Power Open Source Development


Monitor AIX with elastic beats: Observability on AIX

By Aditya Kamath posted Mon July 14, 2025 03:34 AM

  

Elastic Beats are lightweight agents that ship data to Elasticsearch. Elastic offers distinct Beats for metrics, uptime, logs, and other kinds of data. Depending on the data you want to gather, you may need to install several shippers on a single host. If you have Elasticsearch and Kibana running on Linux, you can monitor AIX data using Elastic Beats.

Beats version 8.17.1 is now available in the AIX toolbox. Currently we have Metricbeat, Filebeat, and Auditbeat.

To install Beats on AIX, do the following:

dnf install metricbeat auditbeat filebeat

Which Beats are available on AIX?

Metricbeat—System and application metrics

What it does: Gathers CPU, memory, disk, file system, and process metrics.

Use case: Monitor AIX performance, detect resource exhaustion, and view metrics in the Kibana dashboard.

Sample YAML config file:

# cat metricbeat_cpu.yml 
metricbeat.modules:
  - module: system
    period: 5s
    metricsets:
      - cpu
      - filesystem
      - memory
      - process
    include_cpu_ticks: false

output.elasticsearch:
  hosts: ["https://<Your_IP_Address>"]
  username: elastic
  password: <Your_password>
  # "none" skips TLS certificate verification of the Elasticsearch server
  ssl.verification_mode: none

To run, use: metricbeat -e -c metricbeat_cpu.yml

Sample metrics view from Kibana

Filebeat—Log File Harvester

What it does: Reads and ships logs line by line.

Use case: Monitor logs like /var/syslog, app logs, and custom directories. Centralize logs from AIX servers into Linux-hosted Elasticsearch.

# cat filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /tmp/testlog.log   # The file you want Filebeat to read

output.elasticsearch:
  hosts: ["https://<Your_IP_Address>"]
  username: elastic
  password: <Your_password>
  # "none" skips TLS certificate verification of the Elasticsearch server
  ssl.verification_mode: none

logging.level: info
logging.to_files: true
logging.files:
  path: "/tmp/filebeat-logs"
  name: filebeat.log
  keepfiles: 3
  permissions: 0644

To run, use: filebeat -e -c filebeat.yml

Sample filebeat beat view

Auditbeat - File integrity and Activity monitoring

What it does: Tracks file changes and user activity.

Use case: Track tampering with scripts, binaries, or cron jobs—useful for compliance and doing file/directory-level monitoring.

Sample YAML config file:

# cat auditbeat.yml 
auditbeat.modules:
- module: file_integrity
  paths:
    - /tmp/testdir

output.elasticsearch:
  hosts: ["https://<Your_IP_Address>"]
  username: elastic
  password: <Your_password>
  # "none" skips TLS certificate verification of the Elasticsearch server
  ssl.verification_mode: none

logging.level: debug 
logging.to_files: true
logging.files:
  path: "/tmp/auditbeat-logs"
  name: auditbeat.log
  keepfiles: 3
  permissions: 0644

To run, use: auditbeat -e -c auditbeat.yml

Sample audit beat view
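
The three sample files above share the same output and logging settings. The following is an added example (not part of the original post) that shows those settings beside a hardened form for use outside a lab, written for Filebeat. The account name <beats_writer_user>, the CA file path, the log directory and the keystore key name ES_PWD are assumptions, as is the availability of the Beats keystore subcommand in the AIX toolbox build.

```yaml
# Added example, not from the original post. Placeholders and assumptions:
# <beats_writer_user>, /path/to/ca.crt, /var/log/filebeat and the keystore
# key name ES_PWD are illustrative; adjust per Beat (metricbeat, auditbeat).

# --- Settings as used in the samples above ---
# output.elasticsearch:
#   username: elastic             # built-in superuser account
#   password: <Your_password>     # secret kept in clear text in the file
#   ssl.verification_mode: none   # server certificate is not verified
# logging.files:
#   path: "/tmp/filebeat-logs"    # under a world-writable directory
#   permissions: 0644             # log readable by every local user

# --- Hardened form ---
output.elasticsearch:
  hosts: ["https://<Your_IP_Address>"]
  # Dedicated account limited to the privileges needed to publish events.
  username: <beats_writer_user>
  # Resolved from the Beat's keystore at startup. Populate it once with:
  #   filebeat keystore create
  #   filebeat keystore add ES_PWD
  password: "${ES_PWD}"
  # "full" checks the certificate chain and that the certificate matches
  # the host in `hosts` (for an IP address, the cert needs an IP SAN).
  ssl.verification_mode: full
  # CA that signed the Elasticsearch HTTP certificate.
  ssl.certificate_authorities: ["/path/to/ca.crt"]

logging.level: info        # debug output can include event contents
logging.to_files: true
logging.files:
  path: "/var/log/filebeat"   # directory writable only by the Beat's user
  name: filebeat.log
  keepfiles: 3
  permissions: 0600           # owner read/write only
```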

Additional Information


Find more content about Elastic Beats and each beat here.

Content about installing Kibana in Linux: https://www.elastic.co/docs/deploy-manage/deploy/self-managed/install-kibana.

Regards,
Toolbox team.


Comments

4 days ago

@Felipe Villagran

Thank you for reaching out. We are analyzing. We will make it consistent in AIX and fix it in the metric beat code if that is the expected behavior. Will get back soon.  

5 days ago

Hi everyone,

I'm using Metricbeat on AIX servers and noticed an unexpected behavior in the system.filesystem module.

When running df -h on AIX, the output correctly shows the logical volume and its mount point, for example:

Filesystem         Mounted on
/dev/defaultlv     /opt/default

However, the data sent by Metricbeat to Elasticsearch shows the fields inverted:

  • system.filesystem.device_name: /opt/default
  • system.filesystem.mount_point: /dev/defaultlv

This is inconsistent with how Metricbeat behaves on Linux, where:

  • device_name refers to the device (e.g., /dev/sda1)
  • mount_point refers to the mount path (e.g., /)

❓ Question

Has anyone else encountered this issue on AIX?
Is there a known workaround or fix for this behavior?
Could this be a bug in the AIX module of Metricbeat?

Any help or guidance would be greatly appreciated.

Thanks,
Felipe

5 days ago

@Todd Winkler

You can ask your questions here. Kindly go ahead.

8 days ago

Who can help me with some questions on this software?