How to monitor two servers with Metricbeat?

I have two servers:

I configured Elasticsearch :

$ sudo nano /etc/elasticsearch/elasticsearch.yml
I replaced the line
#network.host: 192.168.0.1
by
network.host: localhost

On SERVER_1 I installed Metricbeat with the following commands :

$ sudo apt install metricbeat
$ sudo metricbeat modules enable system
$ sudo metricbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
$ sudo metricbeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601
$ sudo systemctl start metricbeat
$ sudo systemctl enable metricbeat
$ curl -XGET 'http://localhost:9200/metricbeat-*/_search?pretty'

It works and I have the metrics in Kibana :)

I created an SSL certificate :

$ sudo mkdir -p /etc/pki/tls/certs
$ sudo mkdir /etc/pki/tls/private
$ sudo nano /etc/ssl/openssl.cnf
[ v3_ca ]
subjectAltName = IP: IP_SERVER_1
$ cd /etc/pki/tls
$ sudo openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

I opened port 9200 on the firewall :

$ sudo ufw allow 9200

On SERVER_2 I installed Metricbeat with the following commands :

$ sudo scp -r -p root@IP_SERVER_1:/etc/pki/tls/certs/logstash-forwarder.crt /etc/pki/tls/certs
$ sudo apt install metricbeat
$ sudo metricbeat modules enable system
$ sudo nano /etc/metricbeat/metricbeat.yml
I replaced the line
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
by
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["IP_SERVER_1:9200"]

$ sudo systemctl start metricbeat
$ sudo systemctl enable metricbeat

Can not run SERVER_2 metrics

Instead of localhost, you have to write server address where Elasticsearch is installed.

Logstash, Kibana and Elasticsearch are installed on SERVER_1.
Which configuration file are you talking about ?

Oh. I think he has done that already. I meant the metricbeat.yml of the remote server.

OK for this file there is currently ES IP and port. It's not correct ?

Your configuration looks correct. What error/output do you get while running on the remote server?

If I was on IP 56.78.147.236 it redirects to monitoring.example.com and displays Kibana. If I go on 56.78.147.236:9200 it says "Site inaccessible". Is this normal ?

Here is the state of the firewall on the ELK server :

To                            Action      From
22/tcp                        ALLOW IN    Anywhere
80,443/tcp (Nginx Full)       ALLOW IN    Anywhere
5044                          ALLOW IN    Anywhere
9200                          ALLOW IN    Anywhere
22/tcp (v6)                   ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6))  ALLOW IN    Anywhere (v6)
5044 (v6)                     ALLOW IN    Anywhere (v6)
9200 (v6)                     ALLOW IN    Anywhere (v6)

ubuntu@www-example-com ~ $ sudo systemctl status metricbeat
● metricbeat.service - Metricbeat is a lightweight shipper for metrics.
Loaded: loaded (/lib/systemd/system/metricbeat.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2019-05-08 01:09:05 CEST; 14s ago
Docs: https://www.elastic.co/products/beats/metricbeat
Main PID: 15581 (metricbeat)
Tasks: 11 (limit: 4915)
CGroup: /system.slice/metricbeat.service
└─15581 /usr/share/metricbeat/bin/metricbeat -e -c /etc/metricbeat/metricbeat.yml -path.home /usr/share/metricbeat -path.config /

May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.979+0200 INFO instance/beat.go:391 metricbeat st
May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.980+0200 INFO filesystem/filesystem.go:57 Ignori
May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.980+0200 INFO fsstat/fsstat.go:59 Ignoring files
May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.981+0200 INFO [monitoring] log/log.go:117
May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.981+0200 INFO cfgfile/reload.go:150 Config reloa
May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.982+0200 INFO filesystem/filesystem.go:57 Ignori
May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.982+0200 INFO fsstat/fsstat.go:59 Ignoring files
May 08 01:09:05 www-example-com metricbeat[15581]: 2019-05-08T01:09:05.982+0200 INFO cfgfile/reload.go:205 Loading of c
May 08 01:09:06 www-example-com metricbeat[15581]: 2019-05-08T01:09:06.733+0200 INFO add_cloud_metadata/add_cloud_metadata.go:
May 08 01:09:07 www-example-com metricbeat[15581]: 2019-05-08T01:09:07.734+0200 INFO pipeline/output.go:95 Connecting t

May 08 01:09:35 www-example-com metricbeat[15581]: 2019-05-08T01:09:35.984+0200 INFO [monitoring] log/log.go:144
May 08 01:10:05 www-example-com metricbeat[15581]: 2019-05-08T01:10:05.984+0200 INFO [monitoring] log/log.go:144
May 08 01:10:35 www-example-com metricbeat[15581]: 2019-05-08T01:10:35.986+0200 INFO [monitoring] log/log.go:144
May 08 01:10:39 www-example-com metricbeat[15581]: 2019-05-08T01:10:39.577+0200 ERROR pipeline/output.go:100 Failed to
May 08 01:10:39 www-example-com metricbeat[15581]: 2019-05-08T01:10:39.579+0200 INFO pipeline/output.go:93 Attempting t
May 08 01:11:05 www-example-com metricbeat[15581]: 2019-05-08T01:11:05.986+0200 INFO [monitoring] log/log.go:144
May 08 01:11:35 www-example-com metricbeat[15581]: 2019-05-08T01:11:35.983+0200 INFO [monitoring] log/log.go:144

I downloaded the SSL certificate on SERVER_2, what do I do? :)

https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-ssl.html

I read the documentation, why do you need 3 files? While I already created these 3 files on SERVER_1 and I downloaded /etc/pki/tls/certs/logstash-forwarder.crt on SERVER_2

For example, in this tutorial (for Filebeat) there is only one file for the client server :
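
Added example, not part of the thread: SERVER_1 is configured with network.host: localhost and then 9200 is allowed in ufw. With that setting Elasticsearch listens on loopback only, so the firewall rule does not make it reachable from SERVER_2. The script below classifies a port from ss and ufw status output to show that mismatch, and also flags a port that is both bound on the network and open to Anywhere. Function names are hypothetical and the ss sample is constructed.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical. SAMPLE_SS is constructed;
# SAMPLE_UFW reuses rows from the firewall listing quoted in the thread.

bind_scope() {  # $1 = port; stdin = `ss -ltnH` rows (field 4 = local addr:port)
  awk -v port="$1" '
    { n = split($4, part, ":")
      if (part[n] != port) next
      addr = substr($4, 1, length($4) - length(part[n]) - 1)
      seen = 1
      if (addr !~ /^(127\.|\[::1\]$|\[::ffff:127\.)/) remote = 1 }
    END { if (!seen) print "not-listening"
          else if (remote) print "network"
          else print "loopback-only" }'
}

ufw_open_to_any() {  # $1 = port; stdin = `ufw status` rows; exit 0 if allowed from Anywhere
  awk -v port="$1" '
    /ALLOW/ && /Anywhere/ {
      split($1, p, "/")              # "9200", "22/tcp", "80,443/tcp"
      n = split(p[1], ports, ",")
      for (i = 1; i <= n; i++) if (ports[i] == port) found = 1 }
    END { exit (found ? 0 : 1) }'
}

diagnose() {  # $1 = port, $2 = ss output, $3 = ufw output
  scope=$(printf '%s\n' "$2" | bind_scope "$1")
  if ! printf '%s\n' "$3" | ufw_open_to_any "$1"; then
    echo "closed: no ufw rule from Anywhere (service: $scope)"; return
  fi
  case "$scope" in
    loopback-only) echo "unreachable: allowed in ufw but bound to loopback only" ;;
    network)       echo "exposed: reachable from any host; restrict the rule and require TLS/auth" ;;
    *)             echo "stale rule: allowed in ufw but nothing is listening" ;;
  esac
}

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:5044 *:*
LISTEN 0 128 [::ffff:127.0.0.1]:9200 *:*
LISTEN 0 128 [::1]:9200 *:*'
SAMPLE_UFW='22/tcp ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
5044 ALLOW IN Anywhere
9200 ALLOW IN Anywhere'

diagnose 9200 "$SAMPLE_SS" "$SAMPLE_UFW"
diagnose 5044 "$SAMPLE_SS" "$SAMPLE_UFW"
```

On a live host, pass "$(ss -ltnH)" and "$(sudo ufw status)" as the second and third arguments to diagnose.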
