Splunk AppDynamics
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk AppDynamics
- :
- Re: Help on instrumenting AppDynamics Java Agent i...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help on instrumenting AppDynamics Java Agent into Elasticsearch
Marcos_R
New Member
04-26-2023
07:42 AM
Hi everyone!
Currently we are trying to instrument the Java agent of AppDynamics in a Elasticsearch running on Kubernetes.
We had a few access denied errors when the Appdynamics agent tried to monitor Elasticsearch, but we resolved most with the following policy:
grant codeBase "file:/opt/appdynamics/-" {
permission java.security.AllPermission;
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.util.PropertyPermission "*", "read,write";
permission java.lang.RuntimePermission "*";
permission java.lang.management.ManagementPermission "monitor";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant {
permission "java.security.SecurityPermission" "*";
permission "java.lang.RuntimePermission" "*";
permission java.io.FilePermission "<<ALL FILES>>","read,write,delete";
permission java.net.SocketPermission "*","accept,connect,resolve,listen";
permission java.util.PropertyPermission "*", "read,write";
permission "java.lang.management.ManagementPermission" "monitor";
permission "java.lang.reflect.ReflectPermission" "*";
permission "javax.management.MBeanServerPermission" "*";
permission "javax.management.MBeanPermission" "*","*";
permission "javax.management.MBeanTrustPermission" "*";
permission java.net.NetPermission "*";
};
However, at times we have the following access denied error that we are unable to resolve:
access: access denied ("java.lang.RuntimePermission" "getClassLoader")
java.lang.Exception: Stack trace
at java.base/java.lang.Thread.dumpStack(Thread.java:1379)
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2058)
at java.base/java.lang.Class.getClassLoader(Class.java:836)
at com.appdynamics.appagent/com.singularity.ee.agent.appagent.services.bciengine.transformation.AnonymousClassDefTransformer.classDefTrap(AnonymousClassDefTransformer.java:61)
at com.singularity.ee.agent.appagent.entrypoint.bciengine.AnonymousClassDefTransformerBoot.classDefTrap(AnonymousClassDefTransformerBoot.java:31)
at java.base/jdk.internal.misc.Unsafe.defineAnonymousClass(Unsafe.java:1225)
at java.base/java.lang.invoke.InnerClassLambdaMetafactory.spinInnerClass(InnerClassLambdaMetafactory.java:321)
at java.base/java.lang.invoke.InnerClassLambdaMetafactory.buildCallSite(InnerClassLambdaMetafactory.java:189)
at java.base/java.lang.invoke.LambdaMetafactory.metafactory(LambdaMetafactory.java:329)
at java.base/java.lang.invoke.BootstrapMethodInvoker.invoke(BootstrapMethodInvoker.java:127)
at java.base/java.lang.invoke.CallSite.makeSite(CallSite.java:307)
at java.base/java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(MethodHandleNatives.java:259)
at java.base/java.lang.invoke.MethodHandleNatives.linkCallSite(MethodHandleNatives.java:249)
at org.elasticsearch.painless.ScriptClassInfo.<init>(ScriptClassInfo.java:75)
at org.elasticsearch.painless.Compiler.compile(Compiler.java:210)
at org.elasticsearch.painless.PainlessScriptEngine$5.run(PainlessScriptEngine.java:420)
at org.elasticsearch.painless.PainlessScriptEngine$5.run(PainlessScriptEngine.java:416)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at org.elasticsearch.painless.PainlessScriptEngine.compile(PainlessScriptEngine.java:416)
at org.elasticsearch.painless.PainlessScriptEngine.compile(PainlessScriptEngine.java:167)
at org.elasticsearch.script.ScriptService.compile(ScriptService.java:363)
at org.elasticsearch.ingest.common.ScriptProcessor$Factory.create(ScriptProcessor.java:148)
at org.elasticsearch.ingest.common.ScriptProcessor$Factory.create(ScriptProcessor.java:90)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessor(ConfigurationUtils.java:402)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessor(ConfigurationUtils.java:372)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessorConfigs(ConfigurationUtils.java:316)
at org.elasticsearch.ingest.Pipeline.create(Pipeline.java:73)
at org.elasticsearch.ingest.IngestService.innerUpdatePipelines(IngestService.java:515)
at org.elasticsearch.ingest.IngestService.applyClusterState(IngestService.java:259)
at org.elasticsearch.cluster.service.ClusterApplierService.lambda$callClusterStateAppliers$6(ClusterApplierService.java:484)
at java.base/java.lang.Iterable.forEach(Iterable.java:75)
at org.elasticsearch.cluster.service.ClusterApplierService.callClusterStateAppliers(ClusterApplierService.java:481)
