1
00:00:00,370 --> 00:00:06,580
OK, so now let's set up Metricbeat and connect it to our Elasticsearch server and Grafana. To

2
00:00:06,580 --> 00:00:09,370
set it up follows a very similar process to Filebeat.

3
00:00:09,400 --> 00:00:16,120
Metricbeat is better at reading metrics, such as the CPU, memory, disk, etc., whereas Filebeat

4
00:00:16,120 --> 00:00:21,190
is good for reading log files such as systemd, your web server or anything like that.

5
00:00:21,250 --> 00:00:27,140
Okay, so I'm going to install Metricbeat on my Windows server. You could install Metricbeat

6
00:00:27,160 --> 00:00:29,590
across multiple Windows servers if you wanted.

7
00:00:29,600 --> 00:00:31,720
I'll do one just to show you the steps.

8
00:00:32,229 --> 00:00:38,890
This is my documentation, so I'm going to download Metricbeat from this website down here, the Metricbeat

9
00:00:38,900 --> 00:00:40,420
ElasticSearch website.

10
00:00:40,570 --> 00:00:43,990
I'm going to download the Windows Zip 64 bit.

11
00:00:43,990 --> 00:00:48,760
I find this the easiest to use because if you use the MSI, you have to manage permissions when

12
00:00:48,760 --> 00:00:50,260
you're updating the configuration file.

13
00:00:50,260 --> 00:00:53,500
So I can use that one, I just download that to my computer.

14
00:00:55,720 --> 00:00:57,250
Oh, open.

15
00:00:58,180 --> 00:01:04,720
And now extract that to a folder somewhere on my computer. I'm going to put it on the D drive.

16
00:01:05,700 --> 00:01:08,040
And open when it's finished.

17
00:01:09,950 --> 00:01:13,250
Very good, close to that in that right.

18
00:01:13,340 --> 00:01:16,700
So open up the folder, and it comes with a metricbeat.yml.

19
00:01:16,700 --> 00:01:17,740
We edit that file.

20
00:01:18,140 --> 00:01:25,310
It has a modules.d folder showing which modules are available, and whether they're disabled or not.

21
00:01:25,310 --> 00:01:29,810
You can see in Metricbeat, the system module is enabled by default.

22
00:01:29,960 --> 00:01:30,490
Here we go.

23
00:01:30,530 --> 00:01:32,090
And we can do that.

24
00:01:32,790 --> 00:01:35,510
I'm using VS Code, so this is what it looks like.

25
00:01:35,510 --> 00:01:40,830
And I put CPU, memory, network, process statistics; you can edit it if you want.

26
00:01:40,850 --> 00:01:46,800
Anyway, so to manage Metricbeat on Windows, PowerShell is the best to use.

27
00:01:46,820 --> 00:01:54,050
So let's open up PowerShell as administrator. PowerShell, run as administrator.

28
00:01:54,170 --> 00:01:55,000
Very good.

29
00:01:56,510 --> 00:02:06,560
OK, let's look at the folder, D, Metricbeat, ls, and there we go, there are the files. So to see what

30
00:02:06,860 --> 00:02:10,940
modules we have, we can type metricbeat modules list.

31
00:02:14,250 --> 00:02:21,430
And it has listed all the modules. It's like Filebeat, and you can see system is enabled by default.

32
00:02:22,320 --> 00:02:30,350
I also want to enable the windows module, which is the third one. Copy that: enable windows.

33
00:02:31,050 --> 00:02:33,000
OK, so we can check that list again.

34
00:02:33,810 --> 00:02:40,650
And if I scroll up, enabled: system and windows. You can always disable them later on if you want to.

35
00:02:40,830 --> 00:02:44,490
OK, so let's look at the metricbeat.yml.

36
00:02:45,900 --> 00:02:53,990
That's the Metricbeat configuration, so similar; it looks in the modules.d folder for YAML files.

37
00:02:55,520 --> 00:02:58,550
I'm not using Kibana so I can get rid of that.

