Can't get metrics delivered to elasticsearch

Elastic Stack Beats
,
1

I've been banging my head against this for a couple days. I have a local test environment set up via docker compose with Cassandra and an ELK stack. I've added a monitoring container that has the Cassandra logs mounted to it. Delivery of logs via filebeat -> logstash works fine. For the life of me I can't get metricbeat to deliver metrics.

The docker-compose.yml:

version: "3.7"

services:
  # ----------------- CASSANDRA -----------------
  cassandra:
    build: ./cassandra
    image: local/cassandra:latest
    hostname: cassandra
    networks:
      default:
        ipv4_address: 10.6.0.11
    ports:
      # CQL
      - 9042:9042
      # Jolokia
      - 9000:9000
    environment:
      CASSANDRA_SEEDS: 10.6.0.11
      CASSANDRA_USER: cassandra
      CASSANDRA_PASSWORD: cassandra
      CASSANDRA_PASSWORD_SEEDER: "yes"
    restart: unless-stopped
    volumes:
      - cassandra_logs:/var/log

  cassandra-web:
    build: ./cassandra-web
    image: local/cassandra-web:latest
    depends_on:
      - cassandra
    ports:
      - 3000:3000
    environment:
      CASSANDRA_HOST_IPS: 10.6.0.11
      CASSANDRA_PORT: 9042
      CASSANDRA_USER: cassandra
      CASSANDRA_PASSWORD: cassandra
    restart: unless-stopped

  cassandra-monitoring-agent:
    build: ./monitoring-agent
    image: local/monitoring-agent:latest
    depends_on:
      - cassandra
      - logstash
      - elasticsearch
      - kibana
    environment:
      LOGSTASH_HOST: logstash
      ELASTICSEARCH_HOST: elasticsearch
      ELASTICSEARCH_USERNAME: elastic
      ELASTICSEARCH_PASSWORD: changeme
      KIBANA_USERNAME: elastic
      KIBANA_PASSWORD: changeme
      KIBANA_HOST: kibana
      LOGSTASH_USERNAME: logstash_internal
      LOGSTASH_PASSWORD: changeme
      CONTAINER_NAME: "cassandra-monitoring-agent"
      SERVICE: "cassandra"
      ENVIRONMENT: "local"
      DBUS_SYSTEM_BUS_ADDRESS: "unix:path=/hostfs/var/run/dbus/system_bus_socket"
      system.hostfs: /hostfs
    cgroup: host
    volumes:
      # mounting logs from cassandra instance
      - cassandra_logs:/opt/log
      # mounting host procs to container for metricbeat
      - /proc:/hostfs/proc:ro
      - /sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro
      - /:/hostfs:ro
      - /var/run/dbus/system_bus_socket:/hostfs/var/run/dbus/system_bus_socket:ro

  # --------------- ELK ---------------
  elasticsearch:
    build:
      context: elasticsearch/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    volumes:
      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro,Z
      - elasticsearch:/usr/share/elasticsearch/data:Z
    ports:
      - 9200:9200
      - 9300:9300
    environment:
      node.name: elasticsearch
      ES_JAVA_OPTS: -Xms512m -Xmx512m
      # Bootstrap password.
      # Used to initialize the keystore during the initial startup of
      # Elasticsearch. Ignored on subsequent runs.
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
      # Use single node discovery in order to disable production mode and avoid bootstrap checks.
      # see: https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
      discovery.type: single-node
    networks:
      - default
    restart: unless-stopped

  logstash:
    build:
      context: logstash/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    volumes:
      - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro,Z
      - ./logstash/pipeline:/usr/share/logstash/pipeline:ro,Z
    ports:
      - 5044:5044
      - 50000:50000/tcp
      - 50000:50000/udp
      - 9600:9600
    environment:
      LS_JAVA_OPTS: -Xms256m -Xmx256m
      LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
    networks:
      - default
    depends_on:
      - elasticsearch
    restart: unless-stopped

  kibana:
    build:
      context: kibana/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro,Z
    ports:
      - 5601:5601
    environment:
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
    networks:
      - default
    depends_on:
      - elasticsearch
    restart: unless-stopped

  # The 'setup' service runs a one-off script which initializes users inside
  # Elasticsearch — such as 'logstash_internal' and 'kibana_system' — with the
  # values of the passwords defined in the '.env' file. It also creates the
  # roles required by some of these users.
  #
  # This task only needs to be performed once, during the *initial* startup of
  # the stack. Any subsequent run will reset the passwords of existing users to
  # the values defined inside the '.env' file, and the built-in roles to their
  # default permissions.
  #
  # By default, it is excluded from the services started by 'docker compose up'
  # due to the non-default profile it belongs to. To run it, either provide the
  # '--profile=setup' CLI flag to Compose commands, or "up" the service by name
  # such as 'docker compose up setup'.
  setup:
    profiles:
      - setup
    build:
      context: setup/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    init: true
    volumes:
      - ./setup/entrypoint.sh:/entrypoint.sh:ro,Z
      - ./setup/lib.sh:/lib.sh:ro,Z
      - ./setup/roles:/roles:ro,Z
    environment:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
      LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
      METRICBEAT_INTERNAL_PASSWORD: ${METRICBEAT_INTERNAL_PASSWORD:-}
      FILEBEAT_INTERNAL_PASSWORD: ${FILEBEAT_INTERNAL_PASSWORD:-}
      HEARTBEAT_INTERNAL_PASSWORD: ${HEARTBEAT_INTERNAL_PASSWORD:-}
      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - default
    depends_on:
      - elasticsearch

networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 10.6.0.0/24

volumes:
  elasticsearch:
  cassandra_logs:

Both filebeat and metricbeat run inside the cassandra-monitoring-agent container via supervisor:

[supervisord]
logfile=/var/log/supervisord/supervisord.log
# logfile=/dev/stdout
logfile_maxbytes=50MB
logfile_backups=10
loglevel=error
pidfile=/var/run/supervisord.pid
nodaemon=true
minfds=1024
minprocs=200
user=root
childlogdir=/var/log/supervisord/

[program:filebeat]
command=filebeat -c /etc/filebeat/filebeat.yml
autostart=true
autorestart=true
stderr_logfile=/var/log/filebeat/err.log
stdout_logfile=/var/log/filebeat/out.log
logfile_maxbytes=10MB
logfile_backups=10

[program:metricbeat]
# command=metricbeat -c /etc/metricbeat/metricbeat.yml
command=metricbeat -c /etc/metricbeat/metricbeat.yml -e -d "*"
autostart=true
autorestart=true
stderr_logfile=/var/log/metricbeat/err.log
stdout_logfile=/var/log/metricbeat/out.log
logfile_maxbytes=10MB
logfile_backups=10

Filebeat delivers the logs just fine via logstash:

name: ${CONTAINER_NAME:filebeat_collector}
# tags: ["foo", "bar"]
fields:
  env: ${ENVIRONMENT:unknown_environment}
  service: ${SERVICE:unknown_service}
  beat: filebeat


filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    # This should be volume mounted into the instance
    - /opt/log/*.log
    - /opt/log/cassandra/*.log
  tail_files: true

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
  #reload.period: 10s

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#setup.dashboards.enabled: false
#setup.dashboards.url:

setup.kibana:
  host: "#{KIBANA_HOST}:5601"
  space.id:

output.logstash:
  hosts: ["${LOGSTASH_HOST}:5044"]
  username: "${LOGSTASH_USERNAME}"
  password: "${LOGSTASH_PASSWORD}"
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  #ssl.certificate: "/etc/pki/client/cert.pem"
  #ssl.key: "/etc/pki/client/cert.key"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~


logging.level: debug
logging.to_stderr: true
logging.metrics.enabled: true
#logging.selectors: ["*"]

