New Relic

JFrog Platform Administration Documentation

JFrog supports integration with New Relic, a SaaS-based data analytics platform, for log analytics and real-time observability. Using this integration, you can collect logs, violations and metrics from the JFrog Platform to understand the usage of artifacts and repositories across your organization, monitor system performance of platform services, and analyze storage consumption, errors, and connection statistics associated with your deployment. In addition, the violations data from JFrog Xray provide actionable insights into the license and security vulnerabilities impacting your artifacts and components.

Note

You must follow the order of the steps throughout the New Relic configuration.

New Relic Setup

New Relic setup can be done by going through the onboarding steps below or, if you already have a license key, by using it directly. If a license key exists, use the New Relic Fluentd plugin to forward logs, violations and metrics directly to your New Relic account.

  1. Create an account in New Relic

  2. From the account dropdown, click API keys

  3. Copy the license key which is also referenced in the UI as ingest - license

New Relic Environment Configuration

The integration relies on environment variables so that the correct log files are streamed to your observability dashboards. The JF_PRODUCT_DATA_INTERNAL environment variable must be set to the correct path for your product.

Helm-based installs will already have this defined based on the underlying Docker images.

For non-k8s-based installations, below is a reference to the Docker image locations per product. Note these locations may be different based on the chosen installation location.

| Product | Command |
|---|---|
| Artifactory | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/artifactory/ |
| Xray | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/xray/ |
| Nginx | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/nginx/ |
| Mission Control | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/mc/ |
| Distribution | export JF_PRODUCT_DATA_INTERNAL=/var/opt/jfrog/distribution/ |
| Pipelines | export JF_PRODUCT_DATA_INTERNAL=/opt/jfrog/pipelines/var/ |

Fluentd Installation for New Relic

Install Fluentd in OS/Virtual Machine for New Relic

Ensure that you have access to the Internet from the VM. Recommended install is through fluentd's native OS-based package installs:

For a Gem-based install, the Ruby interpreter has to be set up first. The following is the recommended process to install Ruby:

  1. Install Ruby Version Manager (RVM) as described here. Verify that you follow all the onscreen instructions provided to complete the RVM installation.

    • For installation across users, a SUDO-based install is recommended. The installation is as described here.

  2. Once the RVM installation is complete, execute the command rvm -v to verify the installation.

  3. Install Ruby v2.7.0 or above by executing the command rvm install <ver_num>, ex: rvm install 2.7.5.

  4. Verify the Ruby installation. Execute ruby -v, gem -v and bundler -v to ensure all the components are intact.

  5. Once Ruby and Gems are installed, the environment is ready for installing new gems. Execute the following gem install commands one after the other to set up the needed ecosystem:

    gem install fluentd

After Fluentd is successfully installed, the plugins below must be installed:

    gem install fluent-plugin-newrelic
    gem install fluent-plugin-jfrog-siem
    gem install fluent-plugin-jfrog-metrics
    gem install fluent-plugin-jfrog-send-metrics

Configure fluent.conf.* according to the instructions in the Fluentd Configuration for New Relic section, and then run the fluentd wrapper with one argument pointing to the configured fluent.conf.* file.

    ./fluentd $JF_PRODUCT_DATA_INTERNAL/fluent.conf.<product_name>

Install Fluentd in Docker for New Relic

To run fluentd as a Docker image to send the log, siem and metrics data to New Relic, the following commands must be executed on the host that runs the Docker.

  1. Check the Docker installation is functional. Execute the commands docker version and docker ps.

  2. Once the version and processes are listed successfully, build the intended Docker image for the observability platform using the Docker file.

    • Download Dockerfile from here to any directory that has write permissions.

  3. Download the Dockerenvfile_<observability_platform>.txt file needed to run JFrog/Fluentd Docker images for the intended observability platform.

    • Download Dockerenvfile_newrelic.txt from here to the directory where the Docker file was downloaded.

Note

For New Relic as the observability platform, execute these commands to set up the Docker container running the fluentd installation:

  1. Execute the following command (the trailing '.' is the build context):

    docker build --build-arg SOURCE="JFRT" --build-arg TARGET="NEWRELIC" -t <image_name> .

    Command example:

    docker build --build-arg SOURCE="JFRT" --build-arg TARGET="NEWRELIC" -t jfrog/fluentd-newrelic-rt .

    The above command will build the Docker image.

  2. Fill in the necessary information in the Dockerenvfile_newrelic.txt file. If the value of any field needs to contain a '/', write '\/'; if it needs a '\', write '\\'.

  3. Execute the following command:

    docker run -it --name jfrog-fluentd-newrelic-rt -v <path_to_logs>:/var/opt/jfrog/artifactory --env-file Dockerenvfile_newrelic.txt <image_name>

    The <path_to_logs> should be the absolute path where the JFrog Artifactory logs folder resides, i.e. for a Docker-based Artifactory installation. Example: /var/opt/jfrog/artifactory/var/logs on the Docker host.

    Command example:

    docker run -it --name jfrog-fluentd-newrelic-rt -v /var/opt/jfrog/artifactory/var:/var/opt/jfrog/artifactory --env-file Dockerenvfile_newrelic.txt jfrog/fluentd-newrelic-rt

New Relic Kubernetes Deployment with Helm

Recommended installation for Kubernetes is to utilize the helm chart with the associated values.yaml in this repo.

| Product | Example Values File |
|---|---|
| Artifactory | helm/artifactory-values.yaml |
| Artifactory HA | helm/artifactory-ha-values.yaml |
| Xray | helm/xray-values.yaml |

Update the values.yaml associated to the product you want to deploy with your New Relic settings.

Then deploy the helm chart as described below:

Add JFrog Helm repository:

helm repo add jfrog https://charts.jfrog.io
helm repo update

Replace placeholders with your masterKey and joinKey. To generate each of them, use the command openssl rand -hex 32

Artifactory:

  • Replace the newrelic_licensekey in newrelic.licensekey at the end of the yaml file with License key copied from New Relic in New Relic Setup

  • Replace the jpd_url in jfrog.observability.metrics.jpd_url with Artifactory JPD URL (note - if deployed on K8s use the localhost and port number combination per sidecar)

  • Replace the jfrog_user in jfrog.observability.metrics.username with Artifactory username for authentication

  • Replace the jfrog_api_key in jfrog.observability.metrics.apikey with an API Key.

  • Replace the jfrog_access_token in jfrog.observability.metrics.accesstoken with a scoped token

  • Replace common_jpd_value in jfrog.observability.metrics.common_jpd with true for non-kubernetes installations or installations where JPD base URL is same to access both Artifactory and Xray (ex: https://sample_base_url/artifactory or https://sample_base_url/xray). Default value is false

    helm upgrade --install artifactory  jfrog/artifactory \
           --set artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \
           --set artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE \
           -f helm/artifactory-values.yaml

Artifactory-HA

For HA installation, create a license secret on your cluster prior to installation:

    kubectl create secret generic artifactory-license --from-file=<path_to_license_file>artifactory.cluster.license

Note

Replace placeholders with your masterKey and joinKey. To generate each of them, use the command openssl rand -hex 32

  • Replace the newrelic_licensekey in newrelic.licensekey at the end of the yaml file with License key copied from New Relic in New Relic Setup

  • Replace the jpd_url in jfrog.observability.metrics.jpd_url with the Artifactory JPD URL (note - if deployed on K8s use the localhost and port number combination per sidecar)

  • Replace the jfrog_user in jfrog.observability.metrics.username with the Artifactory username for authentication

  • Replace the jfrog_api_key in jfrog.observability.metrics.apikey with an API Key.

  • Replace the jfrog_access_token in jfrog.observability.metrics.accesstoken with a scoped token

  • Replace the common_jpd_value in jfrog.observability.metrics.common_jpd with true for non-kubernetes installations or installations where JPD base URL is same to access both Artifactory and Xray (ex: https://sample_base_url/artifactory or https://sample_base_url/xray). The default value is false

    helm upgrade --install artifactory-ha  jfrog/artifactory-ha \
           --set artifactory.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \
           --set artifactory.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE \
           -f helm/artifactory-ha-values.yaml

Xray

Update the following fields in /helm/xray-values.yaml:

  • Replace the newrelic_licensekey in newrelic.licensekey at the end of the yaml file with License key copied from New Relic in New Relic Setup

  • Replace jpd_url in jfrog.observability.jpd_url with Artifactory JPD URL (note - if deployed on K8s use the localhost and port number combination per sidecar)

  • Replace jfrog_user in jfrog.observability.username with Artifactory username for authentication

  • Replace jfrog_api_key in jfrog.observability.apikey with an API Key.

  • Use the same joinKey as you used in Artifactory installation to allow Xray node to successfully connect to Artifactory.

    helm upgrade --install xray jfrog/xray --set xray.jfrogUrl=http://my-artifactory-nginx-url \
           --set xray.masterKey=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \
           --set xray.joinKey=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE \
           -f helm/xray-values.yaml

Fluentd Configuration for New Relic

Download and configure the relevant fluentd.conf files for New Relic

Configuration Steps for Artifactory

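Download the Artifactory fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.

cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.rt

Logs data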

Override the match directive (jfrog.**) of the downloaded fluent.conf.rt to send logs data to New Relic:

<match jfrog.**>
  @type newrelic
  license_key LICENSE_KEY
  logtype "jfrog_artifactory_logs"
</match>

Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.

OpenMetrics data

Override the source directive of the downloaded fluent.conf.rt in order to source metrics from Artifactory:

<source>
  @type jfrog_metrics
  @id metrics_http_jfrt
  tag jfrog.metrics.artifactory
  interval 5s
  metric_prefix 'jfrog.artifactory'
  jpd_url JPD_URL
  username ADMIN_USERNAME
  apikey JFROG_API_KEY
  token JFROG_ACCESS_TOKEN
  target_platform "NEWRELIC"
  common_jpd COMMON_JPD
</source>

Required:

  • JPD_URL is the Artifactory JPD URL of the format http://<ip_address>

  • ADMIN_USERNAME is the Artifactory username for authentication

  • JFROG_API_KEY is the API Key for authentication

  • JFROG_ACCESS_TOKEN is the scoped token

  • COMMON_JPD is true for non-kubernetes installations or installations where JPD base URL is same to access both Artifactory and Xray (ex: https://sample_base_url/artifactory or https://sample_base_url/xray). Default value is false

Override the match directive of the downloaded fluent.conf.rt in order to send metrics to New Relic:

<match jfrog.metrics.**>
  @type jfrog_send_metrics
  target_platform "NEWRELIC"
  apikey LICENSE_KEY
  url "https://metric-api.newrelic.com/metric/v1"
</match>

Required:

Configuration Steps for Xray

Download the Xray fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.

cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.xray

Logs and Violation data

Override the source directive of the downloaded fluent.conf.xray to pull Xray Violations:

<source>
  @type jfrog_siem
  tag jfrog.xray.siem.vulnerabilities
  jpd_url JPD_URL
  username ADMIN_USERNAME
  apikey JFROG_API_KEY
  pos_file_path "#{ENV['JF_PRODUCT_DATA_INTERNAL']}/log/jfrog_siem.log.pos"
  from_date "2016-01-01"
</source>

Required:

  • JPD_URL is the Artifactory JPD URL of the format http://<ip_address>, which is used to pull Xray Violations

  • ADMIN_USERNAME is the Artifactory username for authentication

  • JFROG_API_KEY is the API Key for authentication

Optional: from_date. If not specified, the value is set to the current date. Setting from_date returns violations from the specified date.

Override the match directive of the downloaded fluent.conf.xray to send Logs and Violations to New Relic:

<match jfrog.**>
  @type newrelic
  license_key LICENSE_KEY
  logtype "jfrog_artifactory_logs"
</match>

Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.

OpenMetrics data

Override the source directive of the downloaded fluent.conf.xray in order to source metrics from Xray:

<source>
  @type jfrog_metrics
  @id metrics_http_jfrt
  tag jfrog.metrics.xray
  interval 5s
  metric_prefix 'jfrog.xray'
  jpd_url JPD_URL
  username ADMIN_USERNAME
  apikey JFROG_API_KEY
  target_platform "NEWRELIC"
</source>

Required:

  • JPD_URL is the Artifactory JPD URL of the format http://<ip_address>, which is used to pull Xray Violations

  • ADMIN_USERNAME is the Artifactory username for authentication

  • JFROG_API_KEY is the API Key for authentication

Override the match directive of the downloaded fluent.conf.rt in order to send metrics to New Relic:

<match jfrog.metrics.**>
  @type jfrog_send_metrics
  target_platform "NEWRELIC"
  apikey LICENSE_KEY
  url "https://metric-api.newrelic.com/metric/v1"
</match>

Required:

Configuration Steps for Nginx

Download the Nginx fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.

cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.nginx

Override the match directive (last section) of the downloaded fluent.conf.nginx with the details given below:

<match jfrog.**>
  @type newrelic
  license_key LICENSE_KEY
  logtype "jfrog_nginx_logs"
</match>

Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup

Configuration Steps for Mission Control

Download the Mission Control fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section

cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.missioncontrol

Override the match directive (last section) of the downloaded fluent.conf.missioncontrol with the details given below:

<match jfrog.**>
  @type newrelic
  license_key LICENSE_KEY
  logtype "jfrog_missioncontrol_logs"
</match>

Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.

Configuration Steps for Distribution

Download the distribution fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.

cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.distribution

Override the match directive (last section) of the downloaded fluent.conf.distribution with the details given below:

<match jfrog.**>
  @type newrelic
  license_key LICENSE_KEY
  logtype "jfrog_distribution_logs"
</match>

Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.

Configuration Steps for Pipelines

Download the pipelines fluentd configuration file to a directory the user has permissions to write, such as the $JF_PRODUCT_DATA_INTERNAL locations discussed above in the Environment Configuration section.

cd $JF_PRODUCT_DATA_INTERNAL
wget https://raw.githubusercontent.com/jfrog/log-analytics-newrelic/master/fluent.conf.pipelines

Override the match directive (last section) of the downloaded fluent.conf.pipelines with the details given below:

<match jfrog.**>
  @type newrelic
  license_key LICENSE_KEY
  logtype "jfrog_pipelines_logs"
</match>

Required: LICENSE_KEY is the License Key from New Relic in New Relic Setup.
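
Each configured fluent.conf.* file holds the New Relic license key and JFrog credentials in clear text, and Fluentd routes an event to the first <match> block whose pattern fits its tag, so a <match jfrog.**> block placed above <match jfrog.metrics.**> also captures the metrics tags. The preflight script below is an added example, not part of the JFrog repository or this documentation; its function names and sample values are hypothetical, and the placeholder names it looks for are the ones used in the configuration steps above.

```shell
# Added example: preflight lint for a configured fluent.conf.<product> file.
PLACEHOLDERS='LICENSE_KEY|JPD_URL|ADMIN_USERNAME|JFROG_API_KEY|JFROG_ACCESS_TOKEN|COMMON_JPD'

# Print "line:setting" for every directive whose value is still a placeholder.
unreplaced_placeholders() {
  grep -nE "^[[:space:]]*[a-z_]+[[:space:]]+\"?($PLACEHOLDERS)\"?[[:space:]]*\$" "$1" || true
}

# Succeed when "other" users have no access to the file, which holds the
# New Relic license key and the JFrog credentials in clear text.
private_to_owner() {
  perms=$(ls -ld -- "$1") || return 2
  [ "$(printf '%s' "$perms" | cut -c8-10)" = "---" ]
}

# Line number of the first <match PATTERN> block (PATTERN is a fixed string).
first_match_line() {
  grep -nF "<match $2>" "$1" | head -n 1 | cut -d: -f1
}

# Fluentd tries <match> blocks top to bottom and the first hit wins. jfrog.**
# also matches jfrog.metrics.*, so the metrics block has to come first.
metrics_match_shadowed() {
  all=$(first_match_line "$1" 'jfrog.**')
  met=$(first_match_line "$1" 'jfrog.metrics.**')
  [ -n "$all" ] && [ -n "$met" ] && [ "$all" -lt "$met" ]
}

# Run every check, print the findings, return the number of failed checks.
check_fluent_conf() {
  conf=$1; failed=0
  [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
  left=$(unreplaced_placeholders "$conf")
  [ -z "$left" ] || { echo "unreplaced placeholders:"; echo "$left"; failed=$((failed + 1)); }
  private_to_owner "$conf" || { echo "readable by other users: chmod 600 $conf"; failed=$((failed + 1)); }
  if metrics_match_shadowed "$conf"; then failed=$((failed + 1))
    echo "<match jfrog.**> precedes <match jfrog.metrics.**>: metrics never reach jfrog_send_metrics"
  fi
  return "$failed"
}

# Constructed sample (not a real key): catch-all block first, placeholder left in.
sample_conf() {
  cat <<'EOF'
<match jfrog.**>
  @type newrelic
  license_key LICENSE_KEY
</match>
<match jfrog.metrics.**>
  @type jfrog_send_metrics
  apikey CONSTRUCTED-KEY-0000
</match>
EOF
}

# With a path argument, lint that file; without one, lint the constructed sample.
if [ $# -gt 0 ]; then check_fluent_conf "$1"; else
  tmp=$(mktemp); sample_conf > "$tmp"; check_fluent_conf "$tmp" || true; rm -f "$tmp"
fi
```

Run it as sh check.sh $JF_PRODUCT_DATA_INTERNAL/fluent.conf.<product_name> before starting the fluentd wrapper; the exit status is the number of failed checks.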

Dashboards

Artifactory dashboard

JFrog Artifactory Dashboard is divided into three sections: Application, Audit, Requests and Docker.

  • Application - This section tracks Log Volume (information about different log sources) and Artifactory Errors over time (bursts of application errors that may otherwise go undetected).

  • Audit - This section tracks audit logs that help you determine who is accessing your Artifactory instance and from where. These can help you track potentially malicious requests or processes (such as CI jobs) using expired credentials.

  • Requests - This section tracks HTTP response codes, top 10 IP addresses for uploads and downloads.

  • Docker - To monitor Dockerhub pull requests, users should have a Dockerhub account, either paid or free. Free accounts allow up to 200 pull requests per 6-hour window. Various widgets have been added in the new Docker tab under Artifactory to help monitor your Dockerhub pull requests. An alert is also available that, if enabled, lets you configure email or outbound webhook notifications for when you exceed the configurable threshold.

  • Metrics - To gain insights into the system performance, storage consumption, and connection statistics associated with JFrog Artifactory

Xray dashboard

JFrog Xray Dashboard is divided into three sections: Logs, Violations and Metrics

  • Logs - This dashboard provides a summary of access, service and traffic log volumes associated with Xray. Additionally, customers are also able to track various HTTP response codes, HTTP 500 errors, and log errors for greater operational insight.

  • Violations - This dashboard provides an aggregated summary of all the license violations and security vulnerabilities found by Xray. Information is segmented by watch policies and rules. Trending information is provided on the type and severity of violations over time, as well as insights on the most frequently occurring CVEs and the top impacted artifacts and components.

  • Metrics - To gain insights into the system performance, storage consumption, connection statistics, count and type of artifacts and components scanned by JFrog Xray.

New Relic Demo Requirements

  • Kubernetes Cluster

  • Artifactory and/or Xray installed via JFrog Helm Charts

  • Helm 3

  • New Relic account setup with license key

Generate Data for Testing

Partner Integration Test Framework can be used to generate data for metrics.
