Ingest logs and metrics with Elastic Agent

This guide describes how to:

  • Monitor logs and infrastructure metrics from systems and services across your organization
  • Monitor Nginx logs and metrics using the Nginx integration

For feedback and questions, please contact us in the discuss forum.

Prerequisites

You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud (recommended), or self-manage the Elastic Stack on your own hardware.

Here’s what you need for each deployment type:

  • Elasticsearch Service deployment that includes an Integrations Server (included by default in every Elasticsearch Service deployment). Our hosted Elasticsearch Service is available on AWS, GCP, and Azure, and you can try it for free.
  • Kibana user with All privileges on Fleet and Integrations. Since many Integrations assets are shared across spaces, users need the Kibana privileges in all spaces.
Step 1: Set up Fleet

Use Fleet in Kibana to get logs, metrics, and security data into the Elastic Stack.

Not using Fleet? Advanced users who want to configure and manage Elastic Agents manually can run agents standalone.

The first time you use Fleet, you might need to set it up and add a Fleet Server:

Elastic Cloud runs a hosted version of Integrations Server that includes Fleet Server. No extra setup is required unless you want to scale your deployment.

To confirm that an Integrations Server is available in your deployment:

  1. In Kibana, go to Management > Fleet.
  2. On the Agents tab, look for the Elastic Cloud agent policy. This policy is managed by Elastic Cloud, and contains a Fleet Server integration and an Elastic APM integration. You cannot modify the policy. Confirm that the agent status is Healthy.

Don’t see the agent? Make sure your deployment includes an Integrations Server instance. This instance is required to use Fleet.

[Screenshot: Hosted Integrations Server]

For more information, refer to Fleet Server.

Step 2: Add the Elastic Agent System integration

Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. A single agent makes it easier and faster to deploy monitoring across your infrastructure. Each agent has a single policy you can update to add integrations for new data sources, security protections, and more.

In this step, add the System integration to monitor host logs and metrics.

  1. Go to the Kibana home page and click Add integrations.

    [Screenshot: Kibana home page]
  2. In the query bar, search for System and select the integration to see more details about it.
  3. Click Add System.
  4. Configure the integration name and optionally add a description. Make sure that Collect logs from System instances and Collect metrics from System instances are turned on.
  5. Expand each configuration section to verify that the settings are correct for your host. For example, if you’re deploying Elastic Agent on macOS hosts, you need to add a new path to the System syslog logs section by clicking Add row and specifying /var/log/system.log.

    [Screenshot: Configuration page for adding log paths to the Elastic Agent System integration]
  6. Click Save and continue. This step takes a minute or two to complete. When it’s done, you’ll have an agent policy that contains a system integration policy for the configuration you just specified.

    [Screenshot: Configuration page for adding the Elastic Agent System integration]
  7. In the popup, click Add Elastic Agent to your hosts to open the Add agent flyout.

    If you accidentally close the popup, go to Fleet > Agents, then click Add agent to access the flyout.

Step 3: Install and run an Elastic Agent on your machine

The Add agent flyout has two options: Enroll in Fleet and Run standalone. The default is to enroll the agents in Fleet, as this reduces the amount of work on the person managing the hosts by providing a centralized management tool in Kibana.

  1. Skip the Select enrollment token step. The enrollment token you need is already selected.

    The enrollment token is specific to the Elastic Agent policy that you just created. When you run the command to enroll the agent in Fleet, you will pass in the enrollment token.

  2. Download, install, and enroll the Elastic Agent on your host by selecting your host operating system and following the Install Elastic Agent on your host step.

    [Screenshot: Add agent flyout in Kibana]

    It takes about a minute for Elastic Agent to enroll in Fleet, download the configuration specified in the policy you just created, and start collecting data.
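
The enrollment step above is one command pasted from the flyout. As an added example that is not part of this guide or of the Elastic Agent project, the following POSIX shell script wraps that command: it refuses a Fleet Server URL that is not `https://`, checks that the enrollment token is a plausible base64 value before it lands on the command line and in the process list, and then polls `elastic-agent status` until the agent reports healthy. It assumes you run it as root from the directory where the agent archive was unpacked and that the flyout gave you the Fleet Server URL and the token for your policy. `elastic-agent install` with `--url`, `--enrollment-token` and `--non-interactive`, and `elastic-agent status`, are the real CLI; the function names and the `DRY_RUN` variable are introduced here.

```shell
#!/bin/sh
# Added example, not part of the Elastic documentation. Wraps the install
# command shown in the Add agent flyout so that both inputs it carries are
# validated before use. Assumptions: the agent tarball is unpacked in the
# current directory and the script runs as root.

# validate_fleet_url URL
# Accept only https:// URLs: the agent pulls its policy (which can carry
# secrets) and ships host data over this connection.
validate_fleet_url() {
  case "$1" in
    https://[!/]*) return 0 ;;
    *) echo "rejected Fleet URL (must be https://host[:port]): $1" >&2; return 1 ;;
  esac
}

# validate_token TOKEN
# Enrollment tokens are base64 strings; reject empty, truncated or
# obviously mis-pasted values before they reach the command line.
validate_token() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{20,}={0,2}$'
}

# build_install_cmd URL TOKEN -> the command the flyout shows, as a string
build_install_cmd() {
  printf '%s' "./elastic-agent install --url=$1 --enrollment-token=$2"
}

# wait_for_healthy SECONDS
# Polls `elastic-agent status` until HEALTHY appears or the deadline passes.
wait_for_healthy() {
  deadline=$(( $(date +%s) + $1 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if elastic-agent status 2>/dev/null | grep -qi healthy; then
      echo "agent enrolled and healthy"
      return 0
    fi
    sleep 5
  done
  echo "agent did not report healthy within $1s; check Fleet > Agents" >&2
  return 1
}

# enroll_agent URL TOKEN
# With DRY_RUN=1 only the command is printed; otherwise the agent is
# installed, enrolled and polled until it reports healthy.
enroll_agent() {
  validate_fleet_url "$1" || return 1
  validate_token "$2" || { echo "rejected enrollment token" >&2; return 1; }
  if [ "${DRY_RUN:-0}" = "1" ]; then
    build_install_cmd "$1" "$2"
    echo
    return 0
  fi
  # The token is visible in `ps` while the install command runs; treat it
  # like a password and revoke it in Fleet > Enrollment tokens if it leaks.
  ./elastic-agent install --url="$1" --enrollment-token="$2" --non-interactive || return 1
  wait_for_healthy 60
}

# Usage: sudo ./enroll.sh https://fleet-server.example.internal:8220 <token>
if [ "$#" -eq 2 ]; then
  enroll_agent "$1" "$2"
fi
```

Run it with `DRY_RUN=1` first to see the exact command it will execute; the URL and token in the usage line are placeholders, and the real values come from the flyout.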

Step 4: Monitor host logs and metrics
  1. Verify that data is flowing. Wait until agent enrollment is confirmed and incoming data is received, then click View assets to access dashboards related to the System integration.

    [Screenshot: agent enrollment confirmed and incoming data received]
  2. Choose a dashboard that is related to the operating system of your monitored system. Dashboards are available for Microsoft Windows systems and Unix-like systems (for example, Linux and macOS).

    [Screenshot: list of System integration dashboards]
  3. Open the [Metrics System] Host overview dashboard to view performance metrics from your host system.

    [Screenshot: The Host Overview dashboard in Kibana with various metrics from your monitored system]

You can hover over any visualization to adjust its settings, or click the Edit button to make changes to the dashboard. To learn more, refer to Dashboard and visualizations.

Step 5: Monitor Nginx logs and metrics

Next, add an Nginx integration to the policy used by your agent.

For these steps, we assume that you have Nginx running on your host and want to collect logs and metrics from it. If not, you can skip this part of the guide.

  1. In Kibana, go to the Integrations page.
  2. In the query bar, search for Nginx and select the integration to see more details about it.
  3. Click Add Nginx.
  4. Configure the integration name and optionally add a description.
  5. Expand each configuration section to verify that the settings are correct for your host. You may need to change the Paths settings.
  6. Under Where to add this integration, select Existing hosts, then select the agent policy you created earlier. That way, you can deploy the change to the agent that’s already running.
  7. When you’re done, click Save and continue, then Save and deploy changes.
  8. To see the updated policy, click the agent policy link.

    The newly added Nginx integration should appear on the Integrations tab in your agent policy.

    [Screenshot: Fleet showing default agent policy with nginx-1 data source]

    Any Elastic Agents assigned to this policy will collect logs and metrics from the Nginx server and the host, along with system logs and uptime data.

  9. To view the data, go to Management > Fleet, then click the Data streams tab.
  10. In the Actions column, navigate to the dashboards corresponding to the data stream.
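
Both the System integration (Step 2) and the Nginx integration (Step 5) ask you to verify the Paths settings, and a path that matches nothing, or a file the agent cannot read, produces no data and no error in Kibana. As an added example that is not part of this guide or of the integrations themselves, the following POSIX shell script expands each path you intend to configure and reports which ones match readable files, so you can fix the settings before clicking Save and continue. Run it as root, since Elastic Agent runs as root. The macOS syslog path comes from Step 2; the Linux syslog globs, the Nginx log globs and the `stub_status` endpoint are assumed defaults of those integrations, and the integration page in Kibana is the source of truth for your version.

```shell
#!/bin/sh
# Added example, not part of the Elastic documentation. Pre-flight check
# for the Paths settings of the System and Nginx integrations. Run as root
# on the monitored host. The per-OS defaults are assumptions; confirm them
# against the integration's configuration page.

# check_paths PATTERN...
# Expands each glob, prints one line per match and returns 1 if any
# pattern matches nothing or only files this user cannot read.
check_paths() {
  failed=0
  for pattern in "$@"; do
    found=0
    for f in $pattern; do      # unquoted on purpose: glob expansion
      if [ -r "$f" ]; then
        echo "ok          $f"
        found=1
      elif [ -e "$f" ]; then
        echo "unreadable  $f"   # exists, but the agent's user cannot read it
        found=1
        failed=1
      fi
    done
    if [ "$found" -eq 0 ]; then
      echo "missing     $pattern"
      failed=1
    fi
  done
  return "$failed"
}

# default_syslog_paths OS
# macOS needs /var/log/system.log added by hand (as Step 2 notes);
# the Linux globs are the System integration's assumed defaults.
default_syslog_paths() {
  case "$1" in
    Darwin) echo "/var/log/system.log" ;;
    Linux)  echo "/var/log/messages* /var/log/syslog*" ;;
    *)      echo "" ;;
  esac
}

# nginx_log_paths -> assumed defaults of the Nginx integration's Paths
nginx_log_paths() {
  echo "/var/log/nginx/access.log* /var/log/nginx/error.log*"
}

# check_nginx_status URL
# Nginx metrics come from the stub_status module; the integration's
# default endpoint is assumed to be http://127.0.0.1:80/nginx_status.
check_nginx_status() {
  curl -fsS --max-time 5 "$1" | grep -q '^Active connections'
}

# Usage: PREFLIGHT=1 ./preflight.sh   (optionally NGINX_STATUS_URL=...)
if [ "${PREFLIGHT:-0}" = "1" ]; then
  os=$(uname -s)
  check_paths $(default_syslog_paths "$os")
  check_paths $(nginx_log_paths)
  if check_nginx_status "${NGINX_STATUS_URL:-http://127.0.0.1:80/nginx_status}"; then
    echo "ok          nginx stub_status"
  else
    echo "missing     nginx stub_status (enable the module or fix the URL)"
  fi
fi
```

If a line reads `missing`, either the service writes its logs elsewhere (adjust the Paths setting by clicking Add row, as in Step 2) or the file does not exist yet; `unreadable` means the file is there but the permissions stop the agent from reading it.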
What’s next?
  • Monitor the status and response times of applications and services in real time using the Uptime app. You can monitor the availability of network endpoints via HTTP, TCP, ICMP or Browser monitors. Get started in Synthetics (beta).
  • Now that data is streaming into the Elastic Stack, take your investigation to a deeper level! Use Elastic Observability to unify your logs, infrastructure metrics, uptime, and application performance data.
  • Want to protect your endpoints from security threats? Try Elastic Security. Adding endpoint protection is just another integration that you add to the agent policy!
  • Are your eyes bleary from staring at a wall of screens? Create alerts and find out about problems while sipping your favorite beverage poolside.
  • Want Elastic to do the heavy lifting? Use machine learning to detect anomalies.
  • Got everything working like you want it? Roll out your agent policies to other hosts by deploying Elastic Agents across your infrastructure!