Metricbeat... I can't get to deliver either directly to Elasticsearch or to Logstash with either of the output directives:

name: ${CONTAINER_NAME:metricbeat_collector}
# tags: ["foo", "bar"]
fields:
  env: ${ENVIRONMENT:unknown_environment}
  service: ${SERVICE:unknown_service}
  beat: metricbeat

metricbeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression

#setup.dashboards.enabled: false
#setup.dashboards.url:

setup.kibana:
  host: "${KIBANA_HOST}:5601"
  username: "${KIBANA_USERNAME}"
  password: "${KIBANA_PASSWORD}"
  #space.id:

# This doesn't work either...
# output.elasticsearch:
#   hosts: ["${ELASTICSEARCH_HOST}:9200"]
#   preset: balanced
#   #protocol: "https"
#   #api_key: "id:api_key"
#   username: "${ELASTICSEARCH_USERNAME}"
#   password: "${ELASTICSEARCH_PASSWORD}"

output.logstash:
  hosts: ["${LOGSTASH_HOST}:5044"]
  username: "${LOGSTASH_USERNAME}"
  password: "${LOGSTASH_PASSWORD}"
  # ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # ssl.certificate: "/etc/pki/client/cert.pem"
  # ssl.key: "/etc/pki/client/cert.key"

logging.level: debug
logging.to_stderr: true
logging.metrics.enabled: true
#logging.selectors: ["*"]

http.enabled: true

I can hit metricbeat via the HTTP endpoint.
I can see in the logs metrics are being gathered:

{"log.level":"debug","@timestamp":"2024-10-16T22:25:43.244Z","log.origin":{"function":"github.com/elastic/elastic-agent-system-metrics/metric/system/cgroup/cgv2.(*IOSubsystem).Get","file.name":"cgv2/io.go","file.line":69},"message":"io.pressure does not exist. Skipping.","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-10-16T22:25:43.245Z","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"metricbeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":222543872}}}},"cpu":{"system":{"ticks":90},"total":{"ticks":530,"value":530},"user":{"ticks":440}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":9},"info":{"ephemeral_id":"f22b7578-c60e-45e6-9dad-08fc4ea0582d","uptime":{"ms":1773034},"version":"8.14.2"},"memstats":{"gc_next":15059800,"memory_alloc":7729328,"memory_total":40200256,"rss":82644992},"runtime":{"goroutines":16}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":0,"events":{"active":0}}},"system":{"load":{"1":5.78,"15":5.34,"5":5.42,"norm":{"1":0.4817,"15":0.445,"5":0.4517}}}},"ecs.version":"1.6.0"}}

metricbeat test output seems fine:

{"log.level":"info","@timestamp":"2024-10-17T01:34:25.747Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":816},"message":"Home path: [/etc/metricbeat] Config path: [/etc/metricbeat] Data path: [/etc/metricbeat/data] Logs path: [/etc/metricbeat/logs]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T01:34:25.747Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadMeta","file.name":"instance/beat.go","file.line":935},"message":"Beat metadata path: /etc/metricbeat/data/meta.json","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-10-17T01:34:25.748Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":824},"message":"Beat ID: eccabea0-4740-4f8b-9e53-feac068411a9","service.name":"metricbeat","ecs.version":"1.6.0"}
logstash: logstash:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.6.0.4
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK

as does test config.

If I run the kibana setup, it creates a metricbeat-* index in the discovery section.

But... it's always empty. Nothing ever populates.

Help? I have no idea where to go next - not sure if logs are making it to Logstash or Elasticsearch, but nothing interesting I can see in the logs for either, but also nothing in the logs for metricbeat saying anything got rejected or couldn't connect.

2

What version of Elasticsearch?

Can you curl Elasticsearch?

Why are You putting logstash in the middle it just complicate things.

Filebeat/ Metricbeat -> Elasticsearch much be easier if you're getting started.

Have you looked at the document about the proper way to start elasticsearch docker?

3 
metricbeat version 8.14.2 (arm64), libbeat 8.14.2 [unknown built unknown]

elasticsearch - Version: 8.15.2, Build: docker/98adf7bf6bb69b66ab95b761c9e5aadb0bb059a3/2024-09-19T10:06:03.564235954Z, JVM: 22.0.1

I have tried direct to Elasticsearch - in the middle of the metricbeat.yml above there's an output.elasticsearch section that I was trying as well with the exact same results. Its commented out at the moment just to try logstash because the same instance could send logs that way via filebeat.

