Elastic Stack 8 - Metricbeat to monitor hardware usage

We previously saw how to install Elastic Stack in Part I; now we will see how to monitor hardware usage with Metricbeat.

This module will allow us to monitor CPU, memory, inbound/outbound traffic and disk utilization with graphical views.

So let's see how to install it on Windows and GNU/Linux systems.

Metricbeat Architecture

Figure: Metricbeat schema with Elasticsearch and Kibana.

Installing Metricbeat

I'll install Metricbeat on every machine I want to monitor in Elasticsearch.

Windows

Download Metricbeat

  • Go to the official website and download the zip package :
https://www.elastic.co/downloads/beats/metricbeat
  • Once downloaded, unzip the file to C:\Program Files\metricbeat :
  • Edit metricbeat.yml and replace the “X.X.X.X” address with your own Elasticsearch server address and “elastic_password;)” with the elastic user account password :
# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://X.X.X.X:5601"
  ssl.verification_mode: none
  username: "elastic"
  password: "elastic_password;)"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["X.X.X.X:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.verification_mode: none

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "elastic_password;)"

Install Metricbeat

  • Open a PowerShell prompt with administrator rights
  • Go to the C:\Program Files\metricbeat directory :
PS C:\> cd "C:\Program Files\metricbeat"
  • Check the metricbeat.yml file :
PS C:\> .\metricbeat.exe test config -c .\metricbeat.yml
  • Install the Metricbeat service :
PS C:\> powershell -executionpolicy Unrestricted -file .\install-service-metricbeat.ps1
  • Set up predefined assets for parsing, indexing, and visualizing :
PS C:\> .\metricbeat.exe setup -e
  • Start the Metricbeat service :
PS C:\> Start-Service metricbeat

GNU/Linux

Install Metricbeat

  • Install apt-transport-https and the prerequisite packages :
root@host:~# apt update && apt-get install apt-transport-https gnupg curl wget
  • Import the Elasticsearch PGP key :
root@host:~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
  • Save the repository definition :
root@host:~# echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
  • Install the Metricbeat package :
root@host:~# apt update && apt-get install metricbeat

/etc/metricbeat/metricbeat.yml

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://X.X.X.X:5601"
  ssl.verification_mode: none
  username: "elastic"
  password: "elastic_password;)"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["X.X.X.X:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.verification_mode: none

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "elastic_password;)"
  • Start the Metricbeat service :
root@host:~# systemctl start metricbeat
  • Make it start at boot :
root@host:~# systemctl enable metricbeat
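
Both metricbeat.yml listings above set ssl.verification_mode: none, which turns off certificate verification, and keep the password of the elastic superuser in clear text in the file. A hardened variant of the same two sections, as an added example that is not part of the original article; the CA file path, the metricbeat_setup account and the keystore key names are assumptions :

```yaml
# Added example (not from the original article). Assumed names: the CA path,
# the metricbeat_setup account and the keystore keys KIBANA_PWD / ES_API_KEY.
#
# Secrets are stored in the Metricbeat keystore on each host first:
#   metricbeat keystore create
#   metricbeat keystore add KIBANA_PWD
#   metricbeat keystore add ES_API_KEY

setup.kibana:
  host: "https://X.X.X.X:5601"
  # Trust the CA that signed the server certificate instead of skipping checks.
  # On Windows, point this at a file under C:\Program Files\metricbeat.
  ssl.certificate_authorities: ["/etc/metricbeat/certs/ca.crt"]
  # "full" validates the chain and that the certificate matches the host above.
  # With an IP address as host, the certificate must list that IP as a SAN;
  # "certificate" validates the chain only and skips the name check.
  ssl.verification_mode: full
  # Used when loading the dashboards (hypothetical dedicated account).
  username: "metricbeat_setup"
  password: "${KIBANA_PWD}"

output.elasticsearch:
  hosts: ["X.X.X.X:9200"]
  protocol: "https"
  ssl.certificate_authorities: ["/etc/metricbeat/certs/ca.crt"]
  ssl.verification_mode: full
  # API key in "id:api_key" form, resolved from the keystore at startup, so no
  # password for the elastic superuser sits in the file.
  api_key: "${ES_API_KEY}"
```

Running metricbeat test output after metricbeat test config shows whether the TLS handshake with Elasticsearch succeeds under these settings. The setup step loads index templates and dashboards and needs broader privileges than day-to-day publishing, so it is run with a setup-capable credential while the service keeps the narrower key.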

Kibana

Check indices

  • Open Firefox and go to the https://KIBANA_IP_SERVER:5601/ address, then from the main menu, go to Management > Stack Management :
  • From Stack Management go to Data > Index Management :
  • You should see your indices :
Kibana | Indices

Dashboard

There are a lot of predefined dashboards for Metricbeat; we will see how to use them.

  • Open the main menu and go to Kibana > Dashboard :
  • Type Metricbeat and choose a Dashboard :
  • The [Metricbeat System] Overview ECS dashboard :
Kibana | Metricbeat [Metricbeat System] Overview ECS Dashboard
  • The [Metricbeat System] Host overview ECS dashboard :
Kibana | Metricbeat [Metricbeat System] Host overview ECS
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.