38
00:02:59,680 --> 00:03:02,470
I don't need to put in my Elasticsearch IP.

39
00:03:03,790 --> 00:03:05,110
Which is that?

40
00:03:06,680 --> 00:03:10,000
For this one, I'm not using cloud, Docker or Kubernetes.

41
00:03:10,250 --> 00:03:11,840
I'm just going to comment those out.

42
00:03:12,060 --> 00:03:17,570
I will use this because the dashboard I will use at the end of the video will use some properties from

43
00:03:17,570 --> 00:03:17,850
here.

44
00:03:17,870 --> 00:03:21,200
So that's good: processors, add_host_metadata.

45
00:03:22,500 --> 00:03:24,060
And that is good.

46
00:03:24,900 --> 00:03:25,480
Save.

47
00:03:25,990 --> 00:03:32,510
Very good. Now to install the service on Windows, we can use this PowerShell command: no profile,

48
00:03:32,520 --> 00:03:39,720
execution policy bypass, and file. I'll copy that. We'll be running this file here in PowerShell.

49
00:03:39,960 --> 00:03:42,880
And so paste, that's the whole command there.

50
00:03:42,930 --> 00:03:45,280
And so that's installed.

51
00:03:45,480 --> 00:03:49,560
We'll look at Task Manager, Services, and find Metricbeat.

52
00:03:49,680 --> 00:03:52,500
There we go, there's Metricbeat there and it is currently stopped.

53
00:03:52,650 --> 00:03:55,380
What we can do is start it if we want to.

54
00:03:55,470 --> 00:04:00,210
But in my case, I'm not going to get any data arriving at my Elasticsearch server because my Metricbeat

55
00:04:00,210 --> 00:04:03,190
service running on my Windows is on a different network to my Elasticsearch server.

56
00:04:03,330 --> 00:04:06,190
I need to whitelist the IP on my Elasticsearch server.

57
00:04:06,240 --> 00:04:11,850
So basically I need to know my IP address from the perspective of the Elasticsearch server, which is on the Internet.

58
00:04:11,860 --> 00:04:14,340
So the way to find that is to type

59
00:04:14,520 --> 00:04:16,769
What is my IP?

60
00:04:19,370 --> 00:04:28,070
And there we go. So if I go on to my Elasticsearch server and iptables -L, I need to insert a new

61
00:04:28,070 --> 00:04:29,690
rule for that IP address.

62
00:04:30,070 --> 00:04:35,000
OK, so the IP address was that. Excellent.

63
00:04:35,010 --> 00:04:36,560
So iptables.

64
00:04:36,570 --> 00:04:37,700
Well, there we go.

65
00:04:37,820 --> 00:04:40,520
Number four is now accepting from.

66
00:04:41,600 --> 00:04:46,840
Very good, that's been added, number four there, like I said. Now that the Metricbeat service on my

67
00:04:46,850 --> 00:04:49,370
windows is pushing data to the elasticsearch server.

68
00:04:49,400 --> 00:04:54,370
I need to figure out what is the name of the index that Metricbeat is using by default.

69
00:04:54,770 --> 00:05:02,480
I'm on my Elasticsearch server and I should look at the indices, and there is a new one called metricbeat

70
00:05:02,480 --> 00:05:03,380
7.10

71
00:05:03,380 --> 00:05:08,630
with the date. I will be getting a new data source for the Metricbeat index here.

72
00:05:08,660 --> 00:05:09,790
So open Grafana.

73
00:05:09,920 --> 00:05:11,420
I like data sources.

74
00:05:11,600 --> 00:05:13,040
I'm going to copy that.

75
00:05:13,190 --> 00:05:14,730
URL there, though.

76
00:05:14,780 --> 00:05:23,240
Data sources, Add data source, Elasticsearch, that's the URL and I'm going to call it Metricbeat.

77
00:05:24,520 --> 00:05:28,960
OK, go down index name was something like that.

