Power Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power


#Power

 View Only

Monitor AIX with elastic beats: Observability on AIX

By Aditya Kamath posted Mon July 14, 2025 03:34 AM

  

Elastic beats are lightweight agents used to ship data to Elasticsearch. Elastic offers distinct Beats for metrics, uptime, logs, and other kinds of data. Installing many shippers on a single host may be necessary, depending on the data you wish to gather. If you have Elasticsearch and Kibana in Linux, then you can monitor AIX data using Elastic Beats. 

Beats version 8.17.1 is now available in the AIX toolbox. Currently we have Metricbeat, Filebeat, and Auditbeat.

To install Beats in AIX, do the following:

dnf install metricbeat auditbeat filebeat

What beats are available in AIX?

Metricbeat—System and application metrics

What it does: Gathers CPU, memory, disk, file system, and process metrics.

Use case: Monitor AIX performance, detect resource exhaustion, and view metrics in the Kibana dashboard.

Sample YAML config file:

# cat metricbeat_cpu.yml 
metricbeat.modules:
  - module: system
    period: 5s
    metricsets:
      - cpu
      - filesystem
      - memory
      - process
    include_cpu_ticks: false

output.elasticsearch:
  hosts: ["https://<Your_IP_Address"]
  username: elastic
  password: <Your_password>
  ssl.verification_mode: none

To run, use: metricbeat -e -c metricbeat.yml

Sample metrics view from kibana

Filebeat—Log File Harvester

What it does: Reads and ships logs line by line.

Use case: Monitor logs like /var/syslog, app logs, and custom directories. Centralize logs from AIX servers into Linux-hosted Elasticsearch.

# cat filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /tmp/testlog.log   # The file you want Filebeat to read

output.elasticsearch:
  hosts: ["https://<Your_IP_Address"]
  username: elastic
  password: <Your_password>
  ssl.verification_mode: none

logging.level: info
logging.to_files: true
logging.files:
  path: "/tmp/filebeat-logs"
  name: filebeat.log
  keepfiles: 3
  permissions: 0644

To run, use: filebeat -e -c filebeat.yml

Sample filebeat beat view

Auditbeat - File integrity and Activity monitoring

What it does: Tracks file changes and user activity.

Use case: Track tampering with scripts, binaries, or cron jobs—useful for compliance and doing file/directory-level monitoring.

Sample YAML config file:

# cat auditbeat.yml 
auditbeat.modules:
- module: file_integrity
  paths:
    - /tmp/testdir

output.elasticsearch:
  hosts: ["https://<Your_IP_Address"]
  username: elastic
  password: <Your_password>
  ssl.verification_mode: none

logging.level: debug 
logging.to_files: true
logging.files:
  path: "/tmp/auditbeat-logs"
  name: auditbeat.log
  keepfiles: 3
  permissions: 0644

To run, use: auditbeat -e -c auditbeat.yml

Sample audit beat view

Additional Information

Find more content about elastic Beats and each beat here.

Content about installing Kibana in Linux: https://www.elastic.co/docs/deploy-manage/deploy/self-managed/install-kibana.

Regards,
Toolbox team.


#AIXOpenSource
20 comments
106 views

Permalink

https://community.ibm.com/community/user/blogs/aditya-kamath/2025/07/14/monitor-aix-with-elastic-beats-observability-on-ai

Comments

Sirak Shiferaw
5 hours ago

i just converted everything into a service and i don't have to worry about the requested parameter or change any os config, thank you all for the comment

mkssys \
  -s metricbeat \
  -p /opt/freeware/bin/metricbeat \
  -a "run --path.config=/opt/freeware/etc/metricbeat --path.data=/opt/freeware/var/lib/metricbeat --path.logs=/opt/freeware/var/log/metricbeat" \
  -u 0 \
  -S \
  -n 15 \
  -f 9 \
  -R \
  -G elastic

and start as a backgroud service with

lssrc -s metricbeat

startsrc -s metricbeat

Aditya Kamath
12 hours ago

@Sirak Shiferaw @Felipe Villagran

Kindly export PATH=/opt/freeware/bin:$PATH and then try. You may want to store it in .~/bashrc profile.

Felipe Villagran
23 hours ago

@Sirak Shiferaw Try with this command. It should work.

