
Kibana

You may not be familiar yet with Elasticsearch and Kibana. Before even trying out the punch features, it is a good idea to simply visit your local Kibana http://localhost:5601.

System Monitoring

Start exploring the monitoring dashboards. These come with a companion monitoring agent called Metricbeat. It is shipped with the standalone punchplatform and is already running. You can check that it is running with the following command:

punchplatform-standalone.sh --status

or even simpler:

punchplatform-metricbeat.sh --status

Metricbeat collects various system and monitoring metrics and forwards them to Elasticsearch. You then visualise them through Kibana dashboards. Execute the following command to load the Metricbeat dashboards into Kibana:

cd $PUNCHPLATFORM_CONF_DIR/../external/metricbeat-*-x86_64/
./metricbeat setup -c metricbeat.yml --dashboards

Go back to Kibana. On the left-hand panel, select the Dashboard menu. You will see there a number of dashboards, ready to be visualised. Find and select the Metricbeat System Overview dashboard. You should see something like this:

image

The Metricbeat dashboards let you visualise the resource metrics of each of your hosts: CPU usage, disk usage, memory usage, and so on. These metrics are collected by Metricbeat.

Tip

The so-called Beats are the Elastic agents in charge of collecting various events (Windows event logs, network traffic, host metrics, files, audit events). What you see here in action is Metricbeat. Metricbeat is extensively used in the punch: it is deployed as part of the punchplatform setup and provides you with a complete view of your servers.

Audit Data

Let us now explore another beat: the Auditbeat. It monitors user activity and processes. Auditbeat communicates directly with the Linux audit framework and sends the events to the Elastic Stack in real time.

Because Auditbeat requires root privileges, it is not started automatically. Here is how to start it:

cd $PUNCHPLATFORM_CONF_DIR/../external/auditbeat-*/

# Beats refuse to load a configuration file that is not owned by the user
# running them. Since auditbeat will run as root, hand the file over to root.
sudo chown root auditbeat.yml

# Load the auditbeat dashboards (skip this step if you don't want them).
# This step may take up to 1 minute.
sudo ./auditbeat setup -c auditbeat.yml --dashboards

# On Linux, there is an extra step: you must choose your architecture.
# The sample rules ship in both 32-bit and 64-bit flavours; keep only the
# ones matching your system. On a 64-bit computer, delete the 32-bit
# configuration files:
rm audit.rules.d/*-32bit.conf
# On a 32-bit computer, delete the 64-bit files instead:
# rm audit.rules.d/*-64bit.conf

# Go for it! (-e logs to stderr instead of to log files)
sudo ./auditbeat -c auditbeat.yml -e
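The same start-up sequence, scripted, as an added example that is not part of the punch documentation or its tooling. It selects the audit rule flavour from `uname -m` instead of deleting files by hand, verifies it is running as root before touching the config file, and warns when auditd already owns the kernel audit socket. It assumes the `$PUNCHPLATFORM_CONF_DIR/../external/auditbeat-*/` layout shown above, Auditbeat sample rule files ending in `-32bit.conf` / `-64bit.conf`, and a hypothetical `PUNCH_START_AUDITBEAT` variable that gates the actual start so the file can also be sourced for its helpers:

```shell
#!/bin/sh
# Added example (not the punch project's own code). Assumptions: the
# external/auditbeat-*/ layout from this page, rule files named *-32bit.conf
# and *-64bit.conf, and the PUNCH_START_AUDITBEAT gate variable (hypothetical).
set -eu

# Map a `uname -m` value to the glob of rule files that do NOT apply to this
# host and must be removed. Returns 1 for architectures the sample rules
# don't cover, so the caller can refuse to guess.
rules_to_drop() {
  case "$1" in
    x86_64|aarch64|ppc64le|s390x) echo '*-32bit.conf' ;;
    i386|i686|armv7l|armv6l)      echo '*-64bit.conf' ;;
    *) return 1 ;;
  esac
}

# Delete the non-matching rule files under $1 for architecture $2.
# Prints the number of files removed (0 when the pruning was already done).
prune_audit_rules() {
  rules_dir=$1
  arch=$2
  pattern=$(rules_to_drop "$arch") || { echo "unsupported architecture: $arch" >&2; return 1; }
  n=0
  for f in "$rules_dir"/$pattern; do
    [ -e "$f" ] || continue   # glob did not match: nothing to prune
    rm -f -- "$f"
    n=$((n + 1))
  done
  echo "$n"
}

# Full start sequence from the page, with the preflight checks a practitioner
# would want before handing the kernel audit socket to a new daemon.
start_auditbeat() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "auditbeat must run as root (re-run with sudo)" >&2
    return 1
  fi
  cd "$PUNCHPLATFORM_CONF_DIR"/../external/auditbeat-*/
  # Beats refuse a config file not owned by the user running them.
  chown root auditbeat.yml
  # Only one process can be the audit daemon in unicast mode; a running auditd
  # will starve auditbeat of events unless socket_type: multicast is configured.
  if pgrep -x auditd >/dev/null 2>&1; then
    echo "warning: auditd is running; stop it or set socket_type: multicast in auditbeat.yml" >&2
  fi
  prune_audit_rules audit.rules.d "$(uname -m)" >/dev/null
  ./auditbeat setup -c auditbeat.yml --dashboards
  exec ./auditbeat -c auditbeat.yml -e
}

# Sourcing the file only defines the helpers; set PUNCH_START_AUDITBEAT=1
# (hypothetical gate) to actually start the beat.
if [ "${PUNCH_START_AUDITBEAT:-}" = "1" ]; then
  start_auditbeat
fi
```

Run it with `sudo PUNCH_START_AUDITBEAT=1 sh start-auditbeat.sh` (sudo must be told to keep the variable with `sudo --preserve-env=PUNCH_START_AUDITBEAT`, or export it after becoming root). Refusing unknown architectures rather than defaulting to 64-bit matters because a wrong rule file leaves whole syscall families unaudited without any error at start-up.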

You can now visit the "[Auditbeat] File Integrity" dashboard. Have fun discovering what you can learn from such a tool.

image

Tip

When looking for a dashboard, use the search box at the top of the Dashboard list. Simply type 'Aud' and it will list the available Auditbeat dashboards.

Punch Dashboards

The punch comes with predefined Kibana dashboards to easily start exploring your data. These dashboards are located under the conf/resources/kibana folder.

kibana/
└── dashboard
    ├── aggregation_mytenant_demo
    │   └── aggregation.json
    ├── archiving_monitoring
    │   └── archiving_monitoring.json
    ├── cybersecurity_mytenant_demo
    │   └── cybersecurity_mytenant_demo.json
    ├── elastic_common_schema
    │   ├── ecs_channels_monitoring.json
    │   ├── elastic_common_schema_demo.json
    │   ├── elastic_common_schema_demo-screenshot.png
    │   └── README.md
    ├── platform_monitoring
    │   ├── platform_monitoring.json
    │   └── platform_monitoring-screenshot.png
    ├── README.md
    ├── spark_monitoring
    │   └── spark_monitoring.json
    ├── tenants_monitoring
    │   ├── tenants_monitoring.json
    │   └── tenants_monitoring-screenshot.png
    └── topo_light_monitoring
        └── monitoring_topo_light.json

To import these dashboards, follow these instructions:

  1. Go to the Kibana UI
  2. On the left-side panel, go to the "Management > Saved Objects > Import"
  3. Drag-n-drop or select the JSON dashboard
  4. Go to the "Dashboard" tab and start exploring your dashboards.

Info

Dashboards from the "*_demo" folders are examples for standalone channels. Others are representative of monitoring dashboards used on production platforms.