I can curl elasticsearch from the monitoring container (hostname via docker compose is just elasticsearch).

I have looked at the official docker builds from Elastic, but they are unfortunately still based off Centos 7, which is way past end of life/support, and I can't use in my current environment. Plus I'd rather use Alpine anyway as I'd like to have a much smaller footprint for a monitoring agent type container.

I'm mostly looking for any log file or line anywhere that could narrow down where things are failing. Are the metrics getting to Elasticsearch? I Elasticsearch failing to index them? I don't really know...

Thanks!

4

@gatos From what I can see pretty much everything you are doing is "self rolled"... and that is totally OK...

If you want help debugging I can help but I am going to ask you to do a few things and it will go faster if you run the commands I ask and show the response...

First, let's try to get metricbeat directly to elasticsearch, so set your config to that.

Get everything up and running and exec into the metricbeat / monitoring container...

and then curl from the monitoring container
BTW it is unclear to me whether elasticsearch is running on HTTPS or HTTP
curl -k -v -u elastic http://<elastichost>:9200

Show the command and the result...

Then Container you are running metricbeat while metricbeat is pointing at elasticsearch run

metricbeat test config
Then
metricbeat test output

Lets start with this... then we will move to the next

5

@gatos

Ohhh yeah it looks like you are not running any modules / collecting any metrics...
I was going to ask that next but I just saw this...

Your log says you are running 0 modules and shipping 0 events... did you remove the modules.d directory... basically looks like you are running metricbeat but not telling it tol collect and ship anything...

{"log.level":"info","@timestamp":"2024-10-16T22:25:43.245Z","log.logger":"monitoring","log.origin":
...
"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"write":{"latency":
.........................................^
...
"pipeline":{"clients":0,"events":{"active":0}}}
...........................................^

^^^ this is most likely your issue

6

@stephenb Thanks! I didn't remove it, but most of the modules are "disabled":

/etc/metricbeat/modules.d # ls
aerospike.yml.disabled            couchdb.yml.disabled              graphite.yml.disabled             kvm.yml.disabled                  nats.yml.disabled                 system.yml
apache.yml.disabled               docker.yml.disabled               haproxy.yml.disabled              linux.yml.disabled                nginx.yml.disabled                traefik.yml.disabled
beat-xpack.yml.disabled           dropwizard.yml.disabled           http.yml.disabled                 logstash-xpack.yml.disabled       openmetrics.yml.disabled          uwsgi.yml.disabled
beat.yml.disabled                 elasticsearch-xpack.yml.disabled  jolokia.yml.disabled              logstash.yml.disabled             php_fpm.yml.disabled              vsphere.yml.disabled
ceph-mgr.yml.disabled             elasticsearch.yml.disabled        kafka.yml.disabled                memcached.yml.disabled            postgresql.yml.disabled           windows.yml.disabled
ceph.yml.disabled                 envoyproxy.yml.disabled           kibana-xpack.yml.disabled         mongodb.yml.disabled              prometheus.yml.disabled           zookeeper.yml.disabled
consul.yml.disabled               etcd.yml.disabled                 kibana.yml.disabled               munin.yml.disabled                rabbitmq.yml.disabled
couchbase.yml.disabled            golang.yml.disabled               kubernetes.yml.disabled           mysql.yml.disabled                redis.yml.disabled

Only system.yml is "enabled". Also via modules list:

/etc/metricbeat # metricbeat modules list
{"log.level":"info","@timestamp":"2024-10-17T13:15:02.273Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":816},"message":"Home path: [/etc/metricbeat] Config path: [/etc/metricbeat] Data path: [/etc/metricbeat/data] Logs path: [/etc/metricbeat/logs]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T13:15:02.274Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadMeta","file.name":"instance/beat.go","file.line":935},"message":"Beat metadata path: /etc/metricbeat/data/meta.json","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-10-17T13:15:02.274Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":824},"message":"Beat ID: eccabea0-4740-4f8b-9e53-feac068411a9","service.name":"metricbeat","ecs.version":"1.6.0"}
Enabled:
system

Disabled:
aerospike
apache
beat
...