/opt/freeware/bin/metricbeat -e -c /opt/freeware/etc/metricbeat/metricbeat.yml

Sirak Shiferaw
23 hours ago

for some reason i need to run full command otherwise its not loading active module

./metricbeat run \
  --path.config=/opt/freeware/etc/metricbeat \
  --path.data=/opt/freeware/var/lib/metricbeat \
  --path.logs=/opt/freeware/var/log/metricbeat \
  -e

Aditya Kamath
13 days ago

@Felipe Villagran
Update is available.

Felipe Villagran
13 days ago

@Aditya Kamath Thank you very much for the update!

Aditya Kamath
14 days ago

@Felipe Villagran
Wanted to inform you. 
I have given beats 8.17.1-3 with the bug fixes and swap metrics addition to upload, which will be done by this Friday (5/12/2025) or the coming Monday (8/12/2025), after which do run dnf update. 

Thanks.@Felipe Villagran

Aditya Kamath
27 days ago

@Felipe Villagran

The numbers of the script match the beats output. So we are okay. 

Thanks for the same. Expect the fix and SWAP metric in 8.17. 1 release 3 in coming weeks. [22 Nov - 30 Nov]

Felipe Villagran
28 days ago

@Aditya Kamath Filesystem output looks good, for SWAP metrics this should be the output. 

    "system": {
      "memory": {
        "actual": {
          "free": 19973455872,
          "used": {
            "bytes": 11295678464,
            "pct": 0.361
          }
        },
        "cached": 8370790400,
        "free": 1359364096,
        "swap": {
          "free": 3913539584,
          "total": 4244631552,
          "used": {
            "bytes": 331091968,
            "pct": 0.078
          }
        },
        "total": 31269134336,
        "used": {
          "bytes": 29909770240,
          "pct": 0.957
        }
      }
    }
I have this script to get the information in same format. 
#!/bin/ksh
swap_info=$(lsps -s | tail -1)
total=$(echo $swap_info | awk '{print $1}' | sed 's/MB//')
used_pct=$(echo $swap_info | awk '{print $2}' | sed 's/%//')

# Convert to bytes
total_bytes=$((total * 1024 * 1024))
used_bytes=$((total_bytes * used_pct / 100))
free_bytes=$((total_bytes - used_bytes))

echo "{\"swap\": {\"total\": $total_bytes, \"free\": $free_bytes, \"used\": {\"bytes\": $used_bytes, \"pct\": $(echo "scale=3; $used_pct/100" | bc)}}}"
Thank you very much for your support.

Aditya Kamath
28 days ago

@Felipe Villagran

Thank you very much for reporting this. Yes, we missed this in our test buckets. 

I have quickly corrected the same. As a priority, we will release 8.17.1-3 next week. Please see the output named as corrected output below.

As a token of gratitude, we have also implemented the SWAP metrics on priority within beats to be released along the same version. Please see how the JSON will look in AIX in the output named Swap Metrics.


We want one confirmation so the requirement is clear. By swap metrics are you referring to the lsps -a or lsps -s output in AIX? If that is the one, then we have implemented the same and expect it next week. Else let us know.

Let me know. Once again, thank you for reporting the issue and using in beats in AIX. 
========= Swap Metrics ==========
"system": {
    "memory": {
      "free": 6677639168,
      "actual": {
        "free": 33434894336,
        "used": {
          "pct": 0.2215,
          "bytes": 9514778624
        }
      },
      "swap": {
        "used": {
          "bytes": 94457856,
          "pct": 0.001
        },
        "free": 93857951744,
        "total": 93952409600
      },
========== Corrected output ==================


"system": {
    "filesystem": {
      "mount_point": "/opt",
      "device_name": "/dev/hd10opt",
      "type": "jfs2",
      "total": 22682796032,
      "free": 1201262592,
      "available": 1201262592,
      "used": {
        "pct": 0.947,
        "bytes": 21481533440
      }

 "system": {
    "filesystem": {
      "mount_point": "/home",
      "device_name": "/dev/hd1",
      "type": "jfs2",
      "total": 25098715136,
      "free": 1937272832,
      "available": 1937272832,
      "used": {
        "bytes": 23161442304,
        "pct": 0.9228
      }
    }
  },


