How to tell the state of an IIS app pool via the IIS metrics from Metricbeat

Hi All,

I'm trying to determine the state of an IIS app pool (running/stopped/disabled/etc.) that is monitored by Metricbeat.
However, it doesn't appear that Metricbeat includes the state of the app pool in its metric set (IIS fields | Metricbeat Reference [7.16] | Elastic). Is there any way to determine the app pool state via any of the available metrics that Metricbeat provides?

Other tools like windows_exporter seem to have a dedicated metric for app pool state.

Doing a bit more testing, it seems like the Metricbeat module only collects metrics for running app pools, so an alert which looks for missing docs can detect an app pool going from running -> stopped. This isn't 100% the greatest solution, as there are other states which an app pool can be in, so for now I'm not going to mark this as solved in case anyone knows of a better way to handle this.


Any progress, team? I'm also on the same topic.

I eventually opened https://github.com/elastic/beats/issues/30195 yesterday so that it is at least tracked as a feature request.

One thing I did notice is that if you have very dynamic (changing state a lot) app pools, a generic rule currently isn't that great, though an ML job does a decent job of detecting "real" issues.

Hello BenB196, a question: what temporary solution do you have for this issue?

If you have the ability to use machine learning, the job config I use is:

{
  "job_id": "windows_low_count_iis_app_pool",
  "job_type": "anomaly_detector",
  "job_version": "7.16.2",
  "datafeed_config": {
    "datafeed_id": "datafeed-windows_low_count_iis_app_pool",
    "job_id": "windows_low_count_iis_app_pool",
    "query_delay": "93752ms",
    "chunking_config": {
      "mode": "auto"
    },
    "indices_options": {
      "expand_wildcards": [
        "open"
      ],
      "ignore_unavailable": false,
      "allow_no_indices": true,
      "ignore_throttled": true
    },
    "query": {
      "bool": {
        "must": [
          {
            "match_all": {}
          }
        ],
        "filter": [
          {
            "match_phrase": {
              "host.os.family": "windows"
            }
          },
          {
            "exists": {
              "field": "iis.application_pool.name"
            }
          }
        ],
        "must_not": [
          {
            "match_phrase": {
              "host.os.name": "Windows 10 Pro"
            }
          }
        ]
      }
    },
    "indices": [
      "metricbeat-*",
      "metrics-*"
    ],
    "scroll_size": 1000,
    "delayed_data_check_config": {
      "enabled": true
    },
    "state": "started",
    "running_state": {
      "real_time_configured": true,
      "real_time_running": true
    }
  },
  "groups": [
    "windows",
    "metrics",
    "monitoring",
    "services",
    "iis",
    "hosts"
  ],
  "description": "This job looks at running IIS App Pools by their name and host. If it notices an abnormally low number of records for an App Pool (i.e.: App Pool is no longer running), it will mark it as an anomaly.",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "low_count by \"iis.application_pool.name\" partitionfield=\"host.name\"",
        "function": "low_count",
        "by_field_name": "iis.application_pool.name",
        "partition_field_name": "host.name",
        "detector_index": 0
      }
    ],
    "influencers": [
      "host.name",
      "iis.application_pool.name"
    ]
  },
  "analysis_limits": {
    "model_memory_limit": "11mb",
    "categorization_examples_limit": 4
  },
  "data_description": {
    "time_field": "@timestamp",
    "time_format": "epoch_ms"
  },
  "model_plot_config": {
    "enabled": false,
    "annotations_enabled": true
  },
  "model_snapshot_retention_days": 10,
  "daily_model_snapshot_retention_after_days": 1,
  "results_index_name": "custom-windows_low_count_iis_app_pool",
  "allow_lazy_open": false
}

If you don't have the ability to use ML, an alert like the one below would work (though it might be noisy depending on how often app pools change in the environment).

The "WHEN Document Count IS BELOW 1" condition doesn't really matter; what matters with the alert is that "Alert me if a group stops reporting data" is checked at the very bottom. This is what will tell you if an app pool is "stopped".

Note: You can add/adjust filters to suit your need.
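To make the "group stops reporting data" logic concrete, here is an added example (not code from the thread, Metricbeat or Elastic) that applies the same check offline. It uses the same filter as the ML datafeed above (host.os.family is windows and iis.application_pool.name exists), groups documents by host.name and iis.application_pool.name, and flags any pool that reported inside a lookback window but has no documents in the most recent bucket. The sample documents, the bucket and lookback sizes, and the fixed clock are constructed for the example; the 15m bucket mirrors the job's bucket_span.

```python
"""Flag IIS app pools that stopped reporting Metricbeat documents.

Added example: mimics the "alert me if a group stops reporting data"
behaviour by grouping docs on (host.name, iis.application_pool.name)
and flagging groups that were seen within LOOKBACK but have no docs in
the latest BUCKET. As in the thread, this only detects running -> not
reporting; it cannot tell stopped from disabled or any other state.
"""
from datetime import datetime, timedelta, timezone

BUCKET = timedelta(minutes=15)   # assumed; matches the ML job's 15m bucket_span
LOOKBACK = timedelta(hours=1)    # assumed; how recently a pool must have reported to be "known"
NOW = datetime(2022, 2, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample documents, trimmed to the fields the check needs.
SAMPLE_DOCS = [
    # DefaultAppPool on web01 reporting normally in the latest bucket
    {"@timestamp": "2022-02-01T11:50:00Z", "host": {"name": "web01", "os": {"family": "windows"}},
     "iis": {"application_pool": {"name": "DefaultAppPool"}}},
    {"@timestamp": "2022-02-01T11:52:00Z", "host": {"name": "web01", "os": {"family": "windows"}},
     "iis": {"application_pool": {"name": "DefaultAppPool"}}},
    # ShopAppPool on web01 reported earlier in the window but not in the latest bucket
    {"@timestamp": "2022-02-01T11:10:00Z", "host": {"name": "web01", "os": {"family": "windows"}},
     "iis": {"application_pool": {"name": "ShopAppPool"}}},
    {"@timestamp": "2022-02-01T11:20:00Z", "host": {"name": "web01", "os": {"family": "windows"}},
     "iis": {"application_pool": {"name": "ShopAppPool"}}},
    # ApiAppPool on web02 reporting normally
    {"@timestamp": "2022-02-01T11:58:00Z", "host": {"name": "web02", "os": {"family": "windows"}},
     "iis": {"application_pool": {"name": "ApiAppPool"}}},
    # Non-Windows doc without an app pool field: dropped by the filter
    {"@timestamp": "2022-02-01T11:59:00Z", "host": {"name": "db01", "os": {"family": "redhat"}}},
    # Pool last seen before the lookback window: not "known", so not flagged
    {"@timestamp": "2022-02-01T09:00:00Z", "host": {"name": "web02", "os": {"family": "windows"}},
     "iis": {"application_pool": {"name": "OldAppPool"}}},
]


def get_path(doc, path):
    """Resolve a dotted field path such as 'iis.application_pool.name'; None if absent."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_filter(doc):
    """Same filter as the ML datafeed: Windows host and an app pool name present."""
    return (get_path(doc, "host.os.family") == "windows"
            and get_path(doc, "iis.application_pool.name") is not None)


def parse_ts(value):
    """Parse an ISO-8601 @timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_seen_by_pool(docs, now, lookback=LOOKBACK):
    """Return {(host, pool): latest timestamp} for pools seen within the lookback window."""
    last = {}
    for doc in docs:
        if not matches_filter(doc):
            continue
        ts = parse_ts(doc["@timestamp"])
        if ts < now - lookback or ts > now:
            continue
        key = (get_path(doc, "host.name"), get_path(doc, "iis.application_pool.name"))
        if key not in last or ts > last[key]:
            last[key] = ts
    return last


def stopped_pools(docs, now, bucket=BUCKET, lookback=LOOKBACK):
    """Pools known within the lookback window that have zero docs in the latest bucket."""
    last = last_seen_by_pool(docs, now, lookback)
    cutoff = now - bucket
    return sorted(key for key, ts in last.items() if ts < cutoff)


if __name__ == "__main__":
    for host, pool in stopped_pools(SAMPLE_DOCS, NOW):
        print(f"{host}: app pool '{pool}' stopped reporting")
```

Tuning BUCKET and LOOKBACK is the same trade-off the thread describes: a short bucket catches a stop sooner but is noisier on pools that cycle often, which is why the ML job's per-pool baseline tends to do better in dynamic environments.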

Great, thank you very much.
