This plugin aims to monitor queries in Elasticsearch by allowing you to run a raw query on a specific or all indexes, or call a saved filter in Kibana. The data returned will be a count (integer) and will also be graphed accordingly. It's intention is to graph counts (=matches) based on query/filter you define.
This plugin is compatible with Elasticsearch 5.x, Nagios / Naemon.
Python dependencies that are required can be installed as follows:
$ yum install python-docopt python-elasticsearch
or
$ apt install python-docopt python-elasticsearch
Obviously, dependent on what package manager you use.Configure Elasticsearch to bind on all available interfaces (or as specific interface, but that's not covered below):
Edit: /etc/elasticsearch/elasticsearch.yml to read following:
network.host: 0.0.0.0Instead of the default, which is:
# network.host: 192.168.0.1The plugin allows you to fetch logs matching either a query or a filter.
Retrieve a count that matches a query with syntax example:
$ check_elasticsearch.py --host <host> --index <index> --query <query> --warning <warning> --critical <critical>Query example using the query mode:
$ check_elasticsearch.py --host "http://<elasticsearch ip>:9200/" --index "filebeat-*" --query "system_process_id=148" --warning 1 --critical 2Retrieve a count matching a saved Kibana filter with syntax example:
$ check_elasticsearch.py --host <host> --filter <query> --warning <warning> --critical <critical>Filter example using the filter mode:
$ check_elasticsearch.py --host "http://<elasticsearch ip>:9200/" --filter "some_saved_filter_in_kibana" --warning 1 --critical 2$ check_elasticsearch.py --host "http://<elastic ip>:9200" --filter "some_saved_filter_in_kibana" --warning 200 --critical 400
WARNING - Total hits: 264 | hits=264For a list of available arguments, run this plugin with --help:
$ check_elasticsearch.py --help
Usage:
check_elasticsearch.py --host <host> --index <index> --query <query> --warning <warning> --critical <critical>
check_elasticsearch.py --host <host> --filter <query> --warning <warning> --critical <critical>
DEPENDENCIES:
pip install docopt elasticsearch
Arguments:
HOST Endpoint to Elasticsearch, eg. http://<ip>:<port>
INDEX Elastic index to use, eg. rsyslog-* or filebeat-*. Use _all to search all indexes (more resource intensive)
QUERY Raw Elastic/Lucene query, eg. "received_from=10.0.5.2 and program=systemd and host=10.0.5.10 and @timestamp: [now-5h TO now]"
FILTER Name of saved filter in Kibana, its index will be used automatically.
WARNING Threshold as integer. eg. 128
CRITICAL Threshold as integer. eg. 299
Examples:
check_elasticsearch.py --host "http://<elastic ip>:9200/" --index "filebeat-*" --query "system_process_id=148" --warning 1 --critical 2
check_elasticsearch.py --host "http://<elastic ip>:9200/" --filter "some_saved_filter_in_kibana" --warning 1 --critical 2
Thanks goes to these wonderful people: