Monitor packetbeat via Zabbix

(sheldon) #1

Hi, I am new to packetbeat and also ELK... I would like to ask: is there any way to monitor packetbeat through Zabbix, or to import packetbeat data into Zabbix? I am using Linux CentOS 7.

(Aaron Mildenstein) #2

I think you'd have a hard time importing the volume of data that packetbeat can send into Zabbix.

That much data is much better searched after being inserted into Elasticsearch.

The average JSON document being sent to Elasticsearch (or Logstash) by packetbeat is going to have many fields, and Zabbix is designed to only capture one value per key (per host). To capture the entire JSON document, or even just the major fields, would involve sending an equal number of "host:key:value" sets, which is how an item is defined in Zabbix.

The Zabbix output plugin for Logstash can send a few events to Zabbix (it hasn't been tested since Zabbix 2.x), but it is not suited to sending the entire stream for the reasons already cited. You'd do better using conditionals inside Logstash to catch certain conditions and then send a single value/item to Zabbix, and only for the conditions you care about. Or perhaps use the metrics plugin in Logstash and send the averaged data once per minute to Zabbix. The full stream (broken down into individual host:key:value items) is potentially more than Zabbix could handle. If there are 10 fields you want to keep from, say, the http module from packetbeat, and you were receiving 1500 events per second total, that would be 15000 new values per second your Zabbix server would have to handle. That much would require a very large Zabbix setup (not impossible), and that might be the only thing that Zabbix instance would handle.

Zabbix is terrific at monitoring and alerting for a variety of things, particularly metric-based values. The Elastic Stack is great at ingesting huge amounts of data and being able to search through it, and aggregate it so it can be displayed and viewed in ways that lead to insights into your data. While it can be argued that there is overlap between the two in some areas, it is best to use them for their respective strengths. Having been a Zabbix user for nearly a decade, I would not recommend using it to capture and alert on packetbeat data, unless you first reduce it down in some way (as mentioned with the metric filter in Logstash). Zabbix could be made to alert and/or trend on that data, and that's a much better use case for it.
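As an added illustration of the two approaches described in the reply above (it is not part of the original thread and not the poster's own configuration), here is a Logstash pipeline that keeps the full packetbeat stream flowing into Elasticsearch while handing Zabbix only (a) a once-per-minute rate computed by the metrics filter and (b) a single item per matched event for one condition you care about. The packetbeat field names ([type], [status], [responsetime], [beat][hostname]) follow the 5.x schema and should be checked against the fields.yml of your version; the Zabbix server address, the Zabbix host "packetbeat-aggregate" and the item keys are assumptions for the example.

```conf
# Added example, not from the original thread. Field names assume packetbeat 5.x;
# the Zabbix host/item names below are placeholders and must already exist in
# Zabbix as "Zabbix trapper" items, because the zabbix output speaks the
# zabbix_sender protocol and cannot create hosts or items.
input {
  beats { port => 5044 }
}

filter {
  if [type] == "http" {
    # (a) Reduce the stream: one summary event per flush_interval instead of
    # thousands of raw events. packetbeat sets [status] to "OK" or "Error", so
    # the sprintf meter name yields [http_OK] and [http_Error] sub-documents,
    # each with count, rate_1m, rate_5m and rate_15m.
    metrics {
      meter          => ["http_%{[status]}"]
      add_tag        => ["zabbix_metric"]
      add_field      => {
        "zabbix_host" => "packetbeat-aggregate"        # assumed Zabbix host
        "zabbix_key"  => "packetbeat.http.error.rate1m" # assumed trapper item key
      }
      flush_interval => 60
      clear_interval => 60
    }

    # (b) Conditional alert: forward ONE item for a single condition only.
    # responsetime is in milliseconds; the 5000 ms threshold is an assumption.
    if [responsetime] and [responsetime] > 5000 {
      mutate {
        add_tag   => ["zabbix_alert"]
        add_field => {
          "zabbix_host"  => "%{[beat][hostname]}"      # must match the host name in Zabbix
          "zabbix_key"   => "packetbeat.http.slow_ms"  # assumed trapper item key
          "zabbix_value" => "%{[responsetime]}"
        }
      }
    }
  }

  # The summary event emitted by the metrics filter passes through the filters
  # that follow it. Pick the value to ship; if no error was seen in the window
  # the [http_Error] meter does not exist yet, so send an explicit zero.
  if "zabbix_metric" in [tags] {
    if [http_Error] {
      mutate { add_field => { "zabbix_value" => "%{[http_Error][rate_1m]}" } }
    } else {
      mutate { add_field => { "zabbix_value" => "0" } }
    }
  }
}

output {
  # Only reduced or explicitly selected events reach Zabbix.
  if "zabbix_metric" in [tags] or "zabbix_alert" in [tags] {
    zabbix {
      zabbix_server_host => "zabbix.example.com"  # assumed server address
      zabbix_server_port => 10051
      # These three settings name the FIELDS that hold the host, key and value,
      # not the literal host/key/value themselves.
      zabbix_host  => "zabbix_host"
      zabbix_key   => "zabbix_key"
      zabbix_value => "zabbix_value"
    }
  }

  # Everything except the synthetic summary events still goes to Elasticsearch,
  # including the events that also triggered a Zabbix alert item.
  if "zabbix_metric" not in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "packetbeat-%{+YYYY.MM.dd}"
    }
  }
}
```

With this shape, Zabbix receives one value per minute for the aggregate plus one value per slow request, which matches its one-value-per-key-per-host model; everything else stays in Elasticsearch where it can be searched and aggregated. Before relying on it, check the zabbix output plugin against your Zabbix version (the reply notes it has not been tested past 2.x), create the trapper items first, and confirm a summary arrives with zabbix_sender or the Zabbix "Latest data" view, since a missing host or item is silently rejected on the Zabbix side and shows up only in the Logstash log.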

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.