# df -H
Filesystem                                        Size  Used Avail Use% Mounted on
/dev/hd4                                           30G   20G   11G  65% /
/dev/hd2                                           11G   10G  430M  96% /usr
/dev/hd9var                                       2.1G  1.2G  880M  57% /var
/dev/hd3                                          3.8G  195M  3.6G   6% /tmp
/dev/hd1                                           26G   24G  2.0G  93% /home
/dev/hd11admin                                    135M  390k  134M   1% /admin
/ahafs                                               -     -     0    - /aha
/dev/hd10opt                                       23G   22G  1.3G  95% /opt
/dev/livedump                                     269M  377k  269M   1% /var/adm/ras/livedump
9.18.2.83:/cst-storage/awx-exp/aix_multi_updater  322G  149G  174G  47% /tmp/patch

Felipe Villagran
28 days ago

Hi @Aditya Kamath

Now is showing same data for All the filesystem something was wrong with this new version. Please your help to fix this and add Swap metrics. We appreciate your support.

Disk/Filesystem    % Disk Used    Free Space    Total Space
/tmp    78.50%    275.7MB    1.3GB
/usr    78.50%    275.7MB    1.3GB
/var    78.50%    275.7MB    1.3GB

Aditya Kamath
Fri November 14, 2025 12:19 PM

Hi @Felipe Villagran,

Yes, the fix is uploaded in toolbox. Kindly run dnf update metricbeat auditbeat filebeat. 

Felipe Villagran
Fri November 14, 2025 10:43 AM

Hi @Aditya Kamath , Do you have news about new releases? Please your comments. Thank you.

Aditya Kamath
Mon October 27, 2025 02:23 AM

@Felipe Villagran,

Yes, it is possible to remove unsupported modules. I have removed the garble_macho_executable file from the release 2 RPM releasing this week. Thanks.

We will need some time to develop SWAP metrics. We will plan this and get back. 

Felipe Villagran
Fri October 24, 2025 09:29 AM

Hi @Aditya Kamath,

Thank you for your quick response.

We are currently in the testing phase and have noticed that the SWAP metrics are not being reported—only RAM metrics are visible, and SWAP data appears to be missing.

On another note, regarding Auditbeat, we had to remove the file_integrity module due to a potential threat detection. It seems this module is not compatible with AIX. Is it possible to exclude or remove unsupported modules from the AIX version of Auditbeat?

Details:

  • Path: /opt/freeware/share/auditbeat/module/file_integrity/testdata/garble_macho_executable
  • Threat Name: RDN/Generic.osx

Thank you in advance for your support.

Aditya Kamath
Fri October 24, 2025 12:24 AM

@Felipe Villagran

We have made corrections in the metric beat code.

In the updated one, the mount point and device name will be shown correctly as below. Thank you for reaching out. Expect the fixed RPMS next week. 

  "system": {
    "filesystem": {
      "free": 4633706496,
      "available": 4633706496,
      "used": {
        "pct": 0.8445,
        "bytes": 25162629120
      },
      "mount_point": "/tmp",
      "device_name": "/dev/hd3",
      "type": "jfs2",
      "total": 29796335616
    }
  },

Aditya Kamath
Tue October 14, 2025 09:43 AM

@Felipe Villagran

Thank you for reaching out. We are analyzing. We will make it consistent in AIX and fix it in the metric beat code if that is the expected behavior. Will get back soon.  

Felipe Villagran
Mon October 13, 2025 03:49 PM

Hi everyone,

I'm using Metricbeat on AIX servers and noticed an unexpected behavior in the system.filesystem module.

When running df -h on AIX, the output correctly shows the logical volume and its mount point, for example:

Filesystem         Mounted on
/dev/defaultlv     /opt/default

However, the data sent by Metricbeat to Elasticsearch shows the fields inverted:

  • system.filesystem.device_name: /opt/default
  • system.filesystem.mount_point: /dev/defaultlv

This is inconsistent with how Metricbeat behaves on Linux, where:

  • device_name refers to the device (e.g., /dev/sda1)
  • mount_point refers to the mount path (e.g., /)

❓ Question

Has anyone else encountered this issue on AIX?
Is there a known workaround or fix for this behavior?
Could this be a bug in the AIX module of Metricbeat?

Any help or guidance would be greatly appreciated.

Thanks,
Felipe

Aditya Kamath
Sun October 12, 2025 09:57 PM

@Todd Winkler

You can ask your questions here. Kindly go ahead.

Todd Winkler
Fri October 10, 2025 10:10 AM

Who can help me with some questions on this software?