I thought "system" would be enough. My only modification to it was to uncomment hostfs: "/hostfs" in the first module config:

- module: system
  period: 10s
  enabled: true
  processes: ['.*']
  metricsets:
    - cpu
    - load
    - memory
    - network
    - process
    - process_summary
    - socket_summary
    #- entropy
    #- core
    #- diskio
    #- socket
    #- service
    #- users
  # process.include_top_n:
  #   by_cpu: 5      # include top 5 processes by CPU
  #   by_memory: 5   # include top 5 processes by memory
  # Configure the mount point of the host’s filesystem for use in monitoring a host from within a container
  hostfs: "/hostfs"

- module: system
  period: 1m
  metricsets:
    - filesystem
    - fsstat
  processors:
  - drop_event.when.regexp:
      system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)'

- module: system
  period: 15m
  metricsets:
    - uptime

#- module: system
#  period: 5m
#  metricsets:
#    - raid
#  raid.mount_point: '/'

Right now I just want a super basic set of metrics reporting, and then I can adjust from there. Ideal goal is to have the container reporting on system metrics and maybe docker metrics from the host, so I had been following this - Run Metricbeat on Docker | Metricbeat Reference [8.15] | Elastic . But I would settle for now just getting the container metrics in so I see something.

Output of curl:

/etc/metricbeat/modules.d # curl -k -v -u elastic http://elasticsearch:9200
Enter host password for user 'elastic':
* Host elasticsearch:9200 was resolved.
* IPv6: (none)
* IPv4: 10.6.0.2
*   Trying 10.6.0.2:9200...
* Connected to elasticsearch (10.6.0.2) port 9200
* using HTTP/1.x
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: elasticsearch:9200
> Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==
> User-Agent: curl/8.10.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 542
< 
{
  "name" : "elasticsearch",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "dRDgsnddT4-sk_JMjS3ODg",
  "version" : {
    "number" : "8.15.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "98adf7bf6bb69b66ab95b761c9e5aadb0bb059a3",
    "build_date" : "2024-09-19T10:06:03.564235954Z",
    "build_snapshot" : false,
    "lucene_version" : "9.11.1",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host elasticsearch left intact

output of tests:

