Elasticsearch Logs Monitoring

Setup & Configuration

The Elasticsearch module is included with the Atatus Infra agent by default, please follow the below steps to enable.

1. Add the following lines in the file /etc/atatus-infra-agent/atatus.yml.

   copy

   logs_enabled: true
   

2. Copy the Elasticsearch example configuration file.

   copy

   cd /etc/atatus-infra-agent/conf.d/elasticsearch.d/
   sudo cp elasticsearch.yml.template elasticsearch.yml
   

3. Update the file /etc/atatus-infra-agent/conf.d/elasticsearch.d/elasticsearch.yml with below configurations.

   copy

   # Log section
   logs:
   
     # - type : (mandatory) type of log input source (audit / deprecation / gc / server / slowlog)
   
     - type: audit
     - type: deprecation
     - type: gc
     - type: server
     - type: slowlog
   

   copy

   # If you have custom elasticsearch log path, you can use below syntax
   
     # - type: (mandatory) type of log input source (audit / deprecation / gc / server / slowlog)
     #   paths: (mandatory) Set paths if type is file
     #   service: (mandatory) name of the service owning the log
     #   source: (mandatory) attribute that defines which integration is sending the log
   
   # Log section
   logs:
      - type: audit
        paths:
           - /var/log/elasticsearch/*_access.log
           - /var/log/elasticsearch/*_audit.log
           - /var/log/elasticsearch/*_audit.json
        source: elasticsearch
        service: elasticsearch
      - type: deprecation
        paths:
           - /var/log/elasticsearch/*_deprecation.log
           - /var/log/elasticsearch/*_deprecation.json
        source: elasticsearch
        service: elasticsearch
      - type: gc
        paths:
           - /var/log/elasticsearch/gc.log.[0-9]*
           - /var/log/elasticsearch/gc.log
        source: elasticsearch
        service: elasticsearch
      - type: server
        paths:
           - /var/log/elasticsearch/*_server.log
           - /var/log/elasticsearch/*_server.json
        source: elasticsearch
        service: elasticsearch
      - type: slowlog
        paths:
           - /var/log/elasticsearch/*_index_search_slowlog.log
           - /var/log/elasticsearch/*_index_indexing_slowlog.log
           - /var/log/elasticsearch/*_index_search_slowlog.json
           - /var/log/elasticsearch/*_index_indexing_slowlog.json
        source: elasticsearch
        service: elasticsearch
   

4. Restart the atatus infrastructure agent.

   copy

   sudo service atatus-infra-agent restart