Hello, the link mentioned is very useful, and quite complete.
For AD, you pointed out the interesting section "DirectoryServices" for the counters.
More counters: DNS and DFS sections (SYSVOL-related instance)
-> Interesting counters:
\Security System-Wide Statistics\Digest Authentications
\Security System-Wide Statistics\KDC AS Requests
\Security System-Wide Statistics\KDC TGS Requests
\Security System-Wide Statistics\Kerberos Authentications
\Security System-Wide Statistics\NTLM Authentications
I was using the config file below for some tests with Metricbeat.
I need to warn you that Metricbeat currently creates 1 document per counter.
With this config, for 6 Domain Controllers, pulling every 5 seconds, the daily index size is around 290-320 MB for 3.2M documents.
Extending this to a big environment, it can be weird (more than 100 Domain Controllers, and adding all the counters from the DirectoryServices/DNS/DFS/System sections).
Unless the Metricbeat agent can create only 1 document per "perfmon pull", you must be aware of that (but it's actually another subject).
# NTDS
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ab.anr.sec"
  query: '\DirectoryServices(NTDS)\AB ANR/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ab.browses.sec"
  query: '\DirectoryServices(NTDS)\AB Browses/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ab.client.sessions"
  query: '\DirectoryServices(NTDS)\AB Client Sessions'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ab.matches.sec"
  query: '\DirectoryServices(NTDS)\AB Matches/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ab.prop.reads.sec"
  query: '\DirectoryServices(NTDS)\AB Property Reads/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ab.proxy.lookups.sec"
  query: '\DirectoryServices(NTDS)\AB Proxy Lookups/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ab.searches.sec"
  query: '\DirectoryServices(NTDS)\AB Searches/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.db.searches.sec"
  query: '\DirectoryServices(NTDS)\Base searches/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.db.adds.sec"
  query: '\DirectoryServices(NTDS)\Database adds/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.db.deletes.sec"
  query: '\DirectoryServices(NTDS)\Database deletes/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.db.modifys.sec"
  query: '\DirectoryServices(NTDS)\Database modifys/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.db.recycles.sec"
  query: '\DirectoryServices(NTDS)\Database recycles/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ds.client.binds.sec"
  query: '\DirectoryServices(NTDS)\DS Client Binds/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ds.client.name.translations.sec"
  query: '\DirectoryServices(NTDS)\DS Client Name Translations/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ds.directory.reads.sec"
  query: '\DirectoryServices(NTDS)\DS Directory Reads/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ds.directory.searches.sec"
  query: '\DirectoryServices(NTDS)\DS Directory Searches/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ds.directory.writes.sec"
  query: '\DirectoryServices(NTDS)\DS Directory Writes/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ds.threads"
  query: '\DirectoryServices(NTDS)\DS Threads in Use'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.active.threads"
  query: '\DirectoryServices(NTDS)\LDAP Active Threads'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.bind.time"
  query: '\DirectoryServices(NTDS)\LDAP Bind Time'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.client.sessions"
  query: '\DirectoryServices(NTDS)\LDAP Client Sessions'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.closed.connections.sec"
  query: '\DirectoryServices(NTDS)\LDAP Closed Connections/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.new.connections.sec"
  query: '\DirectoryServices(NTDS)\LDAP New Connections/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.new.ssl.connections.sec"
  query: '\DirectoryServices(NTDS)\LDAP New SSL Connections/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.searches.sec"
  query: '\DirectoryServices(NTDS)\LDAP Searches/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.successful.binds.sec"
  query: '\DirectoryServices(NTDS)\LDAP Successful Binds/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.udp.operations.sec"
  query: '\DirectoryServices(NTDS)\LDAP UDP operations/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ldap.writes.sec"
  query: '\DirectoryServices(NTDS)\LDAP Writes/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.ntlm.binds.sec"
  query: '\DirectoryServices(NTDS)\NTLM Binds/sec'
- instance_label: "ntds.name"
  instance_name: "NTDS"
  measurement_label: "ntds.subtree.searches.sec"
  query: '\DirectoryServices(NTDS)\Subtree searches/sec'
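
A pre-deployment check for a counter list like the one above, as an added example that is not part of the original post: it reads the `query:` lines from a Metricbeat config, tests each counter path on the local Domain Controller with `Get-Counter`, and estimates the per-host document volume under the one-document-per-counter behaviour the post describes. The config path and the 5-second period are assumptions.

```powershell
# Added example (not the poster's code).
# $ConfigPath is an assumed install location; $PeriodSeconds matches the
# 5-second pull interval mentioned in the post.
param(
    [string]$ConfigPath    = 'C:\Program Files\Metricbeat\metricbeat.yml',
    [int]   $PeriodSeconds = 5
)

# Extract the counter path from every "query: '...'" line in the config.
$queries = Select-String -Path $ConfigPath -Pattern "^\s*query:\s*'([^']+)'" |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

# Take one sample per counter. A path that does not exist on this host
# (typo, missing role, localized counter name) throws and is recorded as
# unresolved. Get-Counter expects counter names in the OS display language.
$results = @(foreach ($q in $queries) {
    try {
        $sample = (Get-Counter -Counter $q -MaxSamples 1 -ErrorAction Stop).CounterSamples[0]
        [pscustomobject]@{ Query = $q; Resolved = $true;  Value = $sample.CookedValue }
    } catch {
        [pscustomobject]@{ Query = $q; Resolved = $false; Value = $null }
    }
})

$results | Sort-Object Resolved, Query | Format-Table -AutoSize

# One document per counter per pull, as described in the post.
$resolved    = @($results | Where-Object { $_.Resolved }).Count
$pullsPerDay = [math]::Floor(86400 / $PeriodSeconds)
$docsPerDay  = $resolved * $pullsPerDay

'{0} of {1} counters resolved; about {2:N0} documents per day from this host at a {3}s period.' -f `
    $resolved, $results.Count, $docsPerDay, $PeriodSeconds
```

Multiply the per-host figure by the number of Domain Controllers to size the daily index before adding the DNS, DFS or Security System-Wide Statistics counters.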