John Mark Causing

System Administrator | Hosting Support Engineer

[email protected]

Bacolod City, Philippines

+639393497018

John Mark Causing

System Administrator | Hosting Support Engineer

[email protected]

Bacolod City, Philippines

+639393497018

ELK using Multipass (MacOS) + LXD/LXC – Part 4 – Metricbeat (collect and transfer logs)

by | Jul 11, 2021 | elk, linux | 0 comments

In our previous tutorial, we have 3 LXC containers: master-1, data-1 and data-2. Login and ssh to each of those containers and install Filebeat then install it

curl -O https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.13.3-x86_64.rpm
rpm --install metricbeat-7.13.3-x86_64.rpm 
systemctl enable metricbeat

Edit the yml file /etc/metricbeat/metricbeat.yml. These are the only lines I changed from the LXC master-1 (look under “setup.kibana” and “—- Outputs —-)

The IP below is the master-1 host and it’s Kibana port 8080

  host: "10.73.174.25:8080"

Under —- Outputs —-, just change the hostname, port, username and password. The IP below is the master-1 host and the port 9200 is the elasticsearch port service.

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.73.174.25:9200"]

  #api_key: "id:api_key"
  username: "elastic"
  password: "password88123818"

Do the same for file beat. Google “Download filebeat rpm” and install like the steps above. Follow the same concept for editing the yml file.

Enable system mode from Filebeat

[root@master-1 ~]# filebeat modules enable system
Enabled system

Push the config for all the enabled modules. Make sure ES and Kibana are up and running. Otherwise, this will fail.

[root@master-1 ~]# filebeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)

Loaded dashboards
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
Loaded machine learning job configurations
Loaded Ingest pipelines

Start the Filebeat service and check the status

[root@master-1 ~]# systemctl start metricbeat
[root@master-1 ~]# systemctl status metricbeat
● metricbeat.service - Metricbeat is a lightweight shipper for metrics.
   Loaded: loaded (/usr/lib/systemd/system/metricbeat.service; disabled; vendor preset: disabled)
  Drop-In: /run/systemd/system/metricbeat.service.d
           └─zzz-lxc-service.conf
   Active: active (running) since Sun 2021-07-11 23:30:47 UTC; 4s ago

Check if Filebeat indexes in ES. Check if it’s properly ingesting data

curl localhost:9200/_cat/indices?v -u elastic

Screenshot above shows it is there with 1083 documents/log events. So the steps above was for the ‘master-1’ node/container.

Do the same for the other containers ‘data-1’ and ‘data-2’

Do you want to say hello? Let me know!

Facebook

Linkedin

[email protected]

+639393497018

Github

Powered by Kinsta Inc. (Managed WordPress Hosting) & Divi Theme  © 2022