Elasticsearch

Elasticsearch is an open-source search server, based on the Lucene search library. It runs in a Java virtual machine on top of a number of operating systems. The elasticsearch receiver collects node- and cluster-level telemetry from your Elasticsearch instances. For more information, see elasticsearch.org.

Prerequisites

To collect and ingest Elasticsearch logs and metrics, you must install Ops Agent version 2.10.0 or higher.

This receiver supports Elasticsearch versions 7.9 and higher.

Configure your Elasticsearch instance

If you enable Elasticsearch security features, you must configure a user for the receiver that has the monitor or manage cluster privilege. The monitor privilege is sufficient: the receiver only reads cluster health and node statistics, whereas manage additionally allows changing cluster settings. Create a dedicated user with monitor only rather than reusing an administrative account.
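As an added example (not code from the Ops Agent or Elasticsearch projects), the following script creates a role that carries only the monitor cluster privilege, a user bound to that role, and then checks as that user that the receiver's calls work and that manage is not granted. The variables ES_URL, ES_CA, ES_ADMIN_USER and ES_ADMIN_PASS_FILE and the names ops_agent_monitor and ops_agent are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example for this page (not code from the Ops Agent or Elasticsearch
# projects): create a read-only monitoring principal for the Ops Agent through
# the Elasticsearch security API and confirm it holds no more than it needs.
# Assumptions (not given on the page): ES_URL points at an HTTPS-enabled node
# (e.g. https://localhost:9200), ES_CA is the PEM CA that signed its
# certificate, ES_ADMIN_USER / ES_ADMIN_PASS_FILE identify an account that may
# manage users, and the names ops_agent_monitor / ops_agent are illustrative.
set -eu

ROLE_NAME=ops_agent_monitor
USER_NAME=ops_agent

# Role: only the cluster-level "monitor" privilege and no index privileges.
# The receiver reads cluster and node statistics, not documents, and "manage"
# would additionally allow changing cluster settings.
monitor_role_body() {
    printf '{"cluster": ["monitor"], "indices": []}\n'
}

# User: password supplied by the caller ($1). A base64 password contains no
# characters that need escaping inside a JSON string.
monitor_user_body() {
    printf '{"password": "%s", "roles": ["%s"], "full_name": "Ops Agent monitoring"}\n' "$1" "$ROLE_NAME"
}

# Ask Elasticsearch which of these cluster privileges the caller holds.
has_privileges_body() {
    printf '{"cluster": ["monitor", "manage"]}\n'
}

# es_api METHOD PATH USER PASSFILE [BODY]: credentials go through a 0600 curl
# config file, so the password never appears in argv or in shell history.
es_api() {
    method=$1; path=$2; user=$3; passfile=$4; body=${5:-}
    cfg=$(mktemp); chmod 600 "$cfg"
    printf 'user = "%s:%s"\n' "$user" "$(cat "$passfile")" > "$cfg"
    if [ -n "$body" ]; then set -- -d "$body"; else set --; fi
    status=0
    curl -sS --fail --cacert "$ES_CA" -K "$cfg" -X "$method" \
        -H 'Content-Type: application/json' "$@" "$ES_URL$path" || status=$?
    rm -f "$cfg"
    return $status
}

create_monitor_user() {
    pass=$(head -c 24 /dev/urandom | base64 | tr -d '\n')
    passfile=$(mktemp); chmod 600 "$passfile"; printf '%s' "$pass" > "$passfile"

    es_api PUT  "/_security/role/$ROLE_NAME" "$ES_ADMIN_USER" "$ES_ADMIN_PASS_FILE" "$(monitor_role_body)"
    es_api POST "/_security/user/$USER_NAME" "$ES_ADMIN_USER" "$ES_ADMIN_PASS_FILE" "$(monitor_user_body "$pass")"

    # Verify as the new user: the receiver's read calls must work, "manage" must not be granted.
    es_api GET /_cluster/health "$USER_NAME" "$passfile" >/dev/null
    es_api POST /_security/user/_has_privileges "$USER_NAME" "$passfile" "$(has_privileges_body)" \
        | grep -Eq '"manage" *: *false' || { echo "$USER_NAME holds more than monitor" >&2; exit 1; }
    echo "created $USER_NAME; its password is in $passfile (copy it into the Ops Agent config, then delete the file)" >&2
}

# Only talk to a cluster when explicitly configured; running the file without
# ES_URL (or sourcing it for its functions) performs no network calls.
if [ -n "${ES_URL:-}" ]; then create_monitor_user; fi
```

Run it once as an Elasticsearch administrator; the generated password is written to a 0600 temporary file rather than printed, and the _has_privileges check fails the script if the role ever picks up manage.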

Configure the Ops Agent for Elasticsearch

Following the guide for Configuring the Ops Agent, add the required elements to collect logs and metrics from your Elasticsearch instances, and restart the agent.

Example configuration

The following command creates the configuration file to collect and ingest logs and metrics for Elasticsearch and restarts the Ops Agent on Linux. It relies on the metrics receiver defaults (plaintext HTTP to localhost:9200 and no credentials), so it only works against a node with security features disabled; the endpoint, TLS and authentication fields are described under Configure metrics collection.

sudo tee /etc/google-cloud-ops-agent/config.yaml > /dev/null << EOF
logging:
  receivers:
    elasticsearch_json:
      type: elasticsearch_json
    elasticsearch_gc:
      type: elasticsearch_gc
  service:
    pipelines:
      elasticsearch:
        receivers:
          - elasticsearch_json
          - elasticsearch_gc
metrics:
  receivers:
    elasticsearch:
      type: elasticsearch
  service:
    pipelines:
      elasticsearch:
        receivers:
          - elasticsearch
EOF
sudo service google-cloud-ops-agent restart

Configure logs collection

To ingest logs from Elasticsearch, you must create receivers for the logs that Elasticsearch produces and then create a pipeline for the new receivers. Note that the *_audit.json files matched by the default include_paths exist only if you enable auditing in Elasticsearch (xpack.security.audit.enabled: true in elasticsearch.yml); once enabled, the receiver picks them up without further configuration.

To configure a receiver for your elasticsearch_json logs, specify the following fields:

Field | Default | Description
type | | The value must be elasticsearch_json.
include_paths | [/var/log/elasticsearch/*_server.json, /var/log/elasticsearch/*_deprecation.json, /var/log/elasticsearch/*_index_search_slowlog.json, /var/log/elasticsearch/*_index_indexing_slowlog.json, /var/log/elasticsearch/*_audit.json] | The log files to read. A wildcard (*) can be used in the paths.
exclude_paths | [] | The log files to exclude, if include_paths contains a glob or directory.
record_log_file_path | false | If set to true, the path to the specific file from which the log record was obtained appears in the output log entry as the value of the agent.googleapis.com/log_file_path label. When using a wildcard, only the path of the file from which the record was obtained is recorded.
wildcard_refresh_interval | 60s | The interval at which wildcard file paths in include_paths are refreshed. Given as a time interval parsable by time.ParseDuration. Must be a multiple of 1s.


To configure a receiver for your elasticsearch_gc logs, specify the following fields:

Field | Default | Description
type | | The value must be elasticsearch_gc.
include_paths | [/var/log/elasticsearch/gc.log] | The log files to read.
exclude_paths | [] | The log files to exclude, if include_paths contains a glob or directory.
record_log_file_path | false | If set to true, the path to the specific file from which the log record was obtained appears in the output log entry as the value of the agent.googleapis.com/log_file_path label. When using a wildcard, only the path of the file from which the record was obtained is recorded.
wildcard_refresh_interval | 60s | The interval at which wildcard file paths in include_paths are refreshed. Given as a time interval parsable by time.ParseDuration. Must be a multiple of 1s.

What is logged

The logName of the elasticsearch_json and elasticsearch_gc logs is derived from the receiver IDs specified in the configuration. The fields inside the LogEntry are as follows.

elasticsearch_json
These logs contain the following fields in the LogEntry:

Field Type Description
jsonPayload.component string The component of Elasticsearch that emitted the log
jsonPayload.type string The type of log, indicating which log the record came from (e.g. server indicates this LogEntry came from the server log)
jsonPayload.cluster.name string The name of the cluster emitting the log record
jsonPayload.cluster.uuid string The UUID of the cluster emitting the log record
jsonPayload.node.name string The name of the node emitting the log record
jsonPayload.node.uuid string The UUID of the node emitting the log record
jsonPayload.message string Log message
severity string (LogSeverity) Log entry level (translated)
timestamp string (Timestamp) Time the entry was logged

Log entries don't contain any fields that are blank or missing.

elasticsearch_gc
These logs contain the following fields in the LogEntry:

Field Type Description
jsonPayload.gc_run number The run of the garbage collector
jsonPayload.message string The log message
jsonPayload.type string The type of the log record
timestamp string (Timestamp) Time the entry was logged

Log entries don't contain any fields that are blank or missing.

Configure metrics collection

To collect metrics from Elasticsearch, you must create a receiver for Elasticsearch metrics and then create a pipeline for the new receiver. To configure a receiver for your Elasticsearch metrics, specify the following fields:

Field | Default | Description
type | | The value must be elasticsearch.
endpoint | http://localhost:9200 | The base URL for the Elasticsearch REST API.
collection_interval | 60s | A time.Duration value, such as 30s or 5m.
username | | Username for authentication with Elasticsearch. Required if password is set.
password | | Password for authentication with Elasticsearch. Required if username is set.
insecure | true | Sets whether to use plaintext HTTP (true) or TLS (false). The default is plaintext; set it to false whenever the Elasticsearch HTTP layer has TLS enabled.
insecure_skip_verify | false | Sets whether to skip verifying the server certificate. If insecure is set to true, then the insecure_skip_verify value is not used. Leave it false in production: skipping verification allows any host that can intercept the connection to impersonate Elasticsearch and collect the credentials.
cert_file | | Path to the TLS certificate to use for mTLS-required connections.
key_file | | Path to the TLS key to use for mTLS-required connections.
ca_file | | Path to the CA certificate. As a client, this verifies the server certificate. If empty, the receiver uses the system root CA.
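The example configuration earlier on this page (Configure the Ops Agent for Elasticsearch) uses the receiver defaults: plaintext HTTP to localhost:9200 and no credentials. The following script, added here and not part of the page or of the Ops Agent project, writes the same logging and metrics pipelines with TLS verification and a dedicated user, and restricts the config file because it holds a cleartext password. The endpoint https://localhost:9200, the CA path /etc/elasticsearch/certs/http_ca.crt and the variables ES_MONITOR_USER and ES_MONITOR_PASS_FILE are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own configuration): an Ops Agent config for
# Elasticsearch that verifies the server certificate and authenticates as a
# dedicated monitoring user, plus the file handling a cleartext password needs.
# Assumptions: Elasticsearch serves HTTPS on localhost:9200, its CA is at
# /etc/elasticsearch/certs/http_ca.crt, and the monitoring user's credentials
# come in through ES_MONITOR_USER and ES_MONITOR_PASS_FILE (a 0600 file).
set -eu

CONFIG=/etc/google-cloud-ops-agent/config.yaml

# write_ops_agent_config OUTFILE USER PASSWORD: writes the config to OUTFILE.
# The password must not contain a single quote (a base64 password never does).
write_ops_agent_config() {
    out=$1; user=$2; password=$3
    umask 077   # a newly created file is 0600, because it holds a cleartext password
    cat > "$out" <<EOF
logging:
  receivers:
    elasticsearch_json:
      type: elasticsearch_json
      record_log_file_path: true   # keeps audit/slowlog/server provenance on each entry
    elasticsearch_gc:
      type: elasticsearch_gc
  service:
    pipelines:
      elasticsearch:
        receivers:
          - elasticsearch_json
          - elasticsearch_gc
metrics:
  receivers:
    elasticsearch:
      type: elasticsearch
      endpoint: https://localhost:9200
      collection_interval: 60s
      username: $user
      password: '$password'
      insecure: false                # the default (true) would send plaintext HTTP
      insecure_skip_verify: false    # verify the server certificate ...
      ca_file: /etc/elasticsearch/certs/http_ca.crt   # ... against this CA
  service:
    pipelines:
      elasticsearch:
        receivers:
          - elasticsearch
EOF
}

# Installs the live config (run as root) and restarts the agent, which itself
# runs as root on Linux, so 0600 root-owned is all it needs.
install_config() {
    write_ops_agent_config "$CONFIG" "$ES_MONITOR_USER" "$(cat "$ES_MONITOR_PASS_FILE")"
    chown root:root "$CONFIG"
    chmod 600 "$CONFIG"
    service google-cloud-ops-agent restart
}

# Only touch the live config when the credentials are explicitly supplied.
if [ -n "${ES_MONITOR_PASS_FILE:-}" ]; then install_config; fi
```

Compared with the earlier example, only the metrics receiver changes: insecure: false turns TLS on, ca_file pins the CA instead of skipping verification, and username/password are the dedicated monitoring user's. Because sudo tee with the default umask would leave the file world-readable, the script sets the umask before writing and chmods the result.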

What is monitored

The following table provides the list of metrics that the Ops Agent collects from the Elasticsearch instance.

Metric type | Kind, Type | Monitored resources | Labels
workload.googleapis.com/elasticsearch.cluster.data_nodes | GAUGE, INT64 | gce_instance |
workload.googleapis.com/elasticsearch.cluster.health | GAUGE, INT64 | gce_instance | status
workload.googleapis.com/elasticsearch.cluster.nodes | GAUGE, INT64 | gce_instance |
workload.googleapis.com/elasticsearch.cluster.shards | GAUGE, INT64 | gce_instance | state
workload.googleapis.com/elasticsearch.node.cache.evictions | CUMULATIVE, INT64 | gce_instance | cache_name
workload.googleapis.com/elasticsearch.node.cache.memory.usage | GAUGE, INT64 | gce_instance | cache_name
workload.googleapis.com/elasticsearch.node.cluster.connections | GAUGE, INT64 | gce_instance |
workload.googleapis.com/elasticsearch.node.cluster.io | CUMULATIVE, INT64 | gce_instance | direction
workload.googleapis.com/elasticsearch.node.documents | GAUGE, INT64 | gce_instance | state
workload.googleapis.com/elasticsearch.node.fs.disk.available | GAUGE, INT64 | gce_instance |
workload.googleapis.com/elasticsearch.node.http.connections | GAUGE, INT64 | gce_instance |
workload.googleapis.com/elasticsearch.node.open_files | GAUGE, INT64 | gce_instance |
workload.googleapis.com/elasticsearch.node.operations.completed | CUMULATIVE, INT64 | gce_instance | operation
workload.googleapis.com/elasticsearch.node.operations.time | CUMULATIVE, INT64 | gce_instance | operation
workload.googleapis.com/elasticsearch.node.shards.size | GAUGE, INT64 | gce_instance |
workload.googleapis.com/elasticsearch.node.thread_pool.tasks.finished | CUMULATIVE, INT64 | gce_instance | state, thread_pool_name
workload.googleapis.com/elasticsearch.node.thread_pool.tasks.queued | GAUGE, INT64 | gce_instance | thread_pool_name
workload.googleapis.com/elasticsearch.node.thread_pool.threads | GAUGE, INT64 | gce_instance | state, thread_pool_name

Verify the configuration

You can use the Logs Explorer and Metrics Explorer to verify that you correctly configured the Elasticsearch receiver. It might take one or two minutes for the Ops Agent to begin collecting telemetry.

To verify the logs are ingested, go to the Logs Explorer and run the following query to view the Elasticsearch logs:

resource.type="gce_instance"
logName=("projects/PROJECT_ID/logs/elasticsearch_json" OR "projects/PROJECT_ID/logs/elasticsearch_gc")


To verify the metrics are ingested, go to Metrics Explorer and run the following query in the MQL tab.

fetch gce_instance
| metric 'workload.googleapis.com/elasticsearch.node.operations.completed'
| align rate(1m)
| every 1m
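The same two checks can be run from a terminal, which is useful when verifying many instances or scripting the rollout. The following script is an added example, not part of the page; it uses the gcloud CLI for the logs query and the Cloud Monitoring API's timeSeries:query method for the MQL query. It assumes PROJECT_ID is set and that gcloud is authenticated with a principal that can read logs and metrics in that project.

```shell
#!/bin/sh
# Added example (not from the page): verify from the command line that
# Elasticsearch logs and metrics reach Cloud Logging and Cloud Monitoring.
# Assumptions: PROJECT_ID is set, gcloud is authenticated, and the agent has
# been running for a couple of minutes.
set -eu

# Logs Explorer filter for both Elasticsearch log receivers ($1 = project ID).
es_log_filter() {
    printf 'resource.type="gce_instance" AND logName=("projects/%s/logs/elasticsearch_json" OR "projects/%s/logs/elasticsearch_gc")' "$1" "$1"
}

# The MQL query from this page, as text.
es_metric_query() {
    cat <<'EOF'
fetch gce_instance
| metric 'workload.googleapis.com/elasticsearch.node.operations.completed'
| align rate(1m)
| every 1m
EOF
}

# JSON request body for timeSeries:query; newlines in the query must be
# escaped, so the output is a single line.
es_metric_query_body() {
    q=$(es_metric_query | awk '{ printf "%s\\n", $0 }')
    printf '{"query": "%s"}' "$q"
}

verify_logs() {
    gcloud logging read "$(es_log_filter "$PROJECT_ID")" --project="$PROJECT_ID" \
        --freshness=10m --limit=5 \
        --format='value(timestamp,jsonPayload.type,jsonPayload.message)'
}

verify_metrics() {
    curl -sS --fail -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H 'Content-Type: application/json' \
        -d "$(es_metric_query_body)" \
        "https://monitoring.googleapis.com/v3/projects/$PROJECT_ID/timeSeries:query"
}

# No network calls unless a project is given.
if [ -n "${PROJECT_ID:-}" ]; then verify_logs; verify_metrics; fi
```

An empty result from verify_logs after a few minutes usually means the agent cannot read the files in include_paths; an empty timeSeriesData array from verify_metrics points at the endpoint, TLS or credential settings of the metrics receiver.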

What's next

For a walkthrough on how to use Ansible to install the Ops Agent, configure a third-party application, and install a sample dashboard, see the Install the Ops Agent to troubleshoot third-party applications video.