78
00:05:30,500 --> 00:05:37,250
And use 7.10.*, for example. Timestamp is already correct; Metricbeat will create a

79
00:05:37,250 --> 00:05:40,790
timestamp field. Version is seven plus.

80
00:05:41,860 --> 00:05:44,690
Save and test. Very good, data source updated.

81
00:05:45,610 --> 00:05:52,920
So let's go to explore and select that, and I can see there is some data.

82
00:05:53,470 --> 00:05:53,900
Excellent.

83
00:05:54,730 --> 00:05:57,400
Raw data. There's quite a lot of.

84
00:05:59,560 --> 00:06:03,060
It's from a Windows machine, that's the hostname there.

85
00:06:03,300 --> 00:06:09,280
OK, straight away I'm going to get a dashboard from the community, the dashboard to manage.

86
00:06:09,520 --> 00:06:16,330
And let's open up the Grafana website, dashboards, and type in Metricbeat.

87
00:06:17,490 --> 00:06:21,510
So this is the one that I'll use, ID one one five, six, seven.

88
00:06:21,540 --> 00:06:22,380
Now, this is not up to date.

89
00:06:22,410 --> 00:06:26,630
This is very typical working with Grafana and all the different components you have to bring together.

90
00:06:26,640 --> 00:06:28,650
There'll be various things that are not up to date.

91
00:06:28,650 --> 00:06:33,960
So I'll install this anyway and go through the process of updating it so you can see how you might want

92
00:06:33,960 --> 00:06:34,440
to do that.

93
00:06:34,620 --> 00:06:40,070
You can see here this was written for Grafana version six and Elasticsearch five, six, eight.

94
00:06:40,080 --> 00:06:43,200
So it's quite a few versions ago anyway.

95
00:06:43,380 --> 00:06:51,990
OK, so going into Grafana, Manage dashboards, Import, that ID, Load, and select the new Metricbeat

96
00:06:52,110 --> 00:06:53,760
datasource the default.

97
00:06:53,880 --> 00:06:56,190
That's all very good. Press Import.

98
00:06:56,190 --> 00:06:58,290
And straight away we see no data.

99
00:06:58,320 --> 00:07:00,270
Plus there's a missing plugin.

100
00:07:01,550 --> 00:07:08,390
I will solve the missing plugin with the pie chart first. I'm going to use the pie chart from here.

101
00:07:08,810 --> 00:07:09,650
This is Grafana.

102
00:07:09,650 --> 00:07:14,150
Grafana pie chart says you need to use the CLI to install it.

103
00:07:15,470 --> 00:07:20,480
So, SSH onto your Grafana server and run grafana-cli plugins

104
00:07:20,480 --> 00:07:22,090
install grafana-piechart-panel.

105
00:07:22,190 --> 00:07:22,820
Very good.

106
00:07:22,820 --> 00:07:24,040
Installed successfully.

107
00:07:24,120 --> 00:07:25,940
We now need to restart.

108
00:07:26,060 --> 00:07:26,840
Restart.

109
00:07:27,150 --> 00:07:29,990
OK, so we need to refresh this page.

110
00:07:29,990 --> 00:07:36,040
So refresh, reload and there we go, the error is no longer there but there's still a problem with

111
00:07:36,050 --> 00:07:39,260
the metrics for each of these panels. We'll resolve those.

112
00:07:39,710 --> 00:07:43,140
So if we scroll down, some of the metrics look like they're working.

113
00:07:43,160 --> 00:07:45,560
So this is data coming from my Windows machine.

114
00:07:45,630 --> 00:07:51,080
OK, so it's Metricbeat sending data to the Elasticsearch server and then the Elasticsearch data source,

115
00:07:51,080 --> 00:07:53,780
the new one I just created is pulling that data.

116
00:07:53,810 --> 00:07:55,880
OK, so we're getting some of that information already.

117
00:07:55,910 --> 00:08:02,430
Let's slowly go through these panels and update them with the new changes.

118
00:08:02,450 --> 00:08:06,980
So the first one I want to fix will actually be this one right up at the top.

