Data & Storage, Engineering

Getting Sophisticated alerts from Filebeat on Axiom

03 June 2021

In this tutorial, I will show you how to set up and get triggers and alerts from your Filebeat events on Axiom.

Configuring alerts on your Filebeat events is essential because it’s how you catch issues with your systems immediately. Your organization will know when critical changes are occurring and, with this information, you can then check and audit your Filebeat events.

Prerequisites

Let's get to it đŸ’«

1. Visit our docs to copy, edit and configure the Filebeat.yml file to ingest Filebeat events to Axiom.

2. Create your dataset for your Filebeat events by selecting Settings → Datasets.

  1. Generate your ingest token,
  • On the Axiom UI, click on settings, select ingest token.
  • Select Add ingest token.
  • Enter a name and description and select ADD.
  • Copy the generated token to your clipboard. Once you navigate from the page, the token can be seen again by selecting Ingest Tokens.

4. Update the changes with the new Host URL and Dataset name on your configuration file. You can now ingest Filebeat events into Axiom.

5. Before configuring your alerts, you need to set up monitors and notifiers.

  • Axiom Monitors let you set up and run continuous queries over your data. After configuring and setting up queries, you can confirm if the values created from the results exceed the threshold settings. If a threshold is met, then an alert is triggered to notify you via any configured Notifiers..
  • Notifiers are important component of monitors that keep your team informed of issues, and if any complications arise.

Notifications can be sent through four different Notifiers:

  • Email
  • Slack
  • PagerDuty
  • Webhook

6. Select the specific notifier you would like to use for your Monitor.

7. After you have selected your Notifier, configure your Monitor:

  • Name of my monitor is: Filebeat-events
  • Description – Monitor Filebeat agent events on Axiom. Inserting a description is helpful to your team members so that they can know why the monitor was created.
  • For Trigger options, I set the comparison type to below or equal to the value of 3.  3 is the value to compare the results of the query to.
  • Specify the frequency and time range for your monitor. Here I configured mine to check this monitor for every 2 minutes with data from the last 3 minutes.
  • Select your notification option. Here I’m selecting the notification via Email which I configured in the previous step.
  • Select the dataset in which you ingested logs from Filebeat earlier.
  • Choose the Aggregation type you want to run your Query on. Here I configured my query using the count aggregation. It will trigger the monitor and send an alert to my email when the value of 3 is or equal to the threshold value of 3.
  • You can snooze your monitor by clicking the ‘alarm clock’ icon in the slide-out toolbar. By snoozing a monitor, no checks will be carried out by the monitor until the snooze time is elapsed.
  • You can use GROUP BY to get more specific alerts where necessary, this will trigger your monitor once for every group that is produced by a query.

8. Back to your Monitor’s page, wait for 2 minutes. You will see that the alert has been triggered.

9. Go to your email or whichever Notifier you configured earlier to see the Notification. I received an email alert that my Filebeat events have changed state. You can configure your monitors to get triggered at any value, frequency and time range

 

 

Try it today 😇

If you have specific questions or issues configuring the file, I’d love to hear about them. Contact us here or ask a question in the Axiom Community!

You can also follow us on Twitter and on our blog. And if you’ve enjoyed this post, please, take a second to share it on Twitter.

More about the author

Tola Ore-Aruwaji

Developer Relations Engineer

I am passionate about communicating and simplifying technical concepts for everyone and also enjoy contributing to and building open-source projects.  I am a big advocate for building open and inclusive...

More articles like this