Secure monitoring of Kafka node on Instana

View Only

Secure monitoring of Kafka node on Instana

By Ziyad Bin Sulfi posted 24 days ago

Like

Kafka is a distributed streaming platform that is designed for building real-time data pipelines and streaming applications. It provides a unified, high-throughput, fault-tolerant platform for handling real-time data feeds. Kafka is characterized by its scalability, durability, and low-latency performance, makes an ideal solution for use cases such as event sourcing, log aggregation, stream processing, and data integration. With its distributed architecture, Kafka allows seamless communication and integration between different components of modern data-driven applications, enabling organizations to efficiently process, store, and analyze large volumes of streaming data in real-time.

IBM® Instana Observability is a fully automated Application Performance Management (APM) solution that is designed for the challenges of managing micro-service and cloud-native applications. Instana can monitor Kafka. This blog explains how to enable JMX authentication while starting Kafka and how to configure Instana agent to monitor Kafka while JMX is authenticated.

Setting up Kafka by securing JMX

To set up Kafka by securing JMX for a demo, complete the following steps:

Download the Kafka binaries from https://kafka.apache.org/downloads and extract them to a suitable location on your machine.
Start the ZooKeeper for Kafka.

In the Kafka directory, navigate to the bin folder and run ZooKeeper by executing the following steps:

./zookeeper-server-start.sh ../config/zookeeper.properties

Start Kafka Broker in a new terminal window or tab.
- Add username and password credentials:
  - To secure JMX, go to `jre/lib/management`.
    - For example, `/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.392.b08-2.el7_9.x86_64/jre/lib/management`.

- - Create a new file for username and password.

vi jmxremote.password

- - Add these sample credentials where `monitorRole` is the username and `QED` is the password for JMX.

monitorRole  QED

- - Make this file as read only as shown:

chmod 600 jmxremote.password

- - Open `jmxremote.access` and mention the access type of the username.
  - The access and password files can be placed in different areas.

- - - Note: File path of the access and password files to be given as shown:

-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access

Navigate to the Kafka directory's bin folder.
Change the `KAFKA_OPTS` as shown:

- - Note: The JMX port is modified here; however, altering the JMX port is optional.

export KAFKA_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.port=2020"

Start a Kafka broker on your local machine by executing the following:

./kafka-server-start.sh ../config/server.properties

Installing Instana agent

Install the Instana agent that is tailored to your operating system from the Instana. For example, if you’re using Linux, the installation process involves the following steps:

Note: Agent installation procedures can vary based on the operating system.

For more information, see https://www.ibm.com/docs/en/instana-observability/current?topic=agents-installing-host.

After the Installation of the agent.

Go to the path in which the agent is installed, for example: /opt/instana/agent > edit the configuration.yaml file in the <agent>/etc/instana/configuration.yaml file.