119
00:08:07,010 --> 00:08:08,450
Hostname says none.

120
00:08:09,230 --> 00:08:16,310
If I go into the settings for this dashboard and press variables, this definition here is what needs

121
00:08:16,310 --> 00:08:17,030
to be updated.

122
00:08:17,060 --> 00:08:23,510
So instead of saying beat.name.keyword, I'm going to call it host.name and just accept that.

123
00:08:23,510 --> 00:08:27,940
And straight away, down the bottom in the preview of values, I now get a new value.

124
00:08:27,950 --> 00:08:30,770
So that looks to me like that's the correct query now.

125
00:08:30,780 --> 00:08:35,620
So update that, I go back into the dashboard and there we go, hostname.

126
00:08:35,630 --> 00:08:37,250
So there's only one hostname.

127
00:08:37,429 --> 00:08:38,919
I've only set up one Metricbeat.

128
00:08:38,929 --> 00:08:43,700
But if you set up lots of Metricbeats all pointing to the Elasticsearch server, I would get a dropdown

129
00:08:43,700 --> 00:08:46,370
and a new value for each Windows machine that you had.

130
00:08:47,030 --> 00:08:47,540
So.

131
00:08:48,560 --> 00:08:54,450
Next one, the first one I want to fix is this bottom one, hard disk used percentage. Edit that.

132
00:08:54,560 --> 00:09:01,430
Now, the problem is usually the names of the metrics that are being polled as versions get updated,

133
00:09:01,430 --> 00:09:07,280
Grafana, plugins, data sources, everything, all the different components, the names of things change.

134
00:09:07,320 --> 00:09:12,920
So this is a common occurrence working out that somebody, somewhere on the journey has changed something

135
00:09:12,920 --> 00:09:13,700
and you need to update it.

136
00:09:13,710 --> 00:09:20,000
So just from experience, I know that system filesystem used percent is already correct, but this group

137
00:09:20,000 --> 00:09:23,030
by terms looks out of date for me.

138
00:09:23,030 --> 00:09:29,570
It's actually no longer that. You can actually just leave off the keyword bit, so system.

139
00:09:30,790 --> 00:09:32,140
Filesystem.

140
00:09:34,290 --> 00:09:40,620
Dot mount_point, that one just there, and there we go, it's now showing me graphs for my C and my

141
00:09:40,620 --> 00:09:40,960
D.

142
00:09:40,980 --> 00:09:44,190
Now I want to see graphs for all my drives.

143
00:09:44,200 --> 00:09:47,110
So that's in this field, it's just using top two.

144
00:09:47,220 --> 00:09:49,680
I'm just going to say no limit, give me all of them.

145
00:09:49,710 --> 00:09:50,250
There we go.

146
00:09:50,280 --> 00:09:50,780
Excellent.

147
00:09:50,790 --> 00:09:51,550
Apply that.

148
00:09:51,570 --> 00:09:54,190
And if I go back to this page, it looks much better.

149
00:09:54,240 --> 00:09:57,030
Now, there are a few other things not working.

150
00:09:57,480 --> 00:10:05,820
The next one looks like this CPU usage to me. Edit that. So system core or two percent.

151
00:10:06,050 --> 00:10:12,270
Now, system dot CPU dot total percent, there we go.

152
00:10:12,390 --> 00:10:13,680
Very good.

153
00:10:14,220 --> 00:10:18,360
And in options it's saying one minus value.

154
00:10:18,370 --> 00:10:21,110
I'm just going to delete that as well. There we go.

155
00:10:21,560 --> 00:10:23,250
I'm just going to apply that for now.

156
00:10:23,580 --> 00:10:25,140
So that looks a little better.

157
00:10:25,200 --> 00:10:27,630
OK, so let's look at this panel now.

158
00:10:27,880 --> 00:10:37,410
CPU, edit, same thing: system CPU total percent. Very good. Save, or apply. Going up.

159
00:10:37,410 --> 00:10:41,310
These were the two pie graphs, the ones going.

