Elastic Stack: Monitor and Troubleshoot Issues with Parallels RAS and ELK Stack

Elastic Slack – If you ever administered a multi-server service, you probably know that monitoring the service and investigating accidents is not a trivial task. The bigger the service, the more distributed data you are surrounded with. Did you ever feel lost in all that data? We at Parallels know how important it is to be in control, and we have experience in system monitoring and troubleshooting that helps us when we develop Parallels® Remote Application Server (RAS). In this blog post, I’ll share this experience with you.

Parallels RAS has many components, including RD Session Host Servers, Publishing Agents, Secure Client Gateways, VDI Agents, and some others. Each component writes a log into its own file. So, when an IT administrator needs to investigate something or when they need to monitor critical event records in a Parallels RAS deployment, they have to deal with multiple log files.

The Parallels team has decided to come up with a solution that would make it easier for our customers and the support team to monitor and troubleshoot issues with Parallels RAS.

Eventually, we settled on Elastic Stack also known as ELK Stack.

In this blog post, I’ll show you how the integration of Parallels RAS with ELK Stack can save you time and make you more productive. I will cover a sample deployment and finish with an overview of log visualization in Kibana.

All configs, Kibana filters, and dashboards (which are necessary for the deployment) are publicly available under the Parallels account on GitHub.

The Parallels team will be happy to hear your feedback about the solution described in this blog post. Also feel free to leave comments on our Parallels forum.

Let’s see what a typical Kibana dashboard, pre-configured by the Parallels team, looks like.

  1. Monitor critical events related to client connections.

Elastic Stack      2. Monitor overall installation health and react on new errors before users start to complain.

Elastic Stack     3. Browse logs from a single place and filter all the records around the one that is interesting to you at the moment.

Elastic Slack

Let’s move on to the deployment procedure.

The deployment consists of four parts:

  1. Synchronize time on Parallels RAS hosts.
  2. Deploy Elastic Stack.
  3. Prepare Elastic Stack for accepting Parallels RAS events.
  4. Deploy the Filebeat service on Parallels RAS servers.

Elastic Stack: Synchronize Time on Parallels RAS Hosts

It is important that each host sends out log data using a correct timestamp. Otherwise log records from different hosts may display in the wrong order. You should make sure that the time is synchronized on all servers that will be sending log data to ELK Stack.

Here is the official guide from Microsoft that explains how to do this.

Elastic Stack: Deploy an ELK

For this demo, I’ll use a template available from Bitnami in Azure Marketplace.

You may deploy your own on-premises virtual machine for this. If you do, please follow the Elastic guides and install Elasticsearch, Kibana, and Logstash.

We don’t need any specific settings to ELK services besides those that are listed in this guide.

  1. Create a resource group in Azure and deploy the Bitnamy ELK template from Azure marketpace.
  2. Once the VM is provisioned, add an inbound port rule in the VM network configuration. In this example, we will open logstash port only: 5044. This is how it should look in Azure:

Elastic Stack     3. Find and note the Kibana user password in the serial log in the “Boot diagnostics” sections of the VM.

Elastic Stack

Elastic Stack: Configure Logstash

    1. Log in to the VM using SSH.
    2. Stop Logstash service.
      • Bitnami appliance:

bitnami@ELK-VM:~$ sudo /opt/bitnami/ctlscript.sh stop logstash

Unmonitored logstash

/opt/bitnami/logstash/scripts/ctl.sh : logstash stopped

      • Manually installed ELK:

root@ELK-VM:~$ sudo service logstash stop

  1. Change logstash config with the one prepared for Parallels RAS: https://raw.githubusercontent.com/Parallels/RAS-ELK/master/ELK%20configs/logstash.conf bitnami@ELK-VM:~$ cd /opt/bitnami/logstash/conf/bitnami@ELK-VM:/opt/bitnami/logstash/conf$ sudo mv logstash.conf ~/logstash.conf.oldbitnami@ELK-VM:/opt/bitnami/logstash/conf$ sudo wget “https://raw.githubusercontent.com/Parallels/RAS-ELK/master/ELK%20configs/logstash.conf” -O        ./logstash.conf

    –2018-03-15 16:49:41–  https://raw.githubusercontent.com/Parallels/RAS-ELK/master/ELK%20configs/logstash.conf

    Resolving raw.githubusercontent.com (raw.githubusercontent.com)…

    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)||:443… connected.

