Awesome Monitoring Infrastructure Using the Elastic Stack

A presentation at Linux.conf.au 2019 in January 2019 in Christchurch, New Zealand by Mark Walkom

Slide 1

Awesome Monitoring Infrastructure Using the Elastic Stack
Mark Walkom @warkolm
Karen Carcamo @karencfv
www.elastic.co
LINUX.CONF.AU | 21-25 January 2019 | Christchurch, NZ | The Linux of Things | #LCA2019 | @linuxconfau

Slide 2

Please install Docker :)

docker pull docker.elastic.co/elasticsearch/elasticsearch:6.5.4
docker pull docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.4
docker pull docker.elastic.co/kibana/kibana:6.5.4
docker pull docker.elastic.co/kibana/kibana-oss:6.5.4

Commands at https://go.es.io/2MjxC9M
Slides at https://go.es.io/2FN9ufo

Slide 3

Us!

Slide 4

Slide 5

https://github.com/markwalkom/bloomsky-on-elastic

Slide 6

Elastic Stack
Elasticsearch, Kibana, Beats, and Logstash

Slide 7

Elastic Stack
Kibana: Visualize & Manage
Elasticsearch: Store, Search, & Analyze
Beats and Logstash: Ingest

Slide 8

Elasticsearch
Heart of the Elastic Stack
● Scalable
● Real-time
● Highly available
● Developer-friendly
● Versatile storage
● Query & aggregations

Slide 9

QUERY | TEMPORAL | AGGREGATION | GEOSPATIAL | GRAPH | MACHINE LEARNING

Slide 10

Kibana
Window into the Elastic Stack
● Visualize and explore
● Manage and monitor
● Share and report
● Developer tools
● Time-series analysis
● Geospatial exploration

Slide 11

All the visualizations you expect, and then some more

Slide 12

OOTB dashboards for 50+ (and growing) data sources

Slide 13

Beats
Lightweight data shippers
● Ship from any source
● Transform at the edge
● Docker and k8s ready
● Cloud metadata enrichment
● 70+ community Beats
● 50+ modules

Slide 14

FILEBEAT: Log Files
METRICBEAT: Metrics
WINLOGBEAT: Windows Events
PACKETBEAT: Network Data
HEARTBEAT: Uptime Monitoring
FUNCTIONBEAT: Serverless Monitoring
AUDITBEAT: Audit Data
Plus a growing set of community Beats

Slide 15

Logstash
Data processing pipeline
● Flexible ETL engine
● Parse & transform data
● Many inputs & outputs
● Horizontally scalable
● 200+ plugins

Slide 16

Modules
Data to dashboards in 5 minutes
● Turnkey for many formats
● Automated data parsing
● Out of the box dashboards
● Preconfigured ML jobs

Slide 17

Let’s get started

Slide 18

Let’s Install Elasticsearch

docker pull docker.elastic.co/elasticsearch/elasticsearch:6.5.4

Or

docker pull docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.4

• https://www.elastic.co/guide/en/elasticsearch/reference/6.5/docker.html
• https://www.docker.elastic.co/
• https://hub.docker.com/_/elasticsearch

Slide 19

Let’s Run Elasticsearch

docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:6.5.4

Or (detached, with -d)

docker run -d -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:6.5.4

• https://www.elastic.co/guide/en/elasticsearch/reference/6.5/docker.html

Slide 20

Let’s docker-compose Elasticsearch

version: '2.2'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
    volumes:
      - esdata:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
volumes:
  esdata:
    driver: local

Slide 21

Let’s (just) Elasticsearch

curl 0:9200/_cat/
curl 0:9200/_cat/health
curl 0:9200/_cat/indices?v

• https://www.elastic.co/guide/en/elasticsearch/reference/6.5/cat.html

Slide 22

Kibana Install

docker pull docker.elastic.co/kibana/kibana:6.5.4

Or

docker pull docker.elastic.co/kibana/kibana-oss:6.5.4

• https://www.elastic.co/guide/en/kibana/6.5/docker.html
• https://www.docker.elastic.co/
• https://hub.docker.com/_/kibana

Slide 23

Kibana Run

docker run -p 5601:5601 -e "elasticsearch.url=localhost:9200" docker.elastic.co/kibana/kibana:6.5.4

• (wait for it)
• Open http://localhost:5601/

Slide 24

Let’s docker-compose Kibana

  kibana:
    image: docker.elastic.co/kibana/kibana:6.5.4
    links:
      - elasticsearch
    ports:
      - 5601:5601

• Use the complete Docker compose file in the gist

Slide 25

docker-compose up

• Just run that command
• Alternatively: docker-compose up -d
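The slides check the cluster with `curl 0:9200/_cat/health` and tell you to "wait for it" before opening Kibana or running the Beats `setup` commands. The script below, added here and not part of the talk's gist, turns that into a readiness gate: it parses the default `_cat/health` column order (status is the fourth column) and polls a fetch command until the cluster is green or yellow. The sample health lines are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: gate Kibana/Beats setup on Elasticsearch readiness.
# Default `_cat/health` columns (no ?v header):
#   epoch timestamp cluster status node.total node.data shards pri relo init
#   unassign pending_tasks max_task_wait_time active_shards_percent

# Print the cluster status (4th column) from one _cat/health line.
es_health_status() {
  set -- $1          # split the line on whitespace into $1..$N
  printf '%s\n' "$4"
}

# Return 0 when the cluster can accept index templates and dashboards
# (green or yellow); red means primaries are still unassigned.
es_is_ready() {
  case "$(es_health_status "$1")" in
    green|yellow) return 0 ;;
    *)            return 1 ;;
  esac
}

# Poll until ready. $1 = max attempts, $2 = seconds between attempts,
# $3... = command that prints a _cat/health line (e.g. curl -s ...).
wait_for_es() {
  attempts=$1; delay=$2; shift 2
  i=0
  while [ "$i" -lt "$attempts" ]; do
    line=$("$@" 2>/dev/null) || line=""
    if [ -n "$line" ] && es_is_ready "$line"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Constructed sample output, in the default column order above.
SAMPLE_RED='1548000000 10:00:00 docker-cluster red 1 1 0 0 0 0 5 0 - 0.0%'
SAMPLE_YELLOW='1548000005 10:00:05 docker-cluster yellow 1 1 5 5 0 0 0 0 - 100.0%'

# Real usage against the single-node container from the slides:
#   wait_for_es 30 2 curl -s 0:9200/_cat/health && ./metricbeat setup --dashboards
```

Against the single-node Docker setup the status settles at yellow (replicas cannot be allocated on one node), which is why the gate accepts yellow as well as green.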

Slide 26

Slide 27

Metricbeat
https://www.elastic.co/guide/en/beats/metricbeat/current/index.html

Slide 28

Metricbeat Install and Run

• Download the binary
• Extract
• ./metricbeat

STOP!

./metricbeat setup --help
./metricbeat modules --help

Slide 29

Metricbeat Install and Run

./metricbeat modules list
./metricbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
./metricbeat setup --dashboards
./metricbeat

• Enable the system module
• See also https://go.es.io/2T44qWN

Slide 30

Filebeat
https://www.elastic.co/guide/en/beats/filebeat/current/index.html

Slide 31

Filebeat Install and Run

• Download the binary
• Extract
• ./filebeat

Remember:

./filebeat setup --help
./filebeat modules --help

Slide 32

Filebeat Install and Run

./filebeat modules list
./filebeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
./filebeat setup --dashboards
./filebeat

• Enable the system module
• See also https://go.es.io/2T44qWN

Slide 33

Let’s kick it up a notch

Slide 34

Metricbeat - Enable the docker module
Filebeat - Enable the docker input

Slide 35

Let’s analyse Elasticsearch traffic!

Slide 36

Packetbeat
https://www.elastic.co/guide/en/beats/packetbeat/current/index.html

Slide 37

Packetbeat Install and Run

• Download the binary
• Extract
• ./packetbeat

Remember:

./packetbeat setup --help
./packetbeat modules --help

Slide 38

Packetbeat Install and Run

./packetbeat modules list
./packetbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
./packetbeat setup --dashboards
./packetbeat

• See also https://go.es.io/2T44qWN

Slide 39

Heartbeat
https://www.elastic.co/guide/en/beats/heartbeat/current/index.html

Slide 40

Heartbeat Install and Run

• Download the binary
• Extract
• ./heartbeat

Remember:

./heartbeat setup --help
./heartbeat modules --help

Slide 41

Heartbeat Install and Run

./heartbeat modules list
./heartbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
./heartbeat setup --dashboards
./heartbeat

• See also https://go.es.io/2T44qWN

Slide 42

Where to next?
● Community beats
● Logstash!
● Elasticsearch Ingest
● [Heart|Winlog|DIY]beat
● APM
● Dashboards

Slide 43

Whakawhetai Koe! (Thank you!)