Light monitoring with Elastic Metricbeat: an alternative vision

Since Pandora FMS version 7.0 NG 712, thanks to the integration with Elastic, we have drastically improved the storage and visualization of records or logs, which lets us scale both the volume of information and the speed at which it is presented. But wait, there is still more to talk about before I go on to describe Light Monitoring…

Elasticsearch with Light Monitoring

Light Monitoring versus Monitoring

With Pandora FMS you will not have a simple Monitoring but rather a Robust Monitoring; we work tirelessly with our sights set on monitoring thousands of devices, in a massive way. However, flexibility is part of our name. Therefore, in addition to the improvements in version 712, in version 7.0 NG 717 we added a new component: SyslogServer.

This way, Pandora FMS gathers all the information in a unified form and delivers it to a previously configured Logstash/ElasticSearch server, which gives us a powerful search and presentation tool. At the graphic level the results are impressive, and everything stays centralized in the Pandora FMS console.

Pandora FMS, LogStash and ElasticSearch Interactions

ElasticSearch is programmed in Java language and uses Apache Lucene to “swallow” all kinds of information we provide; it is like a boiler that “burns and produces results”, regardless of the type of “fuel” we use.

Now let’s talk about Light Monitoring

Light Monitoring is a new trend for small businesses or individuals who want or are interested in specific points in application monitoring, for example. Let’s go to something simpler: let’s say we need to know the IP address of a computer. To do this, we’ll use any of the popular dynamic DNS services. Are we monitoring? Well, no, we’ll just be using a service.

Let’s go further, by placing on our website a subdomain with a small program written in PHP and HTML, which will receive a message from a software agent that we will install on the machine to supervise. All this will be stored in a database, which will allow us to record not only the last IP address but also how often this address changes (or whether it stays the same) in 5-minute intervals; if that interval is exceeded we will assume that there is no connection (or something worse), which will allow us to build a rudimentary alarm, such as sending the corresponding notice by email.
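The receiver described above, as an added example that is not part of the original post and not Pandora FMS code: it models the database behind the PHP/HTML page with an in-memory SQLite table, records each agent check-in (host name, public IP address, timestamp), reports the last known address and the number of address changes, and raises the rudimentary alarm when no check-in has arrived within the 5-minute interval. The host name, addresses and timestamps are constructed sample data, and the 5-minute threshold is the one the text assumes.

```python
"""Light Monitoring check-in tracker (added example, not from the original post).

Models the receiver the post describes: an agent on the supervised machine
reports its current public IP address; every check-in is stored, the last
address and the number of address changes are reported, and an alarm is
raised when no check-in has arrived within the expected 5-minute interval.
Storage is an in-memory SQLite database so the example runs offline.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

CHECKIN_INTERVAL = timedelta(minutes=5)   # the agent is expected to report this often


class CheckinStore:
    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS checkins ("
            " host TEXT NOT NULL, ip TEXT NOT NULL, seen_at TEXT NOT NULL)"
        )

    def record(self, host, ip, seen_at):
        """Store one agent check-in; seen_at is a timezone-aware datetime."""
        self.conn.execute(
            "INSERT INTO checkins (host, ip, seen_at) VALUES (?, ?, ?)",
            (host, ip, seen_at.isoformat()),
        )
        self.conn.commit()

    def history(self, host):
        rows = self.conn.execute(
            "SELECT ip, seen_at FROM checkins WHERE host = ? ORDER BY seen_at",
            (host,),
        ).fetchall()
        return [(ip, datetime.fromisoformat(ts)) for ip, ts in rows]

    def last_ip(self, host):
        hist = self.history(host)
        return hist[-1][0] if hist else None

    def ip_changes(self, host):
        """How many times the reported address differed from the previous one."""
        ips = [ip for ip, _ in self.history(host)]
        return sum(1 for prev, cur in zip(ips, ips[1:]) if prev != cur)

    def is_stale(self, host, now):
        """True when the last check-in is older than the expected interval."""
        hist = self.history(host)
        if not hist:
            return True
        return now - hist[-1][1] > CHECKIN_INTERVAL


def evaluate(store, host, now):
    """Produce the status the rudimentary alarm (e.g. an e-mail) would act on."""
    return {
        "host": host,
        "last_ip": store.last_ip(host),
        "ip_changes": store.ip_changes(host),
        "alarm": store.is_stale(host, now),
    }


def demo():
    """Feed constructed check-ins (not real data) and evaluate the host twice."""
    store = CheckinStore()
    t0 = datetime(2018, 1, 1, 12, 0, tzinfo=timezone.utc)
    samples = [  # constructed: five check-ins, one address change
        ("office-pc", "203.0.113.10", t0),
        ("office-pc", "203.0.113.10", t0 + timedelta(minutes=5)),
        ("office-pc", "203.0.113.10", t0 + timedelta(minutes=10)),
        ("office-pc", "203.0.113.27", t0 + timedelta(minutes=15)),
        ("office-pc", "203.0.113.27", t0 + timedelta(minutes=20)),
    ]
    for host, ip, ts in samples:
        store.record(host, ip, ts)
    on_time = evaluate(store, "office-pc", t0 + timedelta(minutes=24))  # 4 min since last
    overdue = evaluate(store, "office-pc", t0 + timedelta(minutes=31))  # 11 min since last
    return on_time, overdue


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The staleness check is deliberately evaluated against a caller-supplied "now" rather than the wall clock, which keeps the alarm logic testable and avoids surprises when the receiver and the agent disagree about time zones.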

We will call this example “Light Monitoring”. Small businesses and individuals often need these kinds of services, or a few more without exceeding a dozen. We are aware of this sector of small and medium enterprises, where Light Monitoring is even more practical, or where it makes sense to delegate remote monitoring, outside their own facilities, to third parties.

Lightweight Monitoring with Beat

Beat is the family name for a set of programs that deliver data directly to ElasticSearch and/or Logstash and therefore act as software agents; but instead of being general purpose, like those of Pandora FMS, each one has a specific purpose, and they grow in variety every day because they are open to contributions.

At the time of writing this article, there were the following on their official website, and we briefly describe each of them:

  • Auditbeat: to keep track and control of Linux kernel events, as well as file modifications. It is able to retain messages it has not yet been able to send in case there is no connection to our ElasticSearch server. This feature is shared by the other products in this list.
  • Filebeat: although its name does not refer to normal files, but to records or logs. It comes ready to detect and send auditd, Apache, NGINX, System, MySQL and more, either on real machines or in containers such as Docker. You have the option of sending them to ElasticSearch and/or Logstash, which we alluded to at the beginning.
  • Heartbeat: to know if hosts or services are online by means of ping, but in an extended sense: not only ICMP but also TCP, and HTTP or TLS. It can also authenticate and go through any proxy. Yes, in the strict sense of the definition (which we all know) that is not a ping service, but the good thing about free software is that we can program it as we need it. Delivery to ElasticSearch and/or Logstash.
  • Metricbeat: which we will discuss in detail.
  • Packetbeat: it also works with ElasticSearch and/or Logstash and is in charge of capturing the traffic of our network, determining the protocol used and relating requests and answers, and then extracting fields such as time and status, to group them in a suitable format before sending them. It also works as a library, so our Go language programs will have an excellent tool or we can create our own protocol detectors (it is already integrated to detect traffic from databases such as MySQL, PostgreSQL, MongoDB and more).
  • Winlogbeat: it is analogous to Filebeat, but applied only and exclusively to all events of the Windows® operating system.

All Beats use scripts written in Python 2.7.9 with virtualenv to generate configuration files and documentation for them.

Metricbeat

We have already talked about the metrics that really matter and we know they are multi-colored. Metricbeat will therefore collect them for us by means of two components: modules and metricsets.

The modules specify the service on which the metric is to be collected, how to connect to that service and how often to make the query. As each service can return many values, Metricbeat groups them into a set of metrics in a standardized format before sending them. Even if it does not receive a valid response after several attempts, Metricbeat will always return a report indicating the error.

Metricbeat will deliver all collected data to our server, which we will have installed with the command “sudo apt-get install elasticsearch logstash kibana” (in the case of Debian). Bear in mind that we must also install Kibana, a tool to graph the processed information, and it is the equivalent to Pandora FMS console.

We summarize the three components by their configuration files:

  • “/etc/kibana/kibana.yml”: “server.host” and “elasticsearch.url”.
  • “/etc/elasticsearch/elasticsearch.yml”: “network.host”.
  • “/etc/logstash/logstash.yml”: “http.host”.

Then we will use systemctl to enable them at machine startup and start them once. Next we install the nodes or devices for light monitoring.

For these we execute “sudo apt-get install metricbeat” and configure the file “/etc/metricbeat/metricbeat.yml”, where we will add the IP address of the server, protocol, user and password. It is very important to start the service with “systemctl start metricbeat.service”. That is only a general outline; in this link you will be able to read the complete configuration information.

Secure communication with Metricbeat

Pandora FMS has its own communication protocol, called “Tentacle”, to ensure that our data and information do not fall into the hands of third parties during transport. Metricbeat uses standard protocols such as HTTPS, which we already know how to configure by means of plain text files. We must make sure that the passwords used in these files are not stored in clear text; for this, Metricbeat offers the Secrets keystore utility:

  • “metricbeat keystore create”: it initializes the storage.
  • “metricbeat keystore add”: we add a password to our list.
  • To pass a password stored in a file directly we will use the previous option with the --stdin option and a pipe; for example, “cat /etc/fichero.txt | metricbeat keystore add key_name --stdin”.
  • The key_name will be used as ${key_name} in the configuration files, for Metricbeat to resolve the password and use it to communicate with our ElasticSearch and/or Logstash server.
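A check a practitioner would want for both the metricbeat.yml configuration step above and the keystore section: an added example (not Elastic's or Pandora FMS's code) that scans a Beats YAML file line by line, using only the Python standard library, and reports every credential-looking key whose value is a literal instead of a ${key_name} keystore reference. The two embedded configurations are constructed samples showing the weak form (password in clear text) beside the corrected form (password taken from the keystore); the set of key names treated as secrets and the host address are assumptions for the example, and the scan only understands flat "key: value" lines, which is enough for the output section discussed here.

```python
"""Audit a Beats YAML file for clear-text secrets (added example, not Elastic's
or Pandora FMS's code).

Beats let you write output credentials directly in metricbeat.yml or refer to
an entry in the secrets keystore as ${KEY_NAME} (created with
"metricbeat keystore add KEY_NAME --stdin").  This checker flags every
credential-looking key whose value is a literal rather than such a reference.
It handles flat "key: value" lines only; a trailing "#" comment is stripped,
so a "#" inside a quoted value would be mis-read (acceptable for this demo).
"""
import re

SECRET_KEYS = {"password", "api_key", "secret", "token"}   # assumption for the example
LINE_RE = re.compile(r"^\s*(?P<key>[\w.]+)\s*:\s*(?P<value>.+?)\s*$")
KEYSTORE_REF_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def strip_quotes(value):
    """Remove one layer of matching single or double quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def audit_beats_config(text):
    """Return (line_number, key, finding) for every credential-looking key."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        m = LINE_RE.match(line)
        if not m:
            continue
        # "output.elasticsearch.password" and a nested "password:" both end in "password"
        key = m.group("key").rsplit(".", 1)[-1]
        if key not in SECRET_KEYS:
            continue
        value = strip_quotes(m.group("value"))
        if KEYSTORE_REF_RE.match(value):
            findings.append((lineno, key, "keystore reference"))
        else:
            findings.append((lineno, key, "plaintext secret"))
    return findings


def plaintext_secrets(text):
    """Only the findings an operator must act on before deploying the file."""
    return [(n, k) for n, k, f in audit_beats_config(text) if f == "plaintext secret"]


# Constructed sample: the weak form, credential written in clear text.
WEAK_CONFIG = """\
# constructed example of the weak form
output.elasticsearch:
  hosts: ["https://192.0.2.10:9200"]
  protocol: "https"
  username: "metricbeat_writer"
  password: "hunter2"
"""

# Constructed sample: the corrected form, credential resolved from the keystore.
HARDENED_CONFIG = """\
# constructed example: the password lives in the keystore under ES_PWD
output.elasticsearch:
  hosts: ["https://192.0.2.10:9200"]
  protocol: "https"
  username: "metricbeat_writer"
  password: "${ES_PWD}"
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_beats_config(cfg))
```

Running the check over both samples reports the clear-text password on line 6 of the weak file and nothing actionable for the hardened one; wiring it into a pre-deployment step (or a configuration-management lint) keeps credentials out of files that end up in backups and version control.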

Scope of Light Monitoring

However, we foresee the arrival of more Light Monitoring options and we will be aware in order to bring you news. In the meantime, please contact us for further information, questions or comments about monitoring – see you soon!
