WARNING: Version 6.0 of Metricbeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« System process summary metricset vSphere module »
Elastic Docs Metricbeat Reference [6.0] Modules System module

System socket metricset

edit

System socket metricset

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This metricset is available on Linux only and requires kernel 2.6.14 or newer.

The system socket metricset reports an event for each new TCP socket that it sees. It does this by polling the kernel periodically to get a dump of all sockets. You set the polling interval by configuring the period option. Specifying a short polling interval with this metricset is important to avoid missing short-lived connections. For example:

metricbeat.modules:
- module: system
  metricsets: [cpu, memory]
- module: system
  metricsets: [socket] 
  period: 1s

You can configure the socket metricset separately to specify a different period value than the other metricsets.

The metricset reports the process that has the socket open. In order to provide this information, Metricbeat must be running as root. Root access is also required to read the file descriptor information of other processes.

Configuration

edit
- module: system
  metricsets: [socket]
  socket.reverse_lookup.enabled: false
  socket.reverse_lookup.success_ttl: 60s
  socket.reverse_lookup.failure_ttl: 60s
socket.reverse_lookup.enabled
You can configure the metricset to perform a reverse lookup on the remote IP, and the returned hostname will be added to the event and cached. If a hostname is found, then the eTLD+1 (effective top-level domain plus one level) value will also be added to the event. Reverse lookups are disabled by default.
socket.reverse_lookup.success_ttl
The results of successful reverse lookups are cached for the period of time defined by this option. The default value is 60s.
socket.reverse_lookup.failure_ttl
The results of failed reverse lookups are cached for the period of time defined by this option. The default value is 60s.

Fields

edit

For a description of each field in the metricset, see the exported fields section.

Here is an example document generated by this metricset:

{
    "@timestamp": "2016-05-23T08:05:34.853Z",
    "beat": {
        "hostname": "host.example.com",
        "name": "host.example.com"
    },
    "metricset": {
        "module": "system",
        "name": "socket",
        "rtt": 115
    },
    "system": {
        "socket": {
            "direction": "listening",
            "family": "ipv6",
            "local": {
                "ip": "::",
                "port": 42061
            },
            "process": {
                "cmdline": "/tmp/go-build519327234/github.com/elastic/beats/metricbeat/module/system/socket/_test/socket.test -test.v=true -data",
                "command": "socket.test",
                "exe": "/tmp/go-build519327234/github.com/elastic/beats/metricbeat/module/system/socket/_test/socket.test",
                "pid": 2025
            },
            "user": {
                "id": 0,
                "name": "root"
            }
        }
    },
    "type": "metricsets"
}
« System process summary metricset vSphere module »