    HTTP request sent, awaiting response… 200 OK

    Length: 5103 (5.0K) [text/plain]

    Saving to: ‘./logstash.conf’

    ./logstash.conf           100%[=====================================>]   4.98K  –.-KB/s    in 0.001s

    2018-03-15 16:49:41 (6.63 MB/s) – ‘./logstash.conf’ saved [5103/5103]

  2. Start Logstash

         bitnami@ELK-VM:/opt/bitnami/logstash/conf$ sudo /opt/bitnami/ctlscript.sh start logstash

/opt/bitnami/logstash/scripts/ctl.sh : logstash started

Monitored logstash

root@ELK-VM:~$ sudo service logstash start

Elastic Stack: Configure Filebeat

Filebeat is a component that will send logs from a server to logstash on your ELK Stack VM. Filebeat just reads existing logs and doesn’t modify them. It should be installed and configured the same way on every server in your Parallels RAS installation.

    1. Download Filebeat to a server.
    2. Extract the archive content to “Program files\filebeat”.
    3. Download the Parallels RAS Filebeat config.
    4. Correct config according to your environment.
      a. Find the following section of the yml

Elastic Stack        b. Change it with your ELK Stack VM public IP.

  1. Unblock “install-service-filebeat.ps1”a. Right-click on the script and choose Properties.b. Find and check the “Unblock” checkbox at the bottom of the window.c. Click Apply.
  2. Install and start the Filebeat service using the script from PowerShell.

Elastic Stack

Elastic Stack: Configure Kibana

  1. Enable remote access to Kibana in kibana.yml if you installed ELK by yourself.
    a. Add host: “<Public VM IP>”
  2. Log in to Kibana from your browser: https://<Public VM IP>
    a.Click Login to the admin console.
    b. Use the credentials noted during the ELK Stack deployment.
  3. Once logged in to Kibana, you’ll see the configuration page. It needs indexes to be configured in order to start working with the data. Let’s create one.
  4. Step 1 of 2: Define the index pattern. You pattern should cover all the indexes created from Filebeat. In our case it should look like “filebeat-*”
    Elastic Stack
  5. Step 2 of 2: Configure settings.
    All you need to define here is a Time Filter field name. In our case, it’s @timestamp.

Now you can start using Kibana to list and monitor Parallels RAS logs.


If you have a lot of logs then it may take a significant amount of time to upload and index all of them. It means that you won’t see everything in Kibana at this time, but new data will appear over time until it’s all uploaded and processed.

I suggest you start with a set of Dashboards and Filters prepared by us:

  1. Download a set of filters, visualizations, and dashboards:
    a. Download the following json file: https://raw.githubusercontent.com/Parallels/RAS-ELK/master/ELK%20filters/RAS%20-%20SAMPLE%20-%20EVERYTHING.json
    b. Open Management -> Saved Objects
    c. Click the Import button and select the json file from Step A.
  2.  Open Dashboards and check what you’ve got.
  3. Try to use search, to find any events you’re interested in.

I hope this article helps you to save some time and nerves while investigating any issues or monitoring your Parallels RAS installations. I found having all the Parallels RAS logs in a single place very handy and even forgot when I last visited hosts for logs. Again, please feel free to share your ideas with us at Parallels Forum or even send us your changes to Parallels GIT.

Elastic Stack: Known Issue

Parallels RAS logs events in a local time zone. You can specify a server time zone in the Filebeat config.