You can use Metricbeat to collect data about Logstash and ship it to the monitoring cluster. The benefit of Metricbeat collection is that the monitoring agent remains active even if the Logstash instance does not.
To collect and ship monitoring data:
Want to use Elastic Agent instead? Refer to Elastic Agent collection.
Disable default collection of Logstash monitoring metricsedit
monitoring setting is in the Logstash configuration file (logstash.yml), but is
# at the beginning of the line to enable the setting.
To bind the metrics of Logstash to a specific cluster, optionally define the
in the configuration file (logstash.yml):
Install and configure Metricbeatedit
- Install Metricbeat on the same server as Logstash.
logstash-xpackmodule in Metricbeat.
To enable the default configuration in the Metricbeat
deb or rpm:
metricbeat modules enable logstash-xpack
linux or mac:
./metricbeat modules enable logstash-xpack
PS > .\metricbeat.exe modules enable logstash-xpack
For more information, see Specify which modules to run and beat module.
logstash-xpackmodule in Metricbeat.
modules.d/logstash-xpack.ymlfile contains these settings:
- module: logstash metricsets: - node - node_stats period: 10s hosts: ["localhost:9600"] #username: "user" #password: "secret" xpack.enabled: true
passwordto authenticate with Logstash. For other module settings, it’s recommended that you accept the defaults.
By default, the module collects Logstash monitoring data from
To monitor multiple Logstash instances, specify a list of hosts, for example:
Elastic security. The Elastic security features are enabled by default. You must provide a user ID and password so that Metricbeat can collect metrics successfully:
Create a user on the production cluster that has the
passwordsettings to the module configuration file (
- Create a user on the production cluster that has the
Optional: Disable the system module in the Metricbeat.
By default, the system module is enabled. The information it collects, however, is not shown on the Stack Monitoring page in Kibana. Unless you want to use that information for other purposes, run the following command:
metricbeat modules disable system
Identify where to send the monitoring data.
In production environments, we strongly recommend using a separate cluster (referred to as the monitoring cluster) to store the data. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster.
For example, specify the Elasticsearch output information in the Metricbeat configuration file (
output.elasticsearch: # Array of hosts to connect to. hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] # Optional protocol and basic auth credentials. #protocol: "https" #username: "elastic" #password: "changeme"
If you configured the monitoring cluster to use encrypted communications, you must access it via HTTPS. For example, use a
The Elasticsearch monitoring features use ingest pipelines, therefore the cluster that stores the monitoring data must have at least one ingest node.
Elastic security. The Elastic security features are enabled by default. You must provide a user ID and password so that Metricbeat can send metrics successfully:
Create a user on the monitoring cluster that has the
remote_monitoring_agentbuilt-in role. Alternatively, use the
If you’re using index lifecycle management, the remote monitoring user requires additional privileges to create and read indices. For more information, see
passwordsettings to the Elasticsearch output information in the Metricbeat configuration file.
For more information about these configuration options, see Configure the Elasticsearch output.
- Start Metricbeat to begin collecting monitoring data.
- View the monitoring data in Kibana.
Your monitoring setup is complete.
Intro to Kibana
ELK for Logs & Metrics