at org.elasticsearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:468)
at org.elasticsearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:419)
at org.elasticsearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:163)
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:252)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:215)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
access: access allowed ("java.security.SecurityPermission" "getPolicy")
access: domain that failed ProtectionDomain null
null
<no principals>
java.security.Permissions@5da5ecc6 (
)
access: access denied ("java.lang.RuntimePermission" "getClassLoader")
java.lang.Exception: Stack trace
at java.base/java.lang.Thread.dumpStack(Thread.java:1379)
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2058)
at java.base/java.lang.Class.getClassLoader(Class.java:836)
at com.appdynamics.appagent/com.singularity.ee.agent.appagent.services.bciengine.transformation.AnonymousClassDefTransformer.classDefTrap(AnonymousClassDefTransformer.java:61)
at com.singularity.ee.agent.appagent.entrypoint.bciengine.AnonymousClassDefTransformerBoot.classDefTrap(AnonymousClassDefTransformerBoot.java:31)
at java.base/jdk.internal.misc.Unsafe.defineAnonymousClass(Unsafe.java:1225)
at java.base/java.lang.invoke.InnerClassLambdaMetafactory.spinInnerClass(InnerClassLambdaMetafactory.java:321)
at java.base/java.lang.invoke.InnerClassLambdaMetafactory.buildCallSite(InnerClassLambdaMetafactory.java:189)
at java.base/java.lang.invoke.LambdaMetafactory.metafactory(LambdaMetafactory.java:329)
at java.base/java.lang.invoke.BootstrapMethodInvoker.invoke(BootstrapMethodInvoker.java:127)
at java.base/java.lang.invoke.CallSite.makeSite(CallSite.java:307)
at java.base/java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(MethodHandleNatives.java:259)
at java.base/java.lang.invoke.MethodHandleNatives.linkCallSite(MethodHandleNatives.java:249)
at org.elasticsearch.painless.ScriptClassInfo.<init>(ScriptClassInfo.java:86)
at org.elasticsearch.painless.Compiler.compile(Compiler.java:210)
at org.elasticsearch.painless.PainlessScriptEngine$5.run(PainlessScriptEngine.java:420)
at org.elasticsearch.painless.PainlessScriptEngine$5.run(PainlessScriptEngine.java:416)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at org.elasticsearch.painless.PainlessScriptEngine.compile(PainlessScriptEngine.java:416)
at org.elasticsearch.painless.PainlessScriptEngine.compile(PainlessScriptEngine.java:167)
at org.elasticsearch.script.ScriptService.compile(ScriptService.java:363)
at org.elasticsearch.ingest.common.ScriptProcessor$Factory.create(ScriptProcessor.java:148)
at org.elasticsearch.ingest.common.ScriptProcessor$Factory.create(ScriptProcessor.java:90)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessor(ConfigurationUtils.java:402)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessor(ConfigurationUtils.java:372)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessorConfigs(ConfigurationUtils.java:316)
at org.elasticsearch.ingest.Pipeline.create(Pipeline.java:73)
at org.elasticsearch.ingest.IngestService.innerUpdatePipelines(IngestService.java:515)
at org.elasticsearch.ingest.IngestService.applyClusterState(IngestService.java:259)
at org.elasticsearch.cluster.service.ClusterApplierService.lambda$callClusterStateAppliers$6(ClusterApplierService.java:484)
at java.base/java.lang.Iterable.forEach(Iterable.java:75)
at org.elasticsearch.cluster.service.ClusterApplierService.callClusterStateAppliers(ClusterApplierService.java:481)
at org.elasticsearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:468)
at org.elasticsearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:419)
at org.elasticsearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:163)
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:252)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:215)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
access: access allowed ("java.security.SecurityPermission" "getPolicy")
access: domain that failed ProtectionDomain null
null
<no principals>
java.security.Permissions@5da5ecc6 (
)
access: access denied ("java.lang.RuntimePermission" "getClassLoader")
java.lang.Exception: Stack trace
at java.base/java.lang.Thread.dumpStack(Thread.java:1379)
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2058)
at java.base/java.lang.Class.getClassLoader(Class.java:836)
at com.appdynamics.appagent/com.singularity.ee.agent.appagent.services.bciengine.transformation.AnonymousClassDefTransformer.classDefTrap(AnonymousClassDefTransformer.java:61)
