Lab 3.1: Configuring Metricbeat - squatchulator/Tech-Journal GitHub Wiki

Lab 3.1 - Configuring Metricbeat

Metricbeat is a lightweight shipper that you install on your servers to periodically collect metrics from the operating system and from services running on the server. It ships the metrics and statistics it collects to the output you specify, such as Logstash or, as in this lab, directly to Elasticsearch. Specifically, we will have Metricbeat ship System and Apache metrics to Elasticsearch and then view them in Kibana.

Preparation

  • On the Ubuntu server, install Apache2 with the following commands, then visit your server on its private IP and port 80. You should see the default landing page:
sudo apt update
sudo apt install apache2 -y
sudo systemctl start apache2
  • Check your time/date on the Ubuntu server with timedatectl and verify it's right. If not, run sudo timedatectl set-timezone America/New_York
  • Double-check Elasticsearch and Kibana are running

Installing Beats

  • To install, run:
sudo apt-get install metricbeat

Configuring Metricbeat

  • After installing, edit the config file with sudo nano /etc/metricbeat/metricbeat.yml. Scroll down to the Kibana section, uncomment the "#host" line, and change "localhost" to your private IP.
  • Now scroll down to the "output.elasticsearch:" section, and change "localhost" to your private IP again.

Metricbeat uses modules to collect metrics. Each module defines the basic logic for collecting data from a specific service. In our lab, we will use "system", which collects basic system metrics (like uptime, cpu...), and "apache", which collects metrics on the Apache service. Running sudo metricbeat modules list|more will show all the supported modules. You should see that "system" is enabled by default.

  • Run sudo metricbeat modules enable apache to enable the Apache module.
  • sudo metricbeat test config -e shows you config info and the output should end with "Config OK".
  • Assuming the config works, run sudo metricbeat setup -e. It may take a while but should finish without errors.
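
A file that still points at localhost is valid and also ends with "Config OK", so it helps to confirm the two host edits were saved before running setup. The script below is an added example, not part of the original lab; the function names, the sample files and the 10.0.5.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): confirm both host edits were saved in metricbeat.yml.

# Print the value of an uncommented key under a top-level section of the config.
# $1 = config file, $2 = section (e.g. setup.kibana), $3 = key (host or hosts)
section_value() {
  awk -v section="$2:" -v key="$3:" '
    /^[^ \t#]/ { in_section = ($1 == section) }   # any top-level key opens or closes the section
    in_section && $1 == key {                      # a commented "#host:" never equals "host:"
      sub(/^[ \t]*[^:]+:[ \t]*/, ""); print; exit
    }' "$1"
}

# Return 0 only if the Kibana host and the Elasticsearch hosts are set and not loopback.
check_metricbeat_hosts() {
  mb_rc=0
  for mb_pair in setup.kibana:host output.elasticsearch:hosts; do
    mb_val=$(section_value "$1" "${mb_pair%:*}" "${mb_pair#*:}")
    case "$mb_val" in
      "")                      echo "$mb_pair missing or still commented out"; mb_rc=1 ;;
      *localhost*|*127.0.0.1*) echo "$mb_pair still points at localhost: $mb_val"; mb_rc=1 ;;
      *)                       echo "$mb_pair = $mb_val" ;;
    esac
  done
  return "$mb_rc"
}

# Constructed samples: the lines before the lab edits, then the same lines after them.
# 10.0.5.10 is a made-up private IP; substitute your own.
MB_DEMO=$(mktemp -d)
cat > "$MB_DEMO/default.yml" <<'EOF'
setup.kibana:
  #host: "localhost:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
EOF
cat > "$MB_DEMO/edited.yml" <<'EOF'
setup.kibana:
  host: "10.0.5.10:5601"
output.elasticsearch:
  hosts: ["10.0.5.10:9200"]
EOF
check_metricbeat_hosts "$MB_DEMO/default.yml" || echo "-> default.yml still needs the lab edits"
check_metricbeat_hosts "$MB_DEMO/edited.yml"  && echo "-> edited.yml has both hosts set"
```

On the lab server, call check_metricbeat_hosts /etc/metricbeat/metricbeat.yml (with sudo if the file is not readable by your user).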

Starting Metricbeat

  • Now, start it up with sudo service metricbeat start.
  • We can go to our Kibana dashboard and look for metricbeat data in the Discover page under the metricbeat-* index pattern.
  • In the Dashboard tab, search for the "[Metricbeat System] Overview ECS" dashboard and select it. It should show some info on the system status.
  • You can also check the status of Apache with the "[Metricbeat Apache] Overview ECS" dashboard.

Metricbeat Analysis

  • If you go back to Discover and view the Metricbeat logs, you can look for entries to monitor, and create search filters.