Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent.
Beta feature
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
Apache Tomcat is a free and open-source implementation of the jakarta servlet, jakarta expression language, and websocket technologies. It provides a pure java http web server environment in which java code can also run. Thus, it is a java web application server, although not a full JEE application server.
Use the Apache