Introduction
Code on GitHub: Elasticsearch and Beats
We will set up Metricbeat with Elasticsearch and Kibana. If you do not have Elasticsearch and Kibana set up yet, then follow these instructions.
This video assumes you are using Publicly Signed Certificates. If you are using Self Signed Certificates, go here TBD.
Requirements
A running instance of Elasticsearch and Kibana.
An instance of another Ubuntu 20.04 server running any kind of service.
Steps
Step 1 - Download Metricbeat [01:10]
On the Ubuntu machine that will run Metricbeat, run these commands to add the Elastic package repository and install Metricbeat with its dependencies:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg;
echo 'deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main' | sudo tee /etc/apt/sources.list.d/elastic-8.x.list;
apt-get install -y apt-transport-https;
apt-get update;
apt-get install -y metricbeat;
Step 2 - Configure Metricbeat [02:20]
Edit these fields in /etc/metricbeat/metricbeat.yml:
setup.kibana:
  host: "https://<kibana-domain>:<kibana-port>"
output.elasticsearch:
  hosts: ["<elasticsearch-domain>:<elasticsearch-port>"]
  protocol: "https"
  username: "elastic"
  password: "<your elastic password>"
Completed metricbeat.yml can be found here
IMPORTANT - we are using the elastic super user for the initial set up and configuration. We will downgrade the privileges later.
Then test your configuration with these commands:
/usr/share/metricbeat/bin/metricbeat test config -c /etc/metricbeat/metricbeat.yml --path.data /var/lib/metricbeat --path.home /usr/share/metricbeat
/usr/share/metricbeat/bin/metricbeat test output -c /etc/metricbeat/metricbeat.yml --path.data /var/lib/metricbeat --path.home /usr/share/metricbeat
You should see something like this:
[Screenshot: Verify metricbeat configuration]
Step 3 - Setup Metricbeat [08:00]
Now run this command to set up Metricbeat data streams and views in Elasticsearch and Kibana:
/usr/share/metricbeat/bin/metricbeat setup -c /etc/metricbeat/metricbeat.yml --path.data /var/lib/metricbeat --path.home /usr/share/metricbeat
Once the command finishes, go to Kibana Menu and visit Dashboard to see many pre-made dashboards.
Step 4 - Create a Publishing User [10:50]
Create Role
In Kibana, go to Stack Management > Roles > Create role. Then fill out these fields:
Role name: metricbeat-user
Cluster privileges: monitor, read_ilm
Indices: metricbeat-*
Privileges: create_doc
Create User
In Kibana, go to Stack Management > Users > Create user. Then fill out these fields:
Username: metric
Full name: metric
Email address: anything@anything.com
Password: anything
Roles: metricbeat-user, editor
Create API Key for User
In Kibana, go to Dev Tools > Console. Then run this command:
POST /_security/api_key/grant
{
  "grant_type": "password",
  "username": "metric",
  "password": "anything",
  "api_key": {
    "name": "metric"
  }
}
This should produce a result like:
[Screenshot: Metricbeat user token]
Edit /etc/metricbeat/metricbeat.yml by commenting out the elastic username and password and enabling the api_key like so:
output.elasticsearch:
  ...etc...
  api_key: "${ES_API_KEY}"
  #username: "elastic"
  #password: ""
  ...etc...
We will be using the Metricbeat keystore to load secrets at run time. Now run this command to set the ES_API_KEY keystore variable:
/usr/share/metricbeat/bin/metricbeat keystore add ES_API_KEY -c /etc/metricbeat/metricbeat.yml --path.data /var/lib/metricbeat --path.home /usr/share/metricbeat
Press enter and, when prompted, paste in <id>:<api_key> where the <id> and the <api_key> are the values from the user token response you got previously.
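Before starting the service, it is worth confirming that the Step 4 edit actually removed the superuser credentials from the file. The following check is an added example, not code from the original page or from Elastic; the function names, sample hostnames and sample password are constructed, and it assumes the dotted top-level `output.elasticsearch:` form used on this page.

```python
import re
import sys

ENV_REF = re.compile(r"\$\{\w+\}")  # ${NAME}: resolved from the keystore or environment

# Constructed samples: the output section after Step 2 and after the Step 4 edit.
BEFORE = '''output.elasticsearch:
  hosts: ["es.example.test:9200"]
  protocol: "https"
  username: "elastic"
  password: "constructed-password"
'''
AFTER = '''output.elasticsearch:
  hosts: ["es.example.test:9200"]
  protocol: "https"
  api_key: "${ES_API_KEY}"
  #username: "elastic"
  #password: ""
'''

def output_settings(text):
    """Active (uncommented) keys under a top-level 'output.elasticsearch:' line."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # any top-level key opens or closes the section
            inside = line.startswith("output.elasticsearch:")
        elif inside:
            m = re.match(r"\s+([\w.]+):\s*(.*)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(text):
    s, findings = output_settings(text), []
    if s.get("username") == "elastic":
        findings.append("elastic superuser is still the publishing identity")
    if "password" in s and not ENV_REF.fullmatch(s["password"]):
        findings.append("literal password stored in the config file")
    if "api_key" not in s:
        findings.append("no api_key configured")
    elif not ENV_REF.fullmatch(s["api_key"]):
        findings.append("api_key is a literal, not a ${NAME} keystore reference")
    if s.get("protocol") != "https" and "https://" not in s.get("hosts", ""):
        findings.append("output does not use https")
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in audit(open(path).read() if path else BEFORE):
        print("FINDING:", finding)
```

Run it with /etc/metricbeat/metricbeat.yml as the argument (as a user that can read the file); no output means the section references only the keystore variable.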
Step 5 - Run Metricbeat [18:00]
systemctl enable metricbeat;
systemctl start metricbeat;
In a moment, you should start seeing results in Kibana in any of these places: Discover, Observability, Stack Management > Index Management > Datastream, or Dashboard > Select a Metricbeat dashboard.