Skip to main content

Sumo Logic App for Elasticsearch

Thumbnail icon

The Elasticsearch app is a unified logs and metrics app that helps you monitor the availability, performance, health, and resource utilization of your Elasticsearch clusters. Preconfigured dashboards provide insight into cluster health, resource utilization, sharding, garbage collection, and search, index, and cache performance.

Sample Log Messages

{
    "type":"server",
    "timestamp":"2021-07-12T05:12:07,101+0000",
    "level":"WARN",
    "component":"o.e.c.NodeConnectionsService",
    "cluster.name":"elasticsearch",
    "node.name":"elasticsearch-master-0",
    "cluster.uuid":"pQ372ZkIQiaHkSVp6hlxZw",
    "node.id":"7PdqQlHYRjqbzClkTeoVdA",
    "message":"failed to connect to {elasticsearch-master-1}{OfUoMAwoRoKr2sAlYAYuEA}{RnYfI0DUT9uqtF4h5aVDQg}{10.42.1.143}{10.42.1.143:9300}{dim}{ml.machine_memory=2147483648, ml.max_open_jobs=20, xpack.installed=true} (tried [1] times)"
}

Collecting Logs and Metrics for the Elasticsearch app

Configuring log and metric collection for the Elasticsearch App includes the following tasks.

Step 1: Configure Fields in Sumo Logic

Create the following Fields in Sumo Logic before configuring the collection. This ensures that your logs and metrics are tagged with relevant metadata required by the app dashboards. For information on setting up fields, see Sumo Logic Fields.

If you're using Elasticsearch in a Kubernetes environment, create the fields:

  • pod_labels_component
  • pod_labels_environment
  • pod_labels_db_system
  • pod_labels_db_cluster

Step 2: Configure Collection for Elasticsearch

In Kubernetes environments, we use the Telegraf Operator, which is packaged with our Kubernetes collection. You can learn more about it here. The diagram below illustrates how data is collected from Elasticsearch in a Kubernetes environment. Four services in the architecture shown below make up the metric collection pipeline: Telegraf, Prometheus, Fluentd, and FluentBit.
elasticsearch

The first service in the pipeline is Telegraf. Telegraf collects metrics from Elasticsearch. Note that we’re running Telegraf in each pod we want to collect metrics from as a sidecar deployment, for example, Telegraf runs in the same pod as the containers it monitors. Telegraf uses the Elasticsearch input plugin to obtain metrics. For simplicity, the diagram doesn’t show the input plugins. The injection of the Telegraf sidecar container is done by the Telegraf Operator. We also have Fluentbit that collects logs written to standard out and forwards them to FluentD, which in turn sends all the logs and metrics data to a Sumo Logic HTTP Source.

Follow the below instructions to set up the logs and metric collection:

prerequisites

It’s assumed that you are using the latest helm chart version. If not, upgrade using the instructions here.

Configure Logs Collection

This section explains the steps to collect Elasticsearch logs from a Kubernetes environment.

  1. (Recommended Method) Add labels on your Elasticsearch pods to capture logs from standard output on Kubernetes.

    1. Apply the following labels to the Elasticsearch pods:
      environment: "dev_CHANGE_ME"
      component: "database"
      db_system: "elasticsearch"
      db_cluster: "elasticsearch_on_k8s_CHANGE_ME"
      db_cluster_address = `ENV_TO_BE_CHANGED`
      db_cluster_port = `ENV_TO_BE_CHANGED`
    2. Enter in values for the following parameters (marked ENV_TO_BE_CHANGED above):

    • environment - This is the deployment environment where the Elasticsearch cluster identified by the value of servers resides. For example dev, prod, or QA. While this value is optional we highly recommend setting it.

    • db_cluster - Enter a name to identify this Elasticsearch cluster. This cluster name will be shown in the Sumo Logic dashboards.

    • db_cluster_address - Enter the cluster hostname or ip address that is used by the application to connect to the database. It could also be the load balancer or proxy endpoint.

    • db_cluster_port - Enter the database port. If not provided, a default port will be used.

      note

      db_cluster_address and db_cluster_port should reflect the exact configuration of DB client configuration in your application, especially if you instrument it with OT tracing. The values of these fields should match exactly the connection string used by the database client (reported as values for net.peer.name and net.peer.port metadata fields). For example, if your application uses “elasticsearch-prod.sumologic.com:3306” as the connection string, the field values should be set as follows: db_cluster_address=elasticsearch-prod.sumologic.com db_cluster_port=3306. If your application connects directly to a given elasticsearch node, rather than the whole cluster, use the application connection string to override the value of the “host” field in the Telegraf configuration: host=elasticsearch-prod.sumologic.com. Pivoting to Tracing data from Entity Inspector is possible only for “Elasticsearch address” Entities.

