Metricbeat - Socket summary TCP established filtered by port

Hello everyone,

I have a ELK stack server which receives metrics from several servers, but one of them has a specific application that listens on port TCP/8443. Im aware of the system module of Metricbeats, which supports a metricset called Socket. This module has a field called system.socket.summary.tcp.all.established , that tells me the amount of established TCP connections of the server, but it does not orders those connections by port, just shows me the whole number. I would like to get the amount of TCP connections established against port 8443 TCP on my server, but I do not see anyway to achieve that.

Any ideas?

Im not a native english speaker, sorry for my gramatical errors.

Hi @IT_Sniper!

Can't you use system.socket.local.port of System fields | Metricbeat Reference [7.13] | Elastic?

Hi!

I can see that field, but how can I use it to get established connections? In the Discover page I use this filter: system.socket.local.port : 8443 but i do not see any other field useful for me to achieve what i want. How should i proceed? I use the Discover page but in the end i want to implement this using a Metric visualization in a Dashboard.

Hi again?

Do you see this field getting populated? If you look for system.socket.local.port in general what values do you see?

Yes, i see the field getting populated by the different ports that the server is listening to. 8443 is one of them, i also see ports 10000, 32987, and others. I will upload an image of what i see in the fields.

image

Ok, so can you filter only to the events that are about 8443 and sum?

By doing that i get the sum of all the connections established on port 8443 in the time range, right? I need the number of the connections that are established and running right now. My metric would be something like the output of this command:

netstat -an|grep ESTABLISHED | grep -w 8443 | wc -l

I know its a bit tricky... but sometimes im asked by my superiors to tell them the amount of clients connected to the app at a given MOMENT and if we get this to work it would be really useful.

OK I see, if you apply this count approach on date histogram won't see the timeline of open connections while time evolves?

I followed your indications and i got these results:

These are the amount of TCP established connections per minute, splited by minute using the Date Histogram.

If I filter just using local.port = 8443 and sum, i would get the number of events generated against port 8443, but if one client generates several events against that port, it would count them separately, although its the same client, so I need a field that its unique with every client and i would use that field to do the filtering.

What about system.socket.remote.port? Its very rare to have two clients with the same source port, so what if i do a filter using local.port = 8443 and remote.port = * and count them in a 1 minute range, or should i use unique count instead of count? I suppose i should use Unique count so i do not count the same source port twice, but im still learning how to use ELK and i do not know the difference between each aggregation type.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.