items():
print(f"[{viz['name']}] ({viz['type']})")
print(f" {viz['description']}")
print()
def show_alerts(self):
print("=== Kibana Alerts ===")
for key, alert in self.ALERTS.items():
print(f" [{alert['name']}]")
print(f" Condition: {alert['condition']}")
print(f" Action: {alert['action']}")
def sample_dashboard(self):
print(f"\n=== Certificate Dashboard ===")
print(f" Total Certificates: {random.randint(50, 200)}")
print(f" OK: {random.randint(40, 180)}")
print(f" Warning (< 30d): {random.randint(3, 15)}")
print(f" Critical (< 7d): {random.randint(0, 3)}")
print(f" Errors: {random.randint(0, 5)}")
print(f" Renewals (24h): {random.randint(0, 10)} success, {random.randint(0, 2)} failed")
dash = KibanaDashboard()
dash.show_visualizations()
dash.show_alerts()
dash.sample_dashboard()Automation & Compliance
# compliance.py — Certificate compliance automation
import json
class CertCompliance:
COMPLIANCE_CHECKS = {
"expiry": {
"name": "Certificate Expiry Check",
"rule": "ทุก certificate ต้องมีอายุเหลือ > 30 วัน",
"frequency": "ทุกวัน",
},
"key_strength": {
"name": "Key Strength Validation",
"rule": "RSA >= 2048 bits, ECDSA >= 256 bits",
"frequency": "ทุกสัปดาห์",
},
"protocol_version": {
"name": "TLS Version Check",
"rule": "TLS 1.2+ only, ปิด TLS 1.0/1.1",
"frequency": "ทุกสัปดาห์",
},
"cert_chain": {
"name": "Certificate Chain Validation",
"rule": "Chain ต้องครบ — root CA → intermediate → leaf",
"frequency": "ทุกวัน",
},
"san_coverage": {
"name": "SAN Coverage Check",
"rule": "ทุก subdomain ที่ใช้ต้องอยู่ใน SAN",
"frequency": "เมื่อเพิ่ม subdomain ใหม่",
},
}
AUTOMATION_SCRIPT = """
# cert_compliance.py — Automated compliance report
from elasticsearch import Elasticsearch
from datetime import datetime
import json
class CertComplianceReport:
def __init__(self, es_host="localhost:9200"):
self.es = Elasticsearch([es_host])
def generate_report(self):
# Query all certificates
result = self.es.search(
index="certificates-*",
body={
"size": 1000,
"query": {"match_all": {}},
"sort": [{"days_until_expiry": "asc"}],
}
)
certs = [hit['_source'] for hit in result['hits']['hits']]
report = {
"generated_at": datetime.utcnow().isoformat(),
"total_certificates": len(certs),
"status_summary": {
"ok": sum(1 for c in certs if c.get('cert_status') == 'ok'),
"warning": sum(1 for c in certs if c.get('cert_status') == 'warning'),
"critical": sum(1 for c in certs if c.get('cert_status') == 'critical'),
"error": sum(1 for c in certs if c.get('cert_status') == 'error'),
},
"expiring_soon": [c for c in certs if c.get('days_until_expiry', 999) <= 30],
"compliance_pass": all(
c.get('days_until_expiry', 0) > 7 for c in certs
if c.get('cert_status') != 'error'
),
}
return report
# reporter = CertComplianceReport()
# report = reporter.generate_report()
# print(json.dumps(report, indent=2))
"""
def show_checks(self):
print("=== Compliance Checks ===\n")
for key, check in self.COMPLIANCE_CHECKS.items():
print(f"[{check['name']}]")
print(f" Rule: {check['rule']}")
print(f" Frequency: {check['frequency']}")
print()
def show_script(self):
print("=== Compliance Script ===")
print(self.AUTOMATION_SCRIPT[:500])
compliance = CertCompliance()
compliance.show_checks()
compliance.show_script()FAQ - คำถามที่พบบ่อย
Q: ELK Stack กับ Grafana/Loki อันไหนดีกว่าสำหรับ cert logs?
A: ELK: full-text search ดีกว่า, complex queries, mature ecosystem, Kibana dashboards สวย Grafana/Loki: lightweight กว่า, ถูกกว่า (ไม่ต้อง index ทุก field), integrate กับ Prometheus ดี เลือก ELK: ถ้าต้องการ full-text search + complex analytics + compliance reporting เลือก Loki: ถ้ามี Grafana อยู่แล้ว + ต้องการ cost-efficient log storage
Q: Certificate logs เก็บนานแค่ไหน?
A: ขึ้นกับ compliance: PCI DSS: 1 ปี SOC 2: 1 ปี+ HIPAA: 6 ปี ทั่วไป: 1-2 ปี ELK: ใช้ ILM (Index Lifecycle Management) — hot → warm → cold → delete อัตโนมัติ ประหยัด storage: compress old indices, move to cold storage (S3)
Q: Filebeat กับ Logstash ต่างกันอย่างไร?
A: Filebeat: lightweight log shipper — อ่าน files แล้วส่งต่อ (CPU/RAM น้อย) Logstash: full data pipeline — parse, transform, enrich logs (CPU/RAM มากกว่า) ใช้ร่วมกัน: Filebeat (บน servers) → Logstash (centralized) → Elasticsearch หรือ: Filebeat → Elasticsearch โดยตรง (ถ้าไม่ต้อง complex parsing)
Q: Monitor certificates กี่ domains ได้ใน ELK?
A: ไม่จำกัด — ขึ้นกับ Elasticsearch cluster size 100-500 domains: single node เพียงพอ 500-5000 domains: 3-node cluster แนะนำ 5000+ domains: multi-node cluster + dedicated master nodes Check ทุก 1 ชั่วโมง: 500 domains × 24 checks = 12,000 documents/day — เล็กมากสำหรับ Elasticsearch