{ } CC-BY-ND 4.0
For Windows users...
• SSC Serv
– Commercial product
– Uses collectd protocol
– Disk, df, CPU, Interface, Terminal Services
– Can monitor any performance counter available via
the Performance Data Handles interface.
– http://ssc-serv.com
5
{ } CC-BY-ND 4.0
Configuring collectd...
• Intervals are configurable
– Global
– Per Plugin
13
Slide 14
Slide 14 text
{ } CC-BY-ND 4.0
Plugins
• df, disk
– Disk usage statistics.
• load
– The 1m, 5m, and 15m load averages
• memory
– free, buffered, cached, used, etc.
• interface
– Per-interface network usage/traffic statistics.
14
Slide 15
Slide 15 text
{ } CC-BY-ND 4.0
Plugins
• ConnTrack
– Tracks the number of entries in Linux's connection
tracking table.
• ContextSwitch
– Collects the number of context switches done by the
operating system.
15
Slide 16
Slide 16 text
{ } CC-BY-ND 4.0
Plugins
• DBI/PostgreSQL/Oracle
– Returns values from queries.
• Entropy
– Collects the available entropy on a system
16
Slide 17
Slide 17 text
{ } CC-BY-ND 4.0
Plugins
• memcached
– Collects the number of connections and requests
handled by the daemon, the CPU resources
consumed, number of items cached, number of
threads, and bytes sent and received.
• MySQL
– Connects to a MySQL db, issues a SHOW STATUS
command, and returns many of the variables.
17
Slide 18
Slide 18 text
{ } CC-BY-ND 4.0
Plugins
• Swap
– Collects the amount of memory currently written onto
hard disk (or whatever the system calls “swap”)
• TCPConns
– Counts the number of TCP connections to or from a
specified port. Results include each state: LISTEN,
ESTABLISHED, CLOSE_WAIT, etc.
18
{ } CC-BY-ND 4.0
IP Tables
• Per-rule byte and packet counters, selected by:
– Position (e.g. “the fourth rule in the ‘INPUT’ queue in
the ‘filter’ table”)
– Comment (using the “COMMENT” match).
• Low overhead
– Uses libiptc. Communicates with the kernel directly.
20
Slide 21
Slide 21 text
{ } CC-BY-ND 4.0
SNMP
• Uses Net-SNMP
• Use collectd to collect stats from:
– Switches
– Routers
– UPS
– Rack monitoring systems,
– and more!
21
CC-BY-ND 4.0
Alerting
You have all your data in
elasticsearch, now what ?
Slide 29
Slide 29 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Brian Murphy
Elasticsearch developer
Previously at Loggly and Splunk.
[email protected]
Slide 30
Slide 30 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Why ?
● No point in having the data unless you can act
on it.
● Dashboards are great for an overview but don’
t allow you to get notified when things go
wrong.
● The time something happens is as important
as what happens.
Slide 31
Slide 31 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Alerting vs Percolator ?
Percolator is fantastic at what it does but it has some limitations
● Only processes a single event at a time.
● No access to aggregations.
● No history of what was percolated and what matched.
Slide 32
Slide 32 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Anatomy of an Alert
An alert is defined by four key elements
● Schedule
● Input
● Condition
● Actions
Slide 33
Slide 33 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Schedule
Slide 34
Slide 34 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Schedule
The schedule defines when and how often an alert
should run.
● Every 5 mins (check the load on my production
web server)
● Every hour (count how many errors my database
logs contain)
● On the last day of the month (run a check to see if
my traffic has gone up from last month)
Slide 35
Slide 35 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Cron
Alert schedules can be defined by a cron
syntax.
● Great for people who know cron.
● Terrible for people who don’t.
Slide 36
Slide 36 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Cron
Cron syntax is very powerful but hard (at least for
me).
0 0,12 1 */2 *
Run every 12am and 12pm on the 1st day of every
2nd month.
* 12 16 * Mon
Run every minute during the 12th hour of Monday,
16th, but only if the day is the 16th of the month.
Slide 37
Slide 37 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Slide 38
Slide 38 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Simpler
We will support a simplified syntax for
defining schedules.
"hourly" : { "minute" : 30 }
Run every hour on the 30th minute.
"daily" : { "at" : [
"midnight", "noon", "17:00" ] }
Run at 00:00, 12:00 and 17:00 every day.
"interval" : "5m"
Run every 5 minutes.
Slide 39
Slide 39 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Input
Slide 40
Slide 40 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Input
The input generates or loads the data that
will be used by a running alert
● Run an aggregation on my collectd
index to get my load average over
the last 5 minutes.
● Count how many errors my log index
had for my database server.
● Run a date histogram aggregation to
get my web traffic for the last two
months.
Slide 41
Slide 41 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Input
Inputs can be (for now) elasticsearch
searches or static data.
Searches give you full access to the
elasticsearch query dsl and can span
multiple indices.
Searches can be templated with access to
two special variables
1. The time the alert ran.
2. The time the alert was
scheduled to run.
CC-BY-ND 4.0
CC-BY-ND 4.0
Condition
The condition decides whether the alert
actions should be executed
● Is the load result from the input over
a threshold.
● Does the count from the input mean
that I need to be paged?
● Is the trend in a date histogram
unexpected ?
CC-BY-ND 4.0
CC-BY-ND 4.0
Condition
Even simpler if you use on disk on indexed
scripts.
● "script" : "hit_checker"
"type" : "indexed"
"params" : { "threshold" :
5 }
Slide 47
Slide 47 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Actions
Slide 48
Slide 48 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Actions
The actions take the result of the alert and
deliver it to external and internal systems.
● Email the sysadmin to let him know
that load on the cluster is too high.
● Generate a pagerduty API call to all
database administrators.
● Index the result of the alert.
Slide 49
Slide 49 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Actions
The email and webhook actions support templating.
"email" : {
"to" : "[email protected]",
"subject" : "{{alert_name}} has triggered
with {{ctx.payload.hits.total}} results",
"body" : "The {{alert_name}} found errors
on {{#ctx.payload.aggregations.names}}
{{name}},
{{/ctx.payload.aggregations.name}}
servers.
"
}
Slide 50
Slide 50 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Actions
The email and webhook actions support templating.
"webhook" : {
"method" : "POST",
"url" : "http://host.domain/third-party-
system/{{alert_name}}",
"body" : "Encountered {ctx.payload.hits.
total}} errors"
}
Slide 51
Slide 51 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Alerts and elasticsearch
Slide 52
Slide 52 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Alerts and elasticsearch
Alerts are indexed elasticsearch documents.
Every time an alert runs an elasticsearch `alert_history`
document is generated in a time based index.
This document contains all the information from the alert
run along with whether or not the condition matched and
the status of the actions.
Slide 53
Slide 53 text
CC-BY-ND 4.0
CC-BY-ND 4.0
Alerts and elasticsearch
Since alerts and alert runs are indexed documents in
elasticsearch you can generate kibana dashboards of your
alerts and run alerts on alerts.
● Run an alert every day and check the number of
triggered alerts that failed to execute their actions
● Run an alert every day that checks that the expected
number of alerts ran.
● Run an alert that checks if the one node is triggering
alerts more than others.
Slide 54
Slide 54 text
CC-BY-ND 4.0
CC-BY-ND 4.0
When ?
Soon.
There will be a beta, if you are interested please let our
product team know.