How quick can I get message that the system is down or shutting down?

phil.zac · May 10, 2018, 10:59pm

Hi,

I am wondering how quick can I get the message that the remote system is down or shutting down.

I am using 6.2.2 for all versions of ELK and Beats.

Another question I have one system that is always "on" state (not down or shut off).

I see the heartbeat says that the system was down at certain time and up at certain time.

Any reason?

my heartbeat.yml

heartbeat.monitors:
- type: icmp # monitor type `icmp` (requires root) uses ICMP Echo Request to ping
             # configured hosts

  # Configure task schedule using cron-like syntax
  schedule: '*/5 * * * * * *' # exactly every 5 seconds like 10:00:00, 10:00:05, ...

  # List of hosts to ping
  hosts: ["localhost:9200", "Q000B43C", "google.com"]

  # Configure IP protocol types to ping on if hostnames are configured.
  # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`.
  ipv4: true
  ipv6: true
  mode: any

  # Total running time per ping test.
  timeout: 1s

  # Waiting duration until another ICMP Echo Request is emitted.
  wait: 1s

Another question is it possible to create alert email based on when the system is down or application is down? Any sample?

Thanks.
Phil

ruflin · May 11, 2018, 7:00am

How quickly you now that the system is down depends on the schedule you run heartbeat. So if you ping it every 5s, in the worst case you know it after 5s + ingest time from beats to ES.

For your second question: I think you need to share the resulting events from heartbeat to give further feedback here.

For alerts: Have a look here: https://www.elastic.co/guide/en/x-pack/current/watcher-getting-started.html

phil.zac · May 16, 2018, 9:49pm

Thanks Rufin.

I have refresh the heartbeat by deleting the data folder and installed the outlook mail app.

All of a sudden I get

2018-05-16T17:44:07.133-0400    INFO    icmp/loop.go:330        IPv4 ICMP not supported: listen ip4:icmp : socket: An attempt was made to access a soc
ket in a way forbidden by its access permissions.
2018-05-16T17:44:07.135-0400    INFO    icmp/loop.go:330        IPv6 ICMP not supported: listen ip6:ipv6-icmp : socket: An attempt was made to access
a socket in a way forbidden by its access permissions.
2018-05-16T17:44:07.136-0400    ERROR   beater/manager.go:140   failed to load monitor tasks: failed to initiate IPv4 support when initializing monito
r icmp(0)

Any reason why this should be?

I have read RHEL6 ICMP ipv6 error at startup

But not using docker.

Please advise.

Thanks.

Phil

ruflin · May 17, 2018, 8:24am

What OS are you on? How do you start heartbeat with which user?

phil.zac · May 17, 2018, 1:32pm

Windows Server 2012 R2

heartbeat -e -c heartbeat.yml

I used a different user instead of the default one (elastic/changeme).

But it was working before this error happens.

Note: I have tested using ping cmd - it works.

I tried to flush, clear cache, restart all ELK and Beats, Deleted Data folders ELK and Beats.

Strange thing is that heartbeats no longer checks other hosts other than "localhost:9200".

heartbeats shows only host - localhost:9200.

Any suggestions?

ruflin · May 22, 2018, 8:24am

If you would be on a unix system I would guess that this is a problem of access rights and suggest you to run it as root. Not sure what the comparable is on Windows? It seems the user on your Windows machine which starts heartbeat does not have enough access rights on the OS. This is not about the user connecting to Elasticsearch.

system · June 19, 2018, 8:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.