Elasticsearch is an open-source search server, based on the Lucene search library. It runs in a Java virtual machine on top of a number of operating systems. The elasticsearch receiver collects node- and cluster-level telemetry from your Elasticsearch instances. For more information, see elasticsearch.org.
Prerequisites
To collect and ingest Elasticsearch logs and metrics, you must install Ops Agent version 2.10.0 or higher.
This receiver supports Elasticsearch versions 7.9 and higher.
Configure your Elasticsearch instance
If you enable Elasticsearch security features, you must configure a user with the monitor or manage cluster privilege.
Configure the Ops Agent for Elasticsearch
Following the guide for Configuring the Ops Agent, add the required elements to collect logs and metrics from your Elasticsearch instances, and restart the agent.
Example configuration
The following command creates the configuration file to collect and ingest logs and metrics for Elasticsearch and restarts the Ops Agent on Linux.
sudo tee /etc/google-cloud-ops-agent/config.yaml > /dev/null << EOF
logging:
  receivers:
    elasticsearch_json:
      type: elasticsearch_json
    elasticsearch_gc:
      type: elasticsearch_gc
  service:
    pipelines:
      elasticsearch:
        receivers:
          - elasticsearch_json
          - elasticsearch_gc
metrics:
  receivers:
    elasticsearch:
      type: elasticsearch
  service:
    pipelines:
      elasticsearch:
        receivers:
          - elasticsearch
EOF
sudo service google-cloud-ops-agent restart
Configure logs collection
To ingest logs from Elasticsearch, you must create receivers for the logs that Elasticsearch produces and then create a pipeline for the new receivers.
To configure a receiver for your elasticsearch_json logs, specify the following fields:
Field | Default | Description |
---|---|---|
type | | The value must be elasticsearch_json. |
include_paths | [/var/log/elasticsearch/*_server.json, /var/log/elasticsearch/*_deprecation.json, /var/log/elasticsearch/*_index_search_slowlog.json, /var/log/elasticsearch/*_index_indexing_slowlog.json, /var/log/elasticsearch/*_audit.json] | The log files to read. A wildcard (*) can be used in the paths. |
exclude_paths | | The log files to exclude, if include_paths contains a glob or directory. |
record_log_file_path | false | If set to true, then the path to the specific file from which the log record was obtained appears in the output log entry as the value of the agent.googleapis.com/log_file_path label. When using a wildcard, only the path of the file from which the record was obtained is recorded. |
wildcard_refresh_interval | 60s | The interval at which wildcard file paths in include_paths are refreshed. Given as a time interval parsable by time.ParseDuration. Must be a multiple of 1s. |
To configure a receiver for your elasticsearch_gc logs, specify the following fields:
Field | Default | Description |
---|---|---|
type | | Must be elasticsearch_gc. |
include_paths | [/var/log/elasticsearch/gc.log] | The log files to read. |
exclude_paths | [] | The log files to exclude, if include_paths contains a glob or directory. |
record_log_file_path | false | If set to true, then the path to the specific file from which the log record was obtained appears in the output log entry as the value of the agent.googleapis.com/log_file_path label. When using a wildcard, only the path of the file from which the record was obtained is recorded. |
wildcard_refresh_interval | 60s | The interval at which wildcard file paths in include_paths are refreshed. Given as a time interval parsable by time.ParseDuration. Must be a multiple of 1s. |
What is logged
The logName of the elasticsearch_json and elasticsearch_gc logs is derived from the receiver IDs specified in the configuration. Detailed fields inside the LogEntry are as follows.
elasticsearch_json
These logs contain the following fields in the LogEntry:
Field | Type | Description |
---|---|---|
jsonPayload.component | string | The component of Elasticsearch that emitted the log |
jsonPayload.type | string | The type of log, indicating which log the record came from (e.g. server indicates this LogEntry came from the server log) |
jsonPayload.cluster.name | string | The name of the cluster emitting the log record |
jsonPayload.cluster.uuid | string | The UUID of the cluster emitting the log record |
jsonPayload.node.name | string | The name of the node emitting the log record |
jsonPayload.node.uuid | string | The UUID of the node emitting the log record |
jsonPayload.message | string | Log message |
severity | string (LogSeverity) | Log entry level (translated) |
timestamp | string (Timestamp) | Time the entry was logged |
Log entries don't contain any fields that are blank or missing.
elasticsearch_gc
These logs contain the following fields in the LogEntry:
Field | Type | Description |
---|---|---|
jsonPayload.gc_run | number | The run of the garbage collector |
jsonPayload.message | string | The log message |
jsonPayload.type | string | The type of the log record |
timestamp | string (Timestamp) | Time the entry was logged |
Log entries don't contain any fields that are blank or missing.
Configure metrics collection
To collect metrics from Elasticsearch, you must create a receiver for Elasticsearch metrics and then create a pipeline for the new receiver. To configure a receiver for your Elasticsearch metrics, specify the following fields:
Field | Default | Description |
---|---|---|
type | | The value must be elasticsearch. |
endpoint | http://localhost:9200 | The base URL for the Elasticsearch REST API. |
collection_interval | 60s | A time.Duration value, such as 30s or 5m. |
username | | Username for authentication with Elasticsearch. Required if password is set. |
password | | Password for authentication with Elasticsearch. Required if username is set. |
insecure | true | Sets whether or not to use a secure TLS connection. If set to false, then TLS is enabled. |
insecure_skip_verify | false | Sets whether or not to skip verifying the certificate. If insecure is set to true, then the insecure_skip_verify value is not used. |
cert_file | | Path to the TLS certificate to use for mTLS-required connections. |
key_file | | Path to the TLS key to use for mTLS-required connections. |
ca_file | | Path to the CA certificate. As a client, this verifies the server certificate. If empty, the receiver uses the system root CA. |
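A metrics receiver configuration for a cluster with security features enabled, as an added example that is not part of the original page: it enables TLS with certificate verification so that the username and password are not sent over the default unencrypted connection. The host name, user name, password placeholder and certificate paths are assumptions.

```yaml
# Added example, not from the original page. Host name, user name, password
# placeholder and certificate paths below are assumptions.
metrics:
  receivers:
    elasticsearch:
      type: elasticsearch
      # Use an https:// URL; with verification on, the host name must match
      # a name in the server certificate.
      endpoint: https://es-node-1.example.internal:9200
      collection_interval: 60s
      # A user holding only the "monitor" cluster privilege, the narrower of
      # the two privileges the receiver accepts.
      username: opsagent_monitor
      password: REPLACE_WITH_PASSWORD
      # Default is true (no TLS), which would send the credentials above
      # unencrypted. false enables TLS.
      insecure: false
      # Keep certificate verification on (this is the default).
      insecure_skip_verify: false
      # CA that signed the Elasticsearch HTTP certificate. Leave unset to use
      # the system root CAs.
      ca_file: /etc/elasticsearch/certs/http_ca.crt
      # Only when Elasticsearch requires client certificates (mTLS):
      # cert_file: /etc/google-cloud-ops-agent/es-client.crt
      # key_file: /etc/google-cloud-ops-agent/es-client.key
  service:
    pipelines:
      elasticsearch:
        receivers:
          - elasticsearch
```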
What is monitored
The following table provides the list of metrics that the Ops Agent collects from the Elasticsearch instance.
Metric type | Kind, Type | Monitored resources | Labels |
---|---|---|---|
workload.googleapis.com/elasticsearch.cluster.data_nodes | GAUGE, INT64 | gce_instance | |
workload.googleapis.com/elasticsearch.cluster.health | GAUGE, INT64 | gce_instance | status |
workload.googleapis.com/elasticsearch.cluster.nodes | GAUGE, INT64 | gce_instance | |
workload.googleapis.com/elasticsearch.cluster.shards | GAUGE, INT64 | gce_instance | state |
workload.googleapis.com/elasticsearch.node.cache.evictions | CUMULATIVE, INT64 | gce_instance | cache_name |
workload.googleapis.com/elasticsearch.node.cache.memory.usage | GAUGE, INT64 | gce_instance | cache_name |
workload.googleapis.com/elasticsearch.node.cluster.connections | GAUGE, INT64 | gce_instance | |
workload.googleapis.com/elasticsearch.node.cluster.io | CUMULATIVE, INT64 | gce_instance | direction |
workload.googleapis.com/elasticsearch.node.documents | GAUGE, INT64 | gce_instance | state |
workload.googleapis.com/elasticsearch.node.fs.disk.available | GAUGE, INT64 | gce_instance | |
workload.googleapis.com/elasticsearch.node.http.connections | GAUGE, INT64 | gce_instance | |
workload.googleapis.com/elasticsearch.node.open_files | GAUGE, INT64 | gce_instance | |
workload.googleapis.com/elasticsearch.node.operations.completed | CUMULATIVE, INT64 | gce_instance | operation |
workload.googleapis.com/elasticsearch.node.operations.time | CUMULATIVE, INT64 | gce_instance | operation |
workload.googleapis.com/elasticsearch.node.shards.size | GAUGE, INT64 | gce_instance | |
workload.googleapis.com/elasticsearch.node.thread_pool.tasks.finished | CUMULATIVE, INT64 | gce_instance | state, thread_pool_name |
workload.googleapis.com/elasticsearch.node.thread_pool.tasks.queued | GAUGE, INT64 | gce_instance | thread_pool_name |
workload.googleapis.com/elasticsearch.node.thread_pool.threads | GAUGE, INT64 | gce_instance | state, thread_pool_name |
Verify the configuration
You can use the Logs Explorer and Metrics Explorer to verify that you correctly configured the Elasticsearch receiver. It might take one or two minutes for the Ops Agent to begin collecting telemetry.
To verify the logs are ingested, go to the Logs Explorer and run the following query to view the Elasticsearch logs:
resource.type="gce_instance"
logName=("projects/PROJECT_ID/logs/elasticsearch_json" OR "projects/PROJECT_ID/logs/elasticsearch_gc")
To verify the metrics are ingested, go to Metrics Explorer and run the following query in the MQL tab.
fetch gce_instance
| metric 'workload.googleapis.com/elasticsearch.node.operations.completed'
| align rate(1m)
| every 1m
What's next
For a walkthrough on how to use Ansible to install the Ops Agent, configure a third-party application, and install a sample dashboard, see the Install the Ops Agent to troubleshoot third-party applications video.