How to configure metricbeat for monitoring system processes

Elastic Stack Beats
, ,
1

Hi everyone!!!
I'm trying to use metricbeat in order to check system processes status, but i can't understand how to configure metricbeat.yml.
I'm working on a linux system.

This is my actual config:

metricbeat.modules:
- module: system
  metricsets:
    - process         # Per process metrics
  enabled: true
  period: 10s
  processes: ['.*']

  process.cgroups.enabled: true
  setup.dashboards.enabled: true

output.logstash:
  hosts: ['logstash:5044']
  ssl.certificate_authorities: 
    - /cert/MyRootCA.pem
  ssl.certificate: "/cert/metricbeat.pem" 
  ssl.key: "/cert/metricbeat-key.pem"

As for my docker-compose.yml

  metricbeat:
    image: docker.elastic.co/beats/metricbeat:7.1.1
    container_name: metricbeat
    volumes:
      - /proc:/hostfs/proc:ro
      - /sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro
      - /:/hostfs:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./metricbeat/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml
      - ./cert/metricbeat.pem:/cert/metricbeat.pem:ro
      - ./cert/metricbeat-key.pem:/cert/metricbeat-key.pem:ro
      - ./cert/MyRootCA.pem:/cert/MyRootCA.pem:ro
    networks:
      - esnet
    depends_on:
      -  logstash
    user: root

When i access on kibana i can see metricbeats logs but it seems like it's monitoring itself .. if i search for running system.process.state.keyword i can only see this value: /usr/share/metricbeat/metricbeat

What is happening? Can anyone help?
Thank you,
EF

2

alright let me understand
you want to monitor systemA with ELK serverA correct
then you should do following in your metricbeat.yml on SystemA

metricbeat.config.modules:
path: /etc/metricbeat/modules.d/system.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 3
index.codec: best_compression
output.elasticsearch:
hosts: ["ServerA:9200"]
username: "xxx"
password: "xxx"

Make sure you have module.d dir on /etc/metricsbeat/module.d/system.yml, everything else is remove or rename

Then on ELK serverA

metricbeat.config.modules:
path: /etc/metricbeat/modules.d/system.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 3
index.codec: best_compression
setup.dashboards.enabled: true
setup.dashboards.beat: metricbeat
setup.kibana: ---- this will load all the kibana dashboard for you.--------------
host: "ServerA:5601"
output.elasticsearch:
hosts: ["ServerA:9200"]
username: "xxx"
password: "xxx"

Then make sure you delete everything that you don't want from ServerA
/usr/share/metricbeat/kibana/7/dashboard (remove al dashboard that you don't want to be loaded) keep only what you need.

I hope this helps

3

Thank you but i think you didn't get my point... unfortunately this does not help at all :frowning:

4

well then explain

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.