    • Do not modify the following values as they will cause the Sumo Logic apps to not function correctly.

      • component: “database” - This value is used by Sumo Logic apps to identify application components.
      • db_system: “elasticsearch”- This value identifies the database system.

    • See this doc for more parameters that can be configured in the Telegraf agent globally.

    1. The Sumologic-Kubernetes-Collection will automatically capture the logs from stdout and will send the logs to Sumologic. For more information on deploying Sumologic-Kubernetes-Collection, visit here.
    2. Verify logs in Sumo Logic.

  2. (Optional) Collecting Elasticsearch Logs from a Log File. Follow the steps below to capture Elasticsearch logs from a log file on Kubernetes.

    1. Determine the location of the Elasticsearch log file on Kubernetes. This can be determined from the log4j.properties for your Elasticsearch cluster along with the mounts on the Elasticsearch pods.
    2. Install the Sumo Logic tailing sidecar operator.
    3. Add the following annotation in addition to the existing annotations.
      annotations:
         tailing-sidecar: sidecarconfig;<mount>:<path_of_Elasticsearch_log_file>/<Elasticsearch_log_file_name>
      Example:
      annotations:
        tailing-sidecar: sidecarconfig;data:/usr/share/elasticsearch/logs/gc.log
    4. Make sure that the Elasticsearch pods are running and annotations are applied by using the command:
      kubectl describe pod <Elasticsearch_pod_name>
    5. Sumo Logic Kubernetes collection will automatically start collecting logs from the pods having the annotations defined above.
    6. Verify logs in Sumo Logic.

  3. Add a FER to normalize the fields in Kubernetes environments. This step is not needed if using application components solution terraform script. Labels created in Kubernetes environments automatically are prefixed with pod_labels. To normalize these for our app to work, we need to create a Field Extraction Rule if not already created for Database Application Components. To do so:

    1. Go to Manage Data > Logs > Field Extraction Rules.
    2. Click the + Add button on the top right of the table.
    3. The Add Field Extraction Rule form will appear:
    4. Enter the following options:
    • Rule Name. Enter the name as App Observability - Database.
    • Applied At. Choose Ingest Time
    • Scope. Select Specific Data
    • Scope: Enter the following keyword search expression: 
      pod_labels_environment=* pod_labels_component=database pod_labels_db_system=* pod_labels_db_cluster=*
    • Parse Expression.Enter the following parse expression:
    if (!isEmpty(pod_labels_environment), pod_labels_environment, "") as environment
        | pod_labels_component as component
        | pod_labels_db_system as db_system
        | if (!isEmpty(pod_labels_db_cluster), pod_labels_db_cluster, null) as db_cluster
    1. Click Save to create the rule.

Configure Metrics Collection

This section explains the steps to collect Elasticsearch metrics from a Kubernetes environment, where we use the Telegraf Operator, which is packaged with our Kubernetes collection. You can learn more about this here. Follow the steps listed below to collect metrics from a Kubernetes environment:

  1. Set up Kubernetes Collection with the Telegraf Operator.
  2. On your Elasticsearch Pods, add the following annotations:
 annotations:
    telegraf.influxdata.com/class: sumologic-prometheus
    prometheus.io/scrape: "true"
    prometheus.io/port: "9273"
    telegraf.influxdata.com/inputs: |+

  servers = ["http://<USER_CHANGE_ME>:<PASS_CHANGE_ME>@localhost:9200"]
  http_timeout = "5s"
  local = true
  cluster_health = true
  cluster_stats = true
  cluster_stats_only_from_master = false
  indices_include = ["_all"]
  indices_level = "cluster"
  [inputs.elasticsearch.tags]
     environment: "ENV_TO_BE_CHANGED"
     component: "database"
     db_system: "elasticsearch"
     db_cluster: "ENV_TO_BE_CHANGED"
     db_cluster_address = `ENV_TO_BE_CHANGED`
     db_cluster_port = `ENV_TO_BE_CHANGED`

  1. Enter in values for the following parameters (marked ENV_TO_BE_CHANGED above):

    • telegraf.influxdata.com/inputs - This contains the required configuration for the Telegraf Elasticsearch Input plugin. Please refer to this doc for more information on configuring the Elasticsearch input plugin for Telegraf. Note: As telegraf will be run as a sidecar the host should always be localhost.