/etc/metricbeat # metricbeat test config
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.371Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":816},"message":"Home path: [/etc/metricbeat] Config path: [/etc/metricbeat] Data path: [/etc/metricbeat/data] Logs path: [/etc/metricbeat/logs]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T13:24:29.371Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadMeta","file.name":"instance/beat.go","file.line":935},"message":"Beat metadata path: /etc/metricbeat/data/meta.json","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.371Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":824},"message":"Beat ID: eccabea0-4740-4f8b-9e53-feac068411a9","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.372Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1370},"message":"Beat info","service.name":"metricbeat","system_info":{"beat":{"path":{"config":"/etc/metricbeat","data":"/etc/metricbeat/data","home":"/etc/metricbeat","logs":"/etc/metricbeat/logs"},"type":"metricbeat","uuid":"eccabea0-4740-4f8b-9e53-feac068411a9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.372Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1379},"message":"Build info","service.name":"metricbeat","system_info":{"build":{"commit":"unknown","libbeat":"8.14.2","time":"0001-01-01T00:00:00.000Z","version":"8.14.2"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.372Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1382},"message":"Go runtime info","service.name":"metricbeat","system_info":{"go":{"os":"linux","arch":"arm64","max_procs":12,"version":"go1.22.5"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.372Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1388},"message":"Host info","service.name":"metricbeat","system_info":{"host":{"architecture":"aarch64","native_architecture":"aarch64\n","boot_time":"2024-10-07T19:38:29Z","containerized":true,"name":"40db9f979fac","ip":["127.0.0.1","::1","10.6.0.6"],"kernel_version":"6.6.26-linuxkit","mac":["02:42:0a:06:00:06"],"os":{"type":"linux","family":"","platform":"alpine","name":"Alpine Linux","version":"3.20.3","major":3,"minor":20,"patch":3},"timezone":"UTC","timezone_offset_sec":0},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.372Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1417},"message":"Process info","service.name":"metricbeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null},"cwd":"/etc/metricbeat","exe":"/usr/bin/metricbeat","name":"metricbeat","pid":127,"ppid":35,"seccomp":{"mode":"disabled","no_new_privs":false},"start_time":"2024-10-17T13:24:28.770Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.372Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":339},"message":"Setup Beat: metricbeat; Version: 8.14.2","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T13:24:29.373Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":367},"message":"Initializing output plugins","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T13:24:29.374Z","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*eventConsumer).run","file.name":"pipeline/consumer.go","file.line":110},"message":"start pipeline event consumer","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-10-17T13:24:29.374Z","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.LoadWithSettings","file.name":"pipeline/module.go","file.line":105},"message":"Beat name: cassandra-monitoring-agent","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T13:24:29.374Z","log.logger":"registry.lightmodules","log.origin":{"function":"github.com/elastic/beats/v7/metricbeat/mb.(*LightModulesSource).moduleNames","file.name":"mb/lightmodules.go","file.line":260},"message":"Light modules directory '%!d(string=/etc/metricbeat/module)' doesn't exist","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T13:24:29.375Z","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/metricbeat/beater.newMetricbeat","file.name":"beater/metricbeat.go","file.line":162},"message":"Available modules and metricsets: Register [ModuleFactory:[beat, docker, elasticsearch, kibana, kubernetes, linux, logstash, mongodb, mysql, postgresql, system, uwsgi], MetricSetFactory:[aerospike/namespace, apache/status, beat/state, beat/stats, ceph/cluster_disk, ceph/cluster_health, ceph/cluster_status, ceph/mgr_cluster_disk, ceph/mgr_cluster_health, ceph/mgr_osd_perf, ceph/mgr_osd_pool_stats, ceph/mgr_osd_tree, ceph/mgr_pool_disk, ceph/monitor_health, ceph/osd_df, ceph/osd_tree, ceph/pool_disk, consul/agent, couchbase/bucket, couchbase/cluster, couchbase/node, couchdb/server, docker/container, docker/cpu, docker/diskio, docker/event, docker/healthcheck, docker/image, docker/info, docker/memory, docker/network, docker/network_summary, dropwizard/collector, elasticsearch/ccr, elasticsearch/cluster_stats, elasticsearch/enrich, elasticsearch/index, elasticsearch/index_recovery, elasticsearch/index_summary, elasticsearch/ingest_pipeline, elasticsearch/ml_job, elasticsearch/node, elasticsearch/node_stats, elasticsearch/pending_tasks, elasticsearch/shard, envoyproxy/server, etcd/leader, etcd/metrics, etcd/self, etcd/store, golang/expvar, golang/heap, graphite/server, haproxy/info, haproxy/stat, http/json, http/server, jolokia/jmx, kafka/consumergroup, kafka/partition, kibana/cluster_actions, kibana/cluster_rules, kibana/node_actions, kibana/node_rules, kibana/settings, kibana/stats, kibana/status, kubernetes/apiserver, kubernetes/container, kubernetes/controllermanager, kubernetes/event, kubernetes/node, kubernetes/pod, kubernetes/proxy, kubernetes/scheduler, kubernetes/state_container, kubernetes/state_cronjob, kubernetes/state_daemonset, kubernetes/state_deployment, kubernetes/state_job, kubernetes/state_namespace, kubernetes/state_node, kubernetes/state_persistentvolume, kubernetes/state_persistentvolumeclaim, kubernetes/state_pod, kubernetes/state_replicaset, kubernetes/state_resourcequota, kubernetes/state_service, kubernetes/state_statefulset, kubernetes/state_storageclass, kubernetes/system, kubernetes/volume, kvm/dommemstat, kvm/status, linux/conntrack, linux/iostat, linux/ksm, linux/memory, linux/pageinfo, linux/pressure, linux/rapl, logstash/node, logstash/node_stats, memcached/stats, mongodb/collstats, mongodb/dbstats, mongodb/metrics, mongodb/replstatus, mongodb/status, munin/node, mysql/galera_status, mysql/query, mysql/status, nats/connection, nats/connections, nats/route, nats/routes, nats/stats, nats/subscriptions, nginx/stubstatus, openmetrics/collector, php_fpm/pool, php_fpm/process, postgresql/activity, postgresql/bgwriter, postgresql/database, postgresql/statement, prometheus/collector, prometheus/query, prometheus/remote_write, rabbitmq/connection, rabbitmq/exchange, rabbitmq/node, rabbitmq/queue, rabbitmq/shovel, redis/info, redis/key, redis/keyspace, system/core, system/cpu, system/diskio, system/entropy, system/filesystem, system/fsstat, system/load, system/memory, system/network, system/network_summary, system/process, system/process_summary, system/raid, system/service, system/socket, system/socket_summary, system/uptime, system/users, traefik/health, uwsgi/status, vsphere/datastore, vsphere/host, vsphere/virtualmachine, zookeeper/connection, zookeeper/mntr, zookeeper/server], LightModules:[LightModules:[]]]","service.name":"metricbeat","ecs.version":"1.6.0"}
Config OK


