Collecting Elasticsearch monitoring data with Metricbeatedit

In 6.5 and later, you can use Metricbeat to collect data about Elasticsearch and ship it to the monitoring cluster, rather than routing it through exporters as described in Legacy collection methods.

Example monitoring architecture
  1. Enable the collection of monitoring data.

    Set xpack.monitoring.collection.enabled to true on the production cluster. By default, it is disabled (false).

    You can use the following APIs to review and change this setting:

    GET _cluster/settings
    
    PUT _cluster/settings
    {
      "persistent": {
        "xpack.monitoring.collection.enabled": true
      }
    }

    If Elasticsearch security features are enabled, you must have monitor cluster privileges to view the cluster settings and manage cluster privileges to change them.

    For more information, see Monitoring settings and Cluster update settings.

  2. Install Metricbeat on each Elasticsearch node in the production cluster. Failure to install on each node may result in incomplete or missing results.
  3. Enable the Elasticsearch module in Metricbeat on each Elasticsearch node.

    For example, to enable the default configuration for the Elastic Stack monitoring features in the modules.d directory, run the following command:

    metricbeat modules enable elasticsearch-xpack

    For more information, refer to Elasticsearch module.

  4. Configure the Elasticsearch module in Metricbeat on each Elasticsearch node.

    The modules.d/elasticsearch-xpack.yml file contains the following settings:

      - module: elasticsearch
        xpack.enabled: true
        period: 10s
        hosts: ["http://localhost:9200"] 
        #scope: node 
        #username: "user"
        #password: "secret"
        #ssl.enabled: true
        #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
        #ssl.certificate: "/etc/pki/client/cert.pem"
        #ssl.key: "/etc/pki/client/cert.key"
        #ssl.verification_mode: "full"

    By default, the module collects Elasticsearch monitoring metrics from http://localhost:9200. If that host and port number are not correct, you must update the hosts setting. If you configured Elasticsearch to use encrypted communications, you must access it via HTTPS. For example, use a hosts setting like https://localhost:9200.

    By default, scope is set to node and each entry in the hosts list indicates a distinct node in an Elasticsearch cluster. If you set scope to cluster, each entry in the hosts list indicates a single endpoint for a distinct Elasticsearch cluster (for example, a load-balancing proxy fronting the cluster).

    If Elastic security features are enabled, you must also provide a user ID and password so that Metricbeat can collect metrics successfully:

    1. Create a user on the production cluster that has the remote_monitoring_collector built-in role. Alternatively, use the remote_monitoring_user built-in user.
    2. Add the username and password settings to the Elasticsearch module configuration file.
    3. If TLS is enabled on the HTTP layer of your Elasticsearch cluster, you must either use https as the URL scheme in the hosts setting or add the ssl.enabled: true setting. Depending on the TLS configuration of your Elasticsearch cluster, you might also need to specify additional ssl.* settings.
  5. Optional: Disable the system module in Metricbeat.

    By default, the system module is enabled. The information it collects, however, is not shown on the Monitoring page in Kibana. Unless you want to use that information for other purposes, run the following command:

    metricbeat modules disable system
  6. Identify where to send the monitoring data.

    In production environments, we strongly recommend using a separate cluster (referred to as the monitoring cluster) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.

    For example, specify the Elasticsearch output information in the Metricbeat configuration file (metricbeat.yml):

    output.elasticsearch:
      # Array of hosts to connect to.
      hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] 
    
      # Optional protocol and basic auth credentials.
      #protocol: "https"
      #username: "elastic"
      #password: "changeme"

    In this example, the data is stored on a monitoring cluster with nodes es-mon-1 and es-mon-2.

    If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a hosts setting like https://es-mon-1:9200.

    The Elasticsearch monitoring features use ingest pipelines, therefore the cluster that stores the monitoring data must have at least one ingest node.

    If Elasticsearch security features are enabled on the monitoring cluster, you must provide a valid user ID and password so that Metricbeat can send metrics successfully:

    1. Create a user on the monitoring cluster that has the remote_monitoring_agent built-in role. Alternatively, use the remote_monitoring_user built-in user.
    2. Add the username and password settings to the Elasticsearch output information in the Metricbeat configuration file.

    For more information about these configuration options, see Configure the Elasticsearch output.

  7. Start Metricbeat on each node.
  8. Disable the default collection of Elasticsearch monitoring metrics.

    Set xpack.monitoring.elasticsearch.collection.enabled to false on the production cluster.

    You can use the following API to change this setting:

    PUT _cluster/settings
    {
      "persistent": {
        "xpack.monitoring.elasticsearch.collection.enabled": false
      }
    }

    If Elasticsearch security features are enabled, you must have monitor cluster privileges to view the cluster settings and manage cluster privileges to change them.

  9. View the monitoring data in Kibana.