160
00:10:41,340 --> 00:10:46,500
First thing I want to look at is the CPU time percent spent by processes.

161
00:10:46,530 --> 00:10:52,290
Edit. So down here, system process CPU total percent, which I think is correct.

162
00:10:52,290 --> 00:10:55,590
I'm just going to say this one should be called process.

163
00:10:56,550 --> 00:10:58,720
It's dead and there we go.

164
00:10:58,860 --> 00:11:07,290
Excellent. Apply that. So we can now get a graph for the most busy processes on my computer over the last

165
00:11:07,320 --> 00:11:08,070
five minutes.

166
00:11:08,250 --> 00:11:08,690
Excellent.

167
00:11:09,450 --> 00:11:10,480
I'll do this one as well.

168
00:11:10,500 --> 00:11:13,170
Service used memory percentage.

169
00:11:13,200 --> 00:11:15,000
Edit. I think it's the same problem.

170
00:11:15,070 --> 00:11:17,520
It should be called process.name.

171
00:11:19,140 --> 00:11:20,670
Yep, very good for that.

172
00:11:21,090 --> 00:11:23,670
So this is the memory used per process.

173
00:11:25,400 --> 00:11:27,840
It's looking pretty good already, lots of information there.

174
00:11:28,410 --> 00:11:37,620
Now let's fix up these pie graphs. CPU of services, edit. I think process.name, and there we

175
00:11:37,620 --> 00:11:38,420
go, we have a pie graph.

176
00:11:38,610 --> 00:11:39,950
Save that or.

177
00:11:40,500 --> 00:11:41,270
Excellent.

178
00:11:41,280 --> 00:11:42,920
And same thing here.

179
00:11:43,650 --> 00:11:45,950
It looks the same process on.

180
00:11:47,160 --> 00:11:50,080
Excellent, and it's showing the top 10. Apply.

181
00:11:50,370 --> 00:11:50,970
Excellent.

182
00:11:51,240 --> 00:11:52,140
It's looking pretty good.

183
00:11:52,560 --> 00:11:53,730
I'm going to save that.

184
00:11:54,970 --> 00:11:55,600
Very good.

185
00:11:55,660 --> 00:11:59,200
And if I go to Settings, JSON Model.

186
00:12:00,440 --> 00:12:04,850
All the JSON sitting in there, I'm going to copy and put it on my documentation for you.

187
00:12:04,970 --> 00:12:10,860
So, example Windows dashboard, here on this Elasticsearch Metricbeat page.

188
00:12:10,880 --> 00:12:14,180
This is the JSON that you can copy and import.

189
00:12:15,860 --> 00:12:18,010
In there, if you want to the.

190
00:12:19,020 --> 00:12:26,010
Copy and paste it and load, if you want to, if you didn't want to do it the manual way like me. Now, my versions

191
00:12:26,040 --> 00:12:29,400
are there five seven, three, two, elasticsearch seven, 10.

192
00:12:29,430 --> 00:12:36,030
So who knows, in one or two versions from now, Grafana or Elasticsearch or the dashboard will have problems

193
00:12:36,030 --> 00:12:37,580
and need to resolve them.

194
00:12:37,590 --> 00:12:42,270
So that's just typical of working with Grafana and really old data sources.

195
00:12:42,450 --> 00:12:43,220
The things change.

196
00:12:43,230 --> 00:12:48,810
There's no warranty or no guarantees of backwards compatibility because there's just so many things

197
00:12:48,810 --> 00:12:49,350
involved.

198
00:12:49,610 --> 00:12:50,440
OK, so very good.

199
00:12:50,460 --> 00:12:54,840
So there's quite a lot to look at there to monitor your computers over time.

200
00:12:54,950 --> 00:12:55,860
Last one hour.

201
00:12:56,040 --> 00:12:57,330
It's only just begun for me.

202
00:12:57,600 --> 00:13:01,650
It's quite an impressive dashboard: Metricbeat, Elasticsearch.

203
00:13:02,070 --> 00:13:02,460
Excellent.