/etc/metricbeat # metricbeat test output
{"log.level":"info","@timestamp":"2024-10-17T13:25:01.639Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":816},"message":"Home path: [/etc/metricbeat] Config path: [/etc/metricbeat] Data path: [/etc/metricbeat/data] Logs path: [/etc/metricbeat/logs]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-10-17T13:25:01.639Z","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadMeta","file.name":"instance/beat.go","file.line":935},"message":"Beat metadata path: /etc/metricbeat/data/meta.json","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-10-17T13:25:01.639Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":824},"message":"Beat ID: eccabea0-4740-4f8b-9e53-feac068411a9","service.name":"metricbeat","ecs.version":"1.6.0"}
logstash: logstash:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.6.0.4
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
7

Okay good. So while you're connectivity looks good...

You are basically running metricbeat in your home rolled docker container... So it can't really pull the host system metrics because it's isolated... Right because it's in a container.

So I would suggest looking at this

And you need to mimic that...

It shows you how to gather metrics from other containers And how to get metrics from the host using the system module.. there is some extra work involved

8

OK - unclear what I was doing wrong, but took another look at the official docker containers and it looks like they use Ubuntu 20.04 now, even though there's some official documentation that says they're using CentOS 7. But so long as its not an EOL OS, I can use them.

Started over using the official images, and things seem to be working. I have some other questions, but I'll create a separate thread for those.

1 Like
9

Glad you got it running...

Yeah I thought we were Ubuntu for quite some time... forgot to look into that... can you point me to where CentOS maybe we need to clean up some docs...

10

First paragraph:

Docker images for Metricbeat are available from the Elastic Docker registry. The base image is centos:7.

I think there might be others, but that's honestly the first page I hit when I started down this path.

But confirmed on my own with

# ---------- METRICBEAT ----------
FROM docker.elastic.co/beats/metricbeat:8.15.3 AS METRICBEAT

# Upstream Base OS:
#   DISTRIB_ID=Ubuntu
#   DISTRIB_RELEASE=20.04
#   DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
# Ensure this or fail the build
RUN cat /etc/lsb-release | grep "DISTRIB_ID=Ubuntu" && \
    cat /etc/lsb-release | grep "DISTRIB_RELEASE=20.04"

I think my main trouble is that its tough to find a middle ground. The docker images provided do a lot of automagic (especially if you call metricbeat setup / filebeat setup), and things work, but it doesn't go a long ways towards teaching me why it works / what's happening, or why I now have like 7,000 empty fields and 70+ empty dashboards in Kibana.

Flip that around, and I was trying to build up from the base binaries in a really simple docker image of my own, but if any small bit is off, it seems like nothing shows up, and not great logging as to why.