at com.singularity.ee.agent.appagent.entrypoint.bciengine.AnonymousClassDefTransformerBoot.classDefTrap(AnonymousClassDefTransformerBoot.java:31)
at java.base/jdk.internal.misc.Unsafe.defineAnonymousClass(Unsafe.java:1225)
at java.base/java.lang.invoke.InnerClassLambdaMetafactory.spinInnerClass(InnerClassLambdaMetafactory.java:321)
at java.base/java.lang.invoke.InnerClassLambdaMetafactory.buildCallSite(InnerClassLambdaMetafactory.java:189)
at java.base/java.lang.invoke.LambdaMetafactory.metafactory(LambdaMetafactory.java:329)
at java.base/java.lang.invoke.BootstrapMethodInvoker.invoke(BootstrapMethodInvoker.java:127)
at java.base/java.lang.invoke.CallSite.makeSite(CallSite.java:307)
at java.base/java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(MethodHandleNatives.java:259)
at java.base/java.lang.invoke.MethodHandleNatives.linkCallSite(MethodHandleNatives.java:249)
at org.elasticsearch.painless.ScriptClassInfo.methodArgument(ScriptClassInfo.java:180)
at org.elasticsearch.painless.ScriptClassInfo.<init>(ScriptClassInfo.java:99)
at org.elasticsearch.painless.Compiler.compile(Compiler.java:210)
at org.elasticsearch.painless.PainlessScriptEngine$5.run(PainlessScriptEngine.java:420)
at org.elasticsearch.painless.PainlessScriptEngine$5.run(PainlessScriptEngine.java:416)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
at org.elasticsearch.painless.PainlessScriptEngine.compile(PainlessScriptEngine.java:416)
at org.elasticsearch.painless.PainlessScriptEngine.compile(PainlessScriptEngine.java:167)
at org.elasticsearch.script.ScriptService.compile(ScriptService.java:363)
at org.elasticsearch.ingest.common.ScriptProcessor$Factory.create(ScriptProcessor.java:148)
at org.elasticsearch.ingest.common.ScriptProcessor$Factory.create(ScriptProcessor.java:90)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessor(ConfigurationUtils.java:402)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessor(ConfigurationUtils.java:372)
at org.elasticsearch.ingest.ConfigurationUtils.readProcessorConfigs(ConfigurationUtils.java:316)
at org.elasticsearch.ingest.Pipeline.create(Pipeline.java:73)
at org.elasticsearch.ingest.IngestService.innerUpdatePipelines(IngestService.java:515)
at org.elasticsearch.ingest.IngestService.applyClusterState(IngestService.java:259)
at org.elasticsearch.cluster.service.ClusterApplierService.lambda$callClusterStateAppliers$6(ClusterApplierService.java:484)
at java.base/java.lang.Iterable.forEach(Iterable.java:75)
at org.elasticsearch.cluster.service.ClusterApplierService.callClusterStateAppliers(ClusterApplierService.java:481)
at org.elasticsearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:468)
at org.elasticsearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:419)
at org.elasticsearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:163)
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:681)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:252)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:215)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
access: access allowed ("java.security.SecurityPermission" "getPolicy")
access: domain that failed ProtectionDomain null
null
<no principals>
java.security.Permissions@5da5ecc6 (
)When we access the AppDynamics dashboard, we see that Elasticsearch appears online, but the only metrics captured are CPU and memory usage.
Has anyone experienced this problem or instrumented AppDynamics another way, or can you help solve and try to understand this access denied error?
PS:
- The x-pack-security is currently enabled;
- The AppDynamics Java agent is stored in a volume attached for each Elasticsearch node with read and write access;
- We tried to give access to all this access denied error;
- The java policy we created were applied successfully;
- There is no AppDynamics logs in it's workspace about this access denied error;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sunil_Agarwal
Communicator
04-27-2023
08:53 PM
Hi @Marcos.R ,
You can add below snippets to the policy , save the file and restart the ElasticSearch JVM.
permission java.lang.RuntimePermission "getClassLoader";
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Marcos_R
New Member
05-02-2023
01:49 AM
Hi @Sunil.Agarwal,
Thank you for your answer!
I've already tried to add this permission, but the error remains.
Get Updates on the Splunk Community!
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination
Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar
Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
