Brewing in Beats: Monitor Kubernetes with Metricbeat

Welcome to Brewing in Beats! With this weekly series, we're keeping you up to date with what's new in Beats, including the latest commits and releases.

Monitor your Kubernetes ecosystem with Metricbeat

Thanks to Vijay Samuel, who worked closely with Carlos, there is a community contribution to add support for Kubernetes monitoring in Metricbeat. The new module interrogates the kubelets, with more modules planned for the other aspects of Kubernetes. The kubelet is the primary “node agent” that runs on each node in Kubernetes. It gives you details about the running containers and the available pods like the CPU usage, memory usage, bytes exchanged over the network, about filesystem or about the logs capacity.

To get it started, you just need to configure kubelet endpoint and enabled the metricsets you are interested in:

- module: kubelet
metricsets: ["node","container","volume","pod","system"]
hosts: ["localhost:10255"]
enabled: true

The kubelet module is planned to be released in 6.0.

Add processor for exporting timezone

The add_locale processor can be used to add the timezone to events. This can be used to inform downstream systems on how the timestamp fields should be interpreted. The timezone is added in the beat.timezone field, currently not configurable.

- add_locale:

Add DNS dashboards in Packetbeat

We added two new Kibana dashboards to monitor the DNS queries with Packetbeat. An interesting one is about DNS tunneling that was added with this pull request.

dns tunneling.png

Audit logs in Gosigar

Gosigar, which is our library for getting operating specific data, is getting support to get and parse the logs from the Linux audit framework. This is an alternative to the Filebeat module we added last week. Having access to the audit framework from Go code opens a lot of interesting possibilities, for example, capturing short lived processes and connections in Metricbeat.

Other changes in the elastic/beats repository

Affecting all Beats

Changes in master:

  • Downgrade ES bulk item log message #3954
  • libbeat/scripts: make testsuite target re-runnable #3925
  • Dynamically generate template on startup #3681
  • Expose metrics through http endpoint #3717


Changes in master:

  • heartbeat: setup default ports in http monitors #3924


Changes in master:

  • Fix Winlogbeat bug affecting include_xml #3943
  • Fix Winlogbeat test by checking full hostname #3942
  • Remove metrics endpoint in winlogbeat #3901


Changes in master:

  • Fixing panic on prometheus collector when the label has a comma #3947
  • Adding support for custom http headers and TLS for metricbeat modules #3945
  • Remove windows module from the short config file #3936
  • Add new MetricSet interfaces for Module Developers #3908
  • Refactoring config handling for perfmon metricset #3896
  • Add config option to disable or enable cmdline cache for System Process Metricset #3891
  • Remove ApplyNoError from Schema #3872


Changes in master:

  • Add DNS Tunneling dashboard for Packetbeat #3884
  • Add DNS dashboard for Packetbeat #3883


Changes in 5.3:

  • Allow - in Apache access log byte count #3863

Changes in master:

  • Document all fields used in auditd dashboards #3962
  • Filebeat syslog module: support for lines without a program name #3944
  • Rename Filebeat module from system.audit to auditd.log #3941
  • Don't stop Filebeat when modules + logstash are used together #3929
  • Ignore audit fileset on macOS #3923
  • Fix the Syslog search in the Dashboards #3920
  • Fix flaky filebeat test #3914
  • Fix filebeat registrar system test #3899
  • Prospector level processors #3853


Changes in master:

  • dev-tools: add usage to cherrypick_pr #3961
  • New location for the github token #3960
  • Remove testdata from dev-tools/vendor directory #3935
  • Introduce beat version specific environments #3922
  • Update codecov config #3906
  • Update docs on how to use govendor #3876
  • Update docker module to govendor and most recent version #3874
  • Update dev-tools to use govendor #3873
  • dev-tools: run golint/reviewdog in Jenkins #3832


Changes in 5.3:

  • Remove yellow box redirecting users to master for dev docs #3958
  • Add comment about make -j being unsupported #3937
  • Clarify docs around setting the index and @metadata fields #3866,
  • Add step to change file ownership on mac #3870,
  • Fix doc build for conf-file-permissions #3875

Changes in master:

  • Remove outdated content from packetbeat dev guide #3963
  • Clarify module quick start steps #3928
  • Add workaround for Heartbeat install issue #3835