    • In the input plugins section, that is [[inputs.elasticsearch]]:

      • servers - The URL to the Elasticsearch server. This can be a comma-separated list to connect to multiple Elasticsearch servers. Please see this doc for more information on additional parameters for configuring the Elasticsearch input plugin for Telegraf.

    • In the tags section, which is [inputs.elasticsearch]

      • environment - This is the deployment environment where the Elasticsearch cluster identified by the value of servers resides. For example dev, prod, or QA. While this value is optional we highly recommend setting it.
      • db_cluster - Enter a name to identify this Elasticsearch cluster. This cluster name will be shown in the Sumo Logic dashboards.
      • db_cluster_address - Enter the cluster hostname or ip address that is used by the application to connect to the database. It could also be the load balancer or proxy endpoint.
      • db_cluster_port - Enter the database port. If not provided, a default port will be used.
      note

      db_cluster_address and db_cluster_port should reflect exact configuration of DB client configuration in your application, especially if you instrument it with OT tracing. The values of these fields should match exactly the connection string used by the database client (reported as values for net.peer.name and net.peer.port metadata fields).

      For example, if your application uses “elasticsearch-prod.sumologic.com:3306” as the connection string, the field values should be set as follows: db_cluster_address=elasticsearch-prod.sumologic.com db_cluster_port=3306

      If your application connects directly to a given elasticsearch node, rather than the whole cluster, use the application connection string to override the value of the “host” field in the Telegraf configuration: host=elasticsearch-prod.sumologic.com

      Pivoting to Tracing data from Entity Inspector is possible only for “Elasticsearch address” Entities.

    • Here’s an explanation for additional values set by this configuration that we request you do not modify as they will cause the Sumo Logic apps to not function correctly.

      • telegraf.influxdata.com/class: sumologic-prometheus - This instructs the Telegraf operator what output to use. This should not be changed.
      • prometheus.io/scrape: "true" - This ensures our Prometheus will scrape the metrics.
      • prometheus.io/port: "9273" - This tells prometheus what ports to scrape on. This should not be changed.
      • telegraf.influxdata.com/inputs
      • In the tags section [inputs.elasticsearch.tags]
        • component: “database” - This value is used by Sumo Logic apps to identify application components.
        • db_system: “elasticsearch” - This value identifies the database system.
      • See this doc for more parameters that can be configured in the Telegraf agent globally.

  2. Sumo Logic Kubernetes collection will automatically start collecting metrics from the pods having the labels and annotations defined in the previous step.

  3. Verify metrics in Sumo Logic.

Installing Elasticsearch Monitors

Sumo Logic has provided pre-packaged alerts available through Sumo Logic monitors to help you proactively determine if an Elasticsearch cluster is available and performing as expected. These monitors are based on metric and log data and include pre-set thresholds that reflect industry best practices and recommendations. For more information about individual alerts, see Elasticsearch Alerts.

To install these monitors, you must have the Manage Monitors role capability. You can install monitors by importing a JSON file or using a Terraform script. There are limits to how many alerts can be enabled. For more information, see Monitors for details.

Method 1: Importing a JSON file

  1. Download the JSON file that describes the monitors.
  2. The JSON contains the alerts that are based on Sumo Logic searches that do not have any scope filters, and therefore will be applicable to all Elasticsearch clusters, the data for which has been collected via the instructions in the previous sections. However, if you would like to restrict these alerts to specific clusters or environments, update the JSON file by replacing the text db_cluster=* with <Your Custom Filter>. Custom filter examples:
    • For alerts applicable only to a specific cluster, your custom filter would be: db_cluster=dev-elasticsearch-01
    • For alerts applicable to all clusters that start with elasticsearch-prod, your custom filter would be: db_cluster=elasticsearch-prod*
    • For alerts applicable to a specific clusters, within a production environment, your custom filter would be: db_cluster=dev-elasticsearch-01 AND environment=prod. This assumes you have set the optional environment tag while configuring collection.
  3. Go to Manage Data > Alerts > Monitors.
  4. Click Add.
  5. Click Import.
  6. On the Import Content popup, enter Elasticsearch in the Name field, paste in the JSON into the popup, and click Import.
  7. The monitors are created in a Elasticsearch folder. The monitors are disabled by default. See the Monitors topic for information about enabling monitors and configuring notifications or connections.

Method 2: Using a Terraform script

  1. Generate a Sumo Logic access key and ID for a user that has the Manage Monitors role capability. For instructions see Access Keys.

