
After a long wait, the greatly anticipated release of Elastic Stack 5.0 — the new name for the ELK Stack — was announced. (You can see our guide on installing the Elastic Stack beta here.)

In the next couple of weeks, we will start to take a closer look at some of the new features.

Since I’ve already covered a number of ways to monitor system metrics with ELK, I wanted to begin with trying out Metricbeat — a revamped version of Topbeat.

As its name implies, Metricbeat collects a variety of metrics from your server (i.e., operating system and services) and ships them to an output destination of your choice. These destinations can be ELK components such as Elasticsearch or Logstash or other data processing platforms such as Redis or Kafka.

Setting up the EMK Stack (Elasticsearch, Metricbeat, and Kibana)

We’ll start by installing the components we’re going to use to construct the logging pipeline — Elasticsearch to store and index the data, Metricbeat to collect and forward the metrics, and Kibana to analyze them (Logstash has begun its retreat from the stack, something we will discuss in a future article).

If you already have these components installed, feel free to skip to the next step.

Installing Java

First, we need Java 8:

You can verify using this command:

Installing Elasticsearch and Kibana

Next up, we’re going to download and install the public signing key for Elasticsearch:

Save the repository definition to ‘/etc/apt/sources.list.d/elastic-5.x.list’:

Update the system, and install Elasticsearch:

Run Elasticsearch using:

You can make sure Elasticsearch is running using the following cURL:

You should be seeing an output similar to this:

Next up, we’re going to install Kibana with:

To verify Kibana is connected properly to Elasticsearch, open up the Kibana configuration file at: /etc/kibana/kibana.yml, and make sure you have the following configuration defined:

And, start Kibana with:

Installing Metricbeat

Our final installation step is installing Metricbeat. To do this, you will first need to download and install the Elasticsearch public signing key.

Next, save the repository definition to /etc/apt/sources.list.d/elastic-5.x.list:

Then, update your system and install Metricbeat:

Configuring the pipeline

Now that we’ve got all the components in place, it’s time to build the pipeline. So our next step involves configuring Metricbeat — defining what data to collect and where to ship it to.

Open the configuration file at /etc/metricbeat/metricbeat.yml.

In the Modules configuration section, you define which system metrics and which service you want to track. Each module collects various metricsets from different services (e.g. Apache, MySQL). These modules and their corresponding metricsets need to be defined separately. Take a look at the supported modules here.

By default, Metricbeat is configured to use the system module which collects server metrics, such as CPU and memory usage, network IO stats, and so on.

In my case, I’m going to uncomment some of the metrics commented out in the system module, and add the apache module for tracking my web server.

In the end, the configuration of this section looks as follows:

Next, you’ll need to configure the output, or in other words where you’d like to send all the data.

Since I’m using a locally installed Elasticsearch, the default configurations will do me just fine. If you’re using a remotely installed Elasticsearch, make sure you update the IP address and port.

If you’d like to output to another destination, that’s fine. You can ship to multiple destinations or comment out the Elasticsearch output configuration to add an alternative output. One such option is Logstash, which can be used to execute additional manipulations on the data and as a buffering layer in front of Elasticsearch.
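For the remote Elasticsearch case above: the Elasticsearch output uses plain HTTP unless protocol is set to https or the host is written as an https:// URL. The following is an added example, not part of the original article: a shell check that flags remote hosts in the output.elasticsearch section that would still be reached over HTTP. The function name and the host names in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: report Elasticsearch output
# hosts in a metricbeat.yml that are remote but reached over plain HTTP.
# Only the inline form  hosts: ["a:9200", "b:9200"]  is handled.

# check_es_output FILE: prints one line per risky host, returns 1 if any.
check_es_output() {
    awk '
    /^output\.elasticsearch:/    { sect = 1; next }
    /^[^ \t#]/                   { sect = 0 }   # next top-level key ends the section
    sect && /^[ \t]+protocol:/   { proto = $0; sub(/^[^:]*:/, "", proto); sub(/#.*$/, "", proto) }
    sect && /^[ \t]+hosts:[ \t]*\[/ {
        hosts = substr($0, index($0, "[") + 1); sub(/\].*$/, "", hosts)
    }
    END {
        strip = "[\"\047 \t]"                    # quotes and whitespace
        gsub(strip, "", proto)
        if (proto == "") proto = "http"          # Beats default when protocol is unset
        n = split(hosts, h, ",")
        for (i = 1; i <= n; i++) {
            url = h[i]; gsub(strip, "", url)
            if (url == "") continue
            scheme = proto                       # a scheme in the URL overrides protocol
            if (url ~ /^https?:\/\//) { scheme = url; sub(/:.*$/, "", scheme) }
            host = url; sub(/^[a-z]+:\/\//, "", host); sub(/[:\/].*$/, "", host)
            if (host == "localhost" || host == "127.0.0.1") continue
            if (scheme != "https") { print "plaintext remote output: " url; bad = 1 }
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample: first host uses TLS, second is left on the HTTP default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
output.elasticsearch:
  hosts: ["https://es1.example.internal:9200", "es2.example.internal:9200"]
  #protocol: "https"
EOF
check_es_output "$sample" || echo 'fix: set protocol: "https" or use https:// URLs'
rm -f "$sample"
```

Against a real installation, call it as check_es_output /etc/metricbeat/metricbeat.yml.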

Once done, start Metricbeat with:

You should get the following output:

Not getting any errors is great, and another way to verify all is running as expected is to query Elasticsearch for created indices:
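One way to turn that index check into a pass/fail test, as an added example that is not part of the original article: the function below reads the output of the _cat/indices?v API and confirms that a metricbeat-* index exists and is receiving documents. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: confirm that Metricbeat has
# created an index and is writing documents, from _cat/indices?v output.

# metricbeat_indices: reads the listing on stdin, prints
# "<index> <health> <docs.count>" for each metricbeat-* index, and returns 1
# when no such index exists or one of them is red or empty.
metricbeat_indices() {
    awk '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }  # header name -> column
    $col["index"] ~ /^metricbeat-/ {
        found = 1
        print $col["index"], $col["health"], $col["docs.count"]
        if ($col["health"] == "red" || $col["docs.count"] + 0 == 0) bad = 1
    }
    END { if (!found || bad) exit 1 }
    '
}

# Constructed sample listing (uuid values are placeholders). On a single node,
# yellow is expected: replica shards have nowhere to be allocated.
sample='health status index                 uuid         pri rep docs.count docs.deleted store.size pri.store.size
yellow open   metricbeat-2016.11.02 PLACEHOLDER1 5   1   1246       0            693.8kb    693.8kb
yellow open   .kibana               PLACEHOLDER2 1   1   2          0            9.6kb      9.6kb'
printf '%s\n' "$sample" | metricbeat_indices

# Live use: curl -s "localhost:9200/_cat/indices?v" | metricbeat_indices
```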

Analyzing the data in Kibana

Our final step is to analyze and visualize the data so that we can extract some insight from the logged metrics.

To do this, we first need to define a new index pattern for the Metricbeat data.

In Kibana (http://localhost:5601), open the Management page and define the Metricbeat index in the Index Patterns tab (if this is the first time you’re analyzing data in Kibana, this page will be displayed by default):


Select @timestamp as the time-field name and create the new index pattern.

Opening the Discover page, you should see all the Metricbeat data being collected and indexed.


If you recall, we are monitoring two types of metrics: system metrics and Apache metrics. To be able to differentiate between the two streams of data, a good place to start is by adding some fields to the logging display area.

Start by adding the “metricset.module” and “” fields.


Visualizing the data

Kibana is well known for its visualization capabilities. As an example, let’s create a simple visualization that displays CPU usage over time.

To do this, open the Visualize page and select the Line Chart visualization type.

We’re going to compare user-space and kernel-space CPU usage over time. Here is the configuration and the end result:


Now, luckily for us Elastic created an easy way to get started with building visualizations of the data by providing us with a way to download a Metricbeat dashboard. This will save us the time of figuring out how to build visualizations, a task that can be fun but can also consume quite a lot of time if you’re new to Kibana.

Note: If you’re using, you’ll find a pre-made Metricbeat dashboard in ELK Apps — our library of pre-made visualizations, dashboards, alerts and searches for various data types.

To use the dashboard, cd into the Metricbeat installation folder and execute the installation script:

After the script downloads all the dashboards, all you have to do is open up the Dashboard page, select Open, and select which dashboard you’d like to use.


In Summary

Playing around with new technology in a sandbox environment is always fun and worry-free. Deploying in production is an entirely different ball game, and it’s no wonder we meet ELK users still using Elasticsearch 1.x.

Still, Elastic Stack 5.0 is a major improvement from the previous version, both from a user experience perspective and a performance/stability perspective.
