Get real-time insights from your application with Packetbeat & Elasticsearch 

www.elastic.co 2 In today’s program • Lots of JSON objects • A cow, an elk, a violin, a guitar and a set of drums • Anomaly detection via moving averages 

www.elastic.co 3 Tudor Golubenco twitter.com/tudor_g github.com/tsg I am 

www.elastic.co 4 I work for 

www.elastic.co 5 the company behind Elasticsearch Logstash Kibana 

www.elastic.co 6 also known as the ELK stack Photo  credit:  https://www.flickr.com/photos/lsmith2010/8215026548 

www.elastic.co 7 Open source culture Image  credit:  https://www.flickr.com/photos/tappnel/5798812875 • We live in GitHub • We talk Pull Requests • Conferences • Community • Blog posts 

www.elastic.co 8 Started an open source project Packetbeat 

www.elastic.co 9 We wanted to make Monitoring and troubleshooting tools for complex applications and infrastructures 

www.elastic.co 10 Idea look at the communication between services 

www.elastic.co 11 Capture network packets • Visibility into the infrastructure by • Passively listening to network packets • It doesn’t add latency • It cannot break your application Image  credit:  https://www.flickr.com/photos/bigdrumthump/3223280727 

www.elastic.co 12 Packet capturing 1.  Using  port  mirroring 2.  As  an  “agent” 

www.elastic.co 13 Sniffing from a technical PoV • libpcap (tcpdump), supports all Unix like systems • Winpcap, supports Windows • For Go, gopacket provides bindings and more • High speed API for packet capturing on Linux: af_packet Image  credit:  https://www.flickr.com/photos/57881779@N04/7930362242/ 

www.elastic.co 14 Decoding 

www.elastic.co 15 Matching requests and responses • Pipelining complicates matching the requests with the responses. 

www.elastic.co 16 Create a JSON object for each request-response pair HTTP  transaction GET  method Response  code Response  time 

www.elastic.co 17 SQL example SQL  method Query Error  message Bandwidth   information 

www.elastic.co 18 DNS example Query  type Domain  name Response  time 

www.elastic.co 19 Packetbeat: Overview 

www.elastic.co 20 There’s more to apps than packets Packetbeat   Listens  to  the  “beat”  of   the  network  packets. Topbeat   Listens  to  the  “beat”  of   the  operating  system   metrics. Image  credits:   https://www.flickr.com/photos/7147684@N03/921738874/   https://www.flickr.com/photos/bigdrumthump/3223280727   https://www.flickr.com/photos/jadeashleyphotography/6584949945/   https://www.flickr.com/photos/mitosettembremusica/2839965900/   Filebeat   Listens  to  the  “beat”  of   logs. Metricsbeat   Listens  to  the  internal   “beat”  of  systems  via   APIs. 

www.elastic.co 21 Topbeat • Like the Unix top command but sending the data periodically to Elasticsearch • Works also on Windows 

www.elastic.co 22 Topbeat system wide and per process stats CPU  “steal”  time Total  /  used  /  free   memory CPU  stats Per  process  stats CPU  time     consumed Process  pid,  name,   parent  pid,  etc. Memory  used 

www.elastic.co 23 Topbeat output objects File  system  stats Mount  point Device  name Total,  used,  free   disk  space 

www.elastic.co 24 Filebeat • A “Beat” based on the Logstash-Forwarder source code • Do one thing well: • Send log files to Logstash & Elasticsearch • Light on consumed resources • Easy to deploy on multiple platforms 

www.elastic.co 25 Filebeat JSON output The  log  message The  timestamp The  log  level 

www.elastic.co 26 Beats have libbeat in common • Go library • Provides common things for all Beats: • logging, service handling, configuration file handling, CLI flags • Outputs and filters Dev  guide  for  creating  a  new  Beat:  https://www.elastic.co/guide/en/beats/libbeat/current/index.html 

www.elastic.co 27 Deployment: directly to ES • Option 1: Insert directly into Elasticsearch via the bulk API • Security can be provided via Shield and HTTPs 

www.elastic.co 28 Deployment: Send to Logstash • Option 2: Insert via Logstash • Uses the Lumberjack protocol which offers security • Gives the opportunity of enriching or modifying the data 

www.elastic.co 29 Getting insights from the data • Elasticsearch aggregations • Split the data into buckets • Apply a function over the data • Freely combine them by nesting • Work with multiple shards Image  credit:  https://www.flickr.com/photos/sheeprus/4551642374/ 

www.elastic.co 30 Date histogram •Splits data in buckets of time 

www.elastic.co 31 Date histogram response 

www.elastic.co 32 Percentiles aggregation 95th percentile value means that 95% of the values are smaller than it 

www.elastic.co 33 Percentile aggregation response 

www.elastic.co 34 Percentile aggregation •Approximate values •T-digests algorithm by Ted Dunning •Accurate for small sets of values •More accurate for extreme percentiles 

www.elastic.co 35 Date histogram nested with percentiles 

www.elastic.co 36 Date_time + percentiles response 

www.elastic.co 37 Result 

www.elastic.co 38 Histogram by response time • Splits data in buckets by response time • [0-10ms), [10ms-20ms), … 

www.elastic.co 39 Latency histogram 

www.elastic.co 40 Add a date histogram 

www.elastic.co 41 Response times repartition 

www.elastic.co 42 Kibana config 

www.elastic.co 43 Slowest RPC methods •Combines terms and percentiles aggregations 

www.elastic.co 44 Terms aggregation • Buckets are dynamically built: one per unique value • By default: top 10 by document count • Approximate because each shard can have a different 

www.elastic.co 45 Order by 99th percentile 

www.elastic.co 46 • New in Elasticsearch 2.0 (currently in beta) • Work on the results of other aggregations Pipeline aggregations 

www.elastic.co 47 Derivative aggregation • Metric constantly growing • Take first order derivate to see the speed of growth 

www.elastic.co 48 Simple moving average • [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] • with a window size of 5: • (1 + 2 + 3 + 4 + 5) / 5 = 3 • (2 + 3 + 4 + 5 + 6) / 5 = 4 • (3 + 4 + 5 + 6 + 7) / 5 = 5 • etc. 

www.elastic.co 49 Exponentially weighted moving average • Older values become exponentially less important 

www.elastic.co 50 Moving average - dynamic thresholds • yellow - measured values • purple - moving average (ewma) • green - threshold, mean + (3 * standard deviation) 

www.elastic.co 51 Request Extended  stats  agg  for   mean  and  std   deviation Moving  averages   aggs  for  mean  and   std Bucket  script  agg Details:  https://www.elastic.co/blog/staying-­‐in-­‐control-­‐with-­‐moving-­‐averages-­‐part-­‐1 

www.elastic.co 52 Cyclic trends - anomalies • EWMA lags behind too much • The values constantly hit the threshold 

www.elastic.co 53 Cyclic trends - anomalies • Holt-Winters (triple exponential) model works better for seasonal data • Requires two periods to bootstrap the algorithm 

www.elastic.co 54 Thanks • Live demo: http://demo.elastic.co/packetbeat/ • Twitter: @tudor_g • Come by the booth, we have stickers!