Is FileBeat Alive?

ori.rubinfeld · May 4, 2016, 4:00am

Hi,

I am having Filebeat running on Windows Servers Reading many log files on each server.
The data is being sent to RHEL Servers running the Logstash and Elasticsearch.

I would like to have a way in which I will be able to know from the RHEL Servers if the Filebeat is Alive and there is no problem with the Service (While there are no logs being written).

What can be best way doing it ?

Thanks,

Ori

warkolm · May 4, 2016, 4:13am

Topbeat should be able to do that - https://www.elastic.co/guide/en/beats/topbeat/current/topbeat-configuration.html

ori.rubinfeld · May 4, 2016, 4:40am

Thanks,

What will be generated if I am running Topbeat for the Filebeat process, but the filebeat is not running ?
Will it generate a line with 0 CPU, 0 Memory, No ProcessID, Or nothing will be generated ?

I would prefer something that can be generated using the Filebeat itself and not to use another utility.

Ori

warkolm · May 4, 2016, 4:45am

I don't think you can monitor Filebeat with itself, that's a circular dependancy.

ori.rubinfeld · May 4, 2016, 4:48am

We have a monitor for the Service to check if it is running or not.
I would also like to know, If it is running and data is not being send to the Logstash.

Ori

magnusbaeck · May 4, 2016, 5:15am

I don't think you can monitor Filebeat with itself, that's a circular dependancy.

True, but Filebeat (and all other beats) could have an optional HTTP endpoint for status and stats information.

ori.rubinfeld · May 4, 2016, 5:16am

How can I access it ?

Thanks,

Ori

magnusbaeck · May 4, 2016, 5:17am

I said that they could have an HTTP endpoint. AFAIK there's no such thing right now.

ori.rubinfeld · May 4, 2016, 11:09am

What is purpose of the flag: -httpprof
While running the Filebeat ?
How can I use it ?

When setting a hostname and port, it gives nothing.

Ori

tudor · May 4, 2016, 11:14am

It's the Golang's pprof interface: https://golang.org/pkg/net/http/pprof/

Try the /debug/vars endpoint, it prints some metrics from libbeat which could be use as some sort of status information.

ori.rubinfeld · May 4, 2016, 11:19am

Great!!!!

Can I use the first Variables for monitoring activity:

{
"cmdline": ["filebeat.exe","-httpprof","127.0.0.1:8080"],
"libbeatEsPublishEventsCallCount": 0,
"libbeatEsPublishedAndAckedEvents": 0,
"libbeatEsPublishedButNotAckedEvents": 0,
"libbeatLogstashPublishEventsCallCount": 0,
"libbeatLogstashPublishedAndAckedEvents": 0,
"libbeatLogstashPublishedButNotAckedEvents": 0,
"libbeatMessagesDropped": 0,
"libbeatMessagesInWorkerQueues": 0,
"libbeatPublishedEvents": 0,
"memstats": {"Alloc":2311672,"TotalAlloc":2311672,"Sys":5442684,"Lookups":45,"Mallocs":23414,"Frees":0,"HeapAlloc":2311672,"HeapSys":2949120,"HeapIdle":122880,"HeapInuse":2826240,"HeapReleased":0,"HeapObjects":23414,"StackInuse":196608,"StackSys":196608,"MSpanInuse":19108,"MSpanSys":32768,"MCacheInuse":2384,"MCacheSys":16384,"BuckHashSys":726380,"GCSys":196608,"OtherSys":1324816,"NextGC":4194304,"LastGC":0,"PauseTotalNs":0,"PauseNs":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"PauseEnd":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"NumGC":0,"GCCPUFraction":0,"EnableGC":true,"DebugGC":false,"BySize":[{"Size":0,"Mallocs":0,"Frees":0},{"Size":8,"Mallocs":1533,"Frees":0},{"Size":16,"Mallocs":6435,"Frees":0},{"Size":32,"Mallocs":2561,"Frees":0},{"Size":48,"Mallocs":7231,"Frees":0},{"Size":64,"Mallocs":638,"Frees":0},{"Size":80,"Mallocs":1287,"Frees":0},{"Size":96,"Mallocs":1306,"Frees":0},{"Size":112,"Mallocs":367,"Frees":0},{"Size":128,"Mallocs":85,"Frees":0},{"Size":144,"Mallocs":118,"Frees":0},{"Size":160,"Mallocs":78,"Frees":0},{"Size":176,"Mallocs":181,"Frees":0},{"Size":192,"Mallocs":1027,"Frees":0},{"Size":208,"Mallocs":26,"Frees":0},{"Size":224,"Mallocs":57,"Frees":0},{"Size":240,"Mallocs":2,"Frees":0},{"Size":256,"Mallocs":19,"Frees":0},{"Size":288,"Mallocs":46,"Frees":0},{"Size":320,"Mallocs":16,"Frees":0},{"Size":352,"Mallocs":13,"Frees":0},{"Size":384,"Mallocs":4,"Frees":0},{"Size":416,"Mallocs":5,"Frees":0},{"Size":448,"Mallocs":5,"Frees":0},{"Size":480,"Mallocs":2,"Frees":0},{"Size":512,"Mallocs":6,"Frees":0},{"Size":576,"Mallocs":43,"Frees":0},{"Size":640,"Mallocs":23,"Frees":0},{"Size":704,"Mallocs":11,"Frees":0},{"Size":768,"Mallocs":4,"Frees":0},{"Size":896,"Mallocs":23,"Frees":0},{"Size":1024,"Mallocs":3,"Frees":0},{"Size":1152,"Mallocs":37,"Frees":0},{"Size":1280,"Mallocs":4,"Frees":0},{"Size":1408,"Mallocs":3,"Frees":0},{"Size":1536,"Mallocs":3,"Frees":0},{"Size":1664,"Mallocs":5,"Frees":0},{"Size":2048,"Mallocs":6,"Frees":0},{"Size":2304,"Mallocs":34,"Frees":0},{"Size":2560,"Mallocs":5,"Frees":0},{"Size":2816,"Mallocs":2,"Frees":0},{"Size":3072,"Mallocs":4,"Frees":0},{"Size":3328,"Mallocs":1,"Frees":0},{"Size":4096,"Mallocs":77,"Frees":0},{"Size":4608,"Mallocs":33,"Frees":0},{"Size":5376,"Mallocs":4,"Frees":0},{"Size":6144,"Mallocs":33,"Frees":0},{"Size":6400,"Mallocs":0,"Frees":0},{"Size":6656,"Mallocs":0,"Frees":0},{"Size":6912,"Mallocs":1,"Frees":0},{"Size":8192,"Mallocs":1,"Frees":0},{"Size":8448,"Mallocs":0,"Frees":0},{"Size":8704,"Mallocs":0,"Frees":0},{"Size":9472,"Mallocs":0,"Frees":0},{"Size":10496,"Mallocs":0,"Frees":0},{"Size":12288,"Mallocs":0,"Frees":0},{"Size":13568,"Mallocs":0,"Frees":0},{"Size":14080,"Mallocs":1,"Frees":0},{"Size":16384,"Mallocs":2,"Frees":0},{"Size":16640,"Mallocs":0,"Frees":0},{"Size":17664,"Mallocs":0,"Frees":0}]}
}

Ori

tudor · May 4, 2016, 11:23am

Yeah, just keep in mind that we intentionally didn't document this because the variable names and such might change.

steffens · May 4, 2016, 2:48pm

there is even a community beat collecting these variables from -httpprof: https://github.com/urso/govarbeat

ori.rubinfeld · May 9, 2016, 8:31am

I think implementing it as follows:

Upgrade to Version 1.2+ of Filebeat, having the CLOSE_OLDER parameter.

Then configure a prospector to run against my pre-defined folder having a file to be changed every 5 minutes.
set:
IGNORE_OLDER=3m
CLOSE_OLDER=1m

I will be able to delete the file and create a new one with an updated TIMESTAMP.
keeping the file size small.
Then the filebeat will send the data to Logstash and from there to ElasticSearch to a Pre-defined index.
By querying that index I will be able to know if the data keeps coming from the filebeat or not.

Ori