Monitoring in a production environment

By default, X-Pack monitoring agents on Elasticsearch index data into the cluster where they’re running. In production, you should send data to a separate monitoring cluster so that historical monitoring data is available even if the nodes you are monitoring are not. Using a dedicated monitoring cluster also enables you to monitor multiple clusters from a central location.

To store monitoring data in a separate cluster:

  1. Set up the Elasticsearch cluster you want to use for monitoring. For example, you might set up a two-host cluster with the nodes es-mon-1 and es-mon-2.

    Note

    To monitor an Elasticsearch 6.x cluster, you must run Elasticsearch 6.x on the monitoring cluster.

  2. Configure X-Pack monitoring in Kibana.

    Note

    Kibana makes requests to the monitoring cluster as the logged-in user. The username and password credentials must therefore be valid on both the Kibana server and the monitoring cluster.

  3. Create a user on the monitoring cluster that has the remote_monitoring_agent role. These credentials will be used when data is shipped from the Elasticsearch cluster you are monitoring to your dedicated monitoring cluster. For example, the following request creates a remote_monitor user that has the remote_monitoring_agent role:

    POST /_xpack/security/user/remote_monitor
    {
      "password" : "changeme",
      "roles" : [ "remote_monitoring_agent"],
      "full_name" : "Internal Agent For Remote Monitoring"
    }

  4. Configure each Elasticsearch node in the cluster you are monitoring to send metrics to your monitoring cluster by adding an HTTP exporter to the xpack.monitoring.exporters settings in elasticsearch.yml.

    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["http://es-mon-1:9200", "http://es-mon-2:9200"]
        auth.username: remote_monitor
        auth.password: changeme

    If SSL/TLS is enabled on the monitoring cluster, you must connect through HTTPS.

    If X-Pack security is disabled on the monitoring cluster, you can omit auth.username and auth.password.

  5. If SSL/TLS is enabled on the monitoring cluster, specify the trusted CA certificate(s) that will be used to verify the identity of the nodes in the monitoring cluster.

    To add a CA certificate to an Elasticsearch node’s trusted certificates, you can specify the location of the PEM encoded certificate with the certificate_authorities setting:

    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["https://es-mon-1:9200", "https://es-mon-2:9200"]
        auth:
          username: remote_monitor
          password: changeme
        ssl:
          certificate_authorities: [ "/path/to/ca.crt" ]

    Alternatively, you can configure trusted certificates using a truststore (a Java Keystore file that contains the certificates):

    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["https://es-mon-1:9200", "https://es-mon-2:9200"]
        auth:
          username: remote_monitor
          password: changeme
        ssl:
          truststore.path: /path/to/file
          truststore.password: password

  6. Restart Elasticsearch on the nodes in your production cluster.

    Tip

    You may want to temporarily disable shard allocation before you restart your nodes to avoid unnecessary shard reallocation during the install process.

  7. To verify your X-Pack monitoring installation, point your web browser at your Kibana host, and select Monitoring from the side navigation. When security is enabled, to view the monitoring dashboards you must log in to Kibana as a user who has both the kibana_user and monitoring_user roles. For example:

    POST /_xpack/security/user/stack-monitor
    {
      "password" : "changeme",
      "roles" : [ "kibana_user", "monitoring_user" ]
    }
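
The exporter settings from steps 4 and 5 can be checked before the restart in step 6. The following is an added example, not part of the Elastic documentation: the names `flatten` and `audit_exporters` are hypothetical, the input is elasticsearch.yml already parsed into a dict, and the sample configurations are constructed to mirror the flat and nested forms shown above. It flags credentials sent to a non-HTTPS host, the sample passwords used on this page, and HTTPS hosts with no CA or truststore configured.

```python
# Added example: audit the HTTP exporter settings from steps 4 and 5.
# Input is elasticsearch.yml already parsed into a dict (e.g. by a YAML loader).
PLACEHOLDER_PASSWORDS = {"changeme", "password"}  # sample values shown on this page

def flatten(node, prefix=""):
    """Collapse nested mappings so 'auth: {username: x}' equals 'auth.username: x'."""
    flat = {}
    for key, value in node.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def audit_exporters(settings):
    """Return sorted (exporter_id, finding) pairs for every http exporter."""
    root = "xpack.monitoring.exporters."
    exporters = {}
    for key, value in flatten(settings).items():
        if key.startswith(root):
            exporter_id, _, option = key[len(root):].partition(".")
            exporters.setdefault(exporter_id, {})[option] = value
    findings = []
    for exporter_id, opts in exporters.items():
        if opts.get("type") != "http":
            continue
        hosts = opts.get("host", [])
        hosts = [hosts] if isinstance(hosts, str) else list(hosts)
        # Assumption: a host without an explicit https:// scheme is plain HTTP.
        plain = [h for h in hosts if not h.startswith("https://")]
        if plain and ("auth.username" in opts or "auth.password" in opts):
            findings.append((exporter_id, "credentials sent over plain HTTP"))
        if opts.get("auth.password") in PLACEHOLDER_PASSWORDS:
            findings.append((exporter_id, "placeholder password"))
        trust = "ssl.certificate_authorities" in opts or "ssl.truststore.path" in opts
        if len(plain) < len(hosts) and not trust:
            findings.append((exporter_id, "HTTPS without CA or truststore (step 5)"))
    return sorted(findings)

# Constructed sample inputs mirroring the flat (step 4) and nested (step 5) forms.
STEP4 = {"xpack.monitoring.exporters": {"id1": {
    "type": "http", "host": ["http://es-mon-1:9200", "http://es-mon-2:9200"],
    "auth.username": "remote_monitor", "auth.password": "changeme"}}}
STEP5 = {"xpack.monitoring.exporters": {"id1": {
    "type": "http", "host": ["https://es-mon-1:9200", "https://es-mon-2:9200"],
    "auth": {"username": "remote_monitor", "password": "<unique-strong-password>"},
    "ssl": {"certificate_authorities": ["/path/to/ca.crt"]}}}}

print(audit_exporters(STEP4), audit_exporters(STEP5))
```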