  2. Download Terraform 0.13 or later, and install it.

  3. Download the Sumo Logic Terraform package for Elasticsearch monitors. The alerts package is available in the Sumo Logic github repository. You can either download it using the git clone command or as a zip file.

  4. Alert Configuration. After extracting the package, navigate to the terraform-sumologic-sumo-logic-monitor/monitor_packages/Elasticsearch/ directory.

    • Edit the Elasticsearch.auto.tfvars file and add the Sumo Logic Access Key and Access ID from Step 1 and your Sumo Logic deployment. If you're not sure of your deployment, see Sumo Logic Endpoints and Firewall Security.
      access_id   = "<SUMOLOGIC ACCESS ID>"
      access_key  = "<SUMOLOGIC ACCESS KEY>"
      environment = "<SUMOLOGIC DEPLOYMENT>"
    • The Terraform script installs the alerts without any scope filters. If you would like to restrict the alerts to specific clusters or environments, update the elasticsearch_data_source variable. For example:
      • To configure alerts for a specific cluster, set elasticsearch_data_source to something like db_cluster=elasticsearch.prod.01
      • To configure alerts for all clusters in an environment, set elasticsearch_data_source to something like environment=prod
      • To configure alerts for multiple clusters using a wildcard, set elasticsearch_data_source to something like db_cluster=elasticsearch-prod*
      • To configure alerts for a specific clusters within a specific environment, set elasticsearch_data_source to something like db_cluster=elasticsearch-1 and environment=prod. This assumes you have configured and applied Fields as described in Configure Sumo Logic Fields.

    All monitors are disabled by default on installation. To enable all of the monitors, set the monitors_disabled parameter to false. By default, the monitors will be located in a "Elasticsearch" folder on the Monitors page. To change the name of the folder, update the monitor folder name in the folder variable in the Elasticsearch.auto.tfvars file.

  5. If you want your alerts to send email or connection notifications, edit the Elasticsearch_notifications.auto.tfvars file to populate the connection_notifications and email_notifications sections. Examples are provided below. In the variable definition below, replace <CONNECTION_ID> with the connection ID of the Webhook connection. You can obtain the Webhook connection ID by calling the Monitors API.

Pagerduty connection example
connection_notifications = [
    {
      connection_type       = "PagerDuty",
      connection_id         = "<CONNECTION_ID>",
      payload_override      = "{\"service_key\": \"your_pagerduty_api_integration_key\",\"event_type\": \"trigger\",\"description\": \"Alert: Triggered {{TriggerType}} for Monitor {{Name}}\",\"client\": \"Sumo Logic\",\"client_url\": \"{{QueryUrl}}\"}",
      run_for_trigger_types = ["Critical", "ResolvedCritical"]
    },
    {
      connection_type       = "Webhook",
      connection_id         = "<CONNECTION_ID>",
      payload_override      = "",
      run_for_trigger_types = ["Critical", "ResolvedCritical"]
    }
  ]

For information about overriding the payload for different connection types, see Set Up Webhook Connections.

Email notifications example
email_notifications = [
    {
      connection_type       = "Email",
      recipients            = ["abc@example.com"],
      subject               = "Monitor Alert: {{TriggerType}} on {{Name}}",
      time_zone             = "PST",
      message_body          = "Triggered {{TriggerType}} Alert on {{Name}}: {{QueryURL}}",
      run_for_trigger_types = ["Critical", "ResolvedCritical"]
    }
  ]
  1. Installation.
    1. Navigate to the terraform-sumologic-sumo-logic-monitor/monitor_packages/Elasticsearch/ directory and run terraform init. This will initialize Terraform and download the required components.
    2. Run terraform plan to view the monitors that Terraform will create or modify.
    3. Run terraform apply.

Installing Elasticsearch App

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. From the App Catalog, search for and select the app.
  2. Select the version of the service you're using and click Add to Library. Version selection is applicable only to a few apps currently. For more information, see the Install the Apps from the Library.
  3. To install the app, complete the following fields.
    1. App Name. You can retain the existing name, or enter a name of your choice for the app.

    2. Data Source. Select either of these options for the data source.

      • Choose Source Category, and select a source category from the list.

      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).

    3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
  4. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.

Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.

Viewing Elasticsearch Dashboards

Filter with template variables

Template variables provide dynamic dashboards that can rescope data on the fly. As you apply variables to troubleshoot through your dashboard, you view dynamic changes to the data for a quicker resolution to the root cause. You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.

Overview

The Elasticsearch - Overview dashboard provides the health of Elasticsearch clusters, shards analysis, resource utilization of Elasticsearch host & clusters, search and indexing performance.

elasticsearch dashboards

Total Operations Stats

The Elasticsearch - Total Operations stats dashboard provides information on the operations of the Elasticsearch system.

elasticsearch dashboards

Thread Pool

The Elasticsearch- Thread Pool dashboard analyzes thread pools operations to manage memory consumption of nodes in the cluster.

elasticsearch dashboards

Resource

The Elasticsearch - Resource dashboard monitors JVM Memory, Network, Disk, Network and CPU of Elasticsearch node.

elasticsearch dashboards

Performance Stats

The Elasticsearch - Performance Stats dashboard performance statistics such as latency and Translog operations and size.

elasticsearch dashboards

Indices

The Elasticsearch - Indices dashboard monitors Index operations, size and latency. It also provides analytics on doc values, fields, fixed bitsets, and terms memory.

elasticsearch dashboards

Documents

The Elasticsearch - Documents dashboard provides analytics and monitoring on Elasticsearch documents.

elasticsearch dashboards

Caches

The Elasticsearch - Caches dashboard allows you to monitor query cache size, evictions and field data memory size.

elasticsearch dashboards

Errors And Warnings

The ElasticSearch - Errors And Warnings dashboard shows errors and warnings by Elasticsearch components.

elasticsearch dashboards

Garbage Collection

36

The Elasticsearch - Garbage Collector dashboard provides information on the garbage collection of the Java Virtual Machine.

elasticsearch dashboards

Login And Connections

38

The ElasticSearch - Login And Connections dashboard shows geo location of client connection requests, failed connection logins and count of failed login attempts

elasticsearch dashboards

Operations

The Elasticsearch - Operations dashboard allows you to monitor server stats and events such as node up/down, index creation/deletion. It also provides disk usage and cluster health status.

elasticsearch dashboards

Queries

The ElasticSearch - Queries dashboard shows Elasticsearch provides analytics on slow queries, and query shards.

elasticsearch dashboards

Elasticsearch Alerts

Sumo Logic has provided out-of-the-box alerts available via Sumo Logic monitors to help you quickly determine if the Elasticsearch database cluster is available and performing as expected.

Alert Type (Metrics/Logs)Alert NameAlert DescriptionTrigger Type (Critical / Warning)Alert ConditionRecover Condition
MetricsElasticsearch - Cluster RedThis alert fires when Elasticsearch Cluster status is REDCritical> =3 <3
MetricsElasticsearch - Cluster YellowThis alert fires when Elasticsearch Cluster status is YELLOWWarning> =2 <2
MetricsElasticsearch - Disk Out of SpaceThis alert fires when the disk usage is over 90%Critical >90< =90
MetricsElasticsearch - Disk Space LowThis alert fires when the disk usage is over 80%Warning >80< = 80
MetricsElasticsearch - Healthy Data NodesThis alert fires when there missing data node in Elasticsearch clusterCritical <3> =3
MetricsElasticsearch - Healthy NodesThis alert fires when there is missing node in Elasticsearch clusterCritical <3> =3
MetricsElasticsearch - Heap Usage Too HighThis alert fires when the heap usage is over 90%Critical >90< =90
MetricsElasticsearch - Heap Usage WarningThis alert fires when the heap usage is over 80%Warning >80< =80
MetricsElasticsearch - Initializing Shards Too LongThis alert fires when elasticsearch has been initializing shards for 5 minWarning >0< =0
MetricsElasticsearch - Pending TasksThis alert fires when elasticsearch has pending tasks.Warning >0< =0
MetricsElasticsearch - Relocating Shards Too LongThis alert fires when elasticsearch has been relocating shards for 5minWarning >0< =0
MetricsElasticsearch - Unassigned ShardsThis alert fires when Elasticsearch has unassigned shardsCritical >0< =0
LogsElasticsearch - Query Time Too SlowThis alert fires when queries are slow to executeCritical >0< =0
LogsElasticsearch - Query Time SlowThis alert fires when query time is greater than 5 msWarning >0< =0
LogsElasticsearch - Too Many Slow QueryThis alert fires when there aret oo Many Slow Query in 5 minutesWarning >100< =100
LogsElasticsearch - Error Log Too ManyError Log Too ManyCritical >1000< =1000
Sumo Logic YouTubeSumo Logic Twitter
Legal
Privacy Statement
Terms of Use

Copyright © 2022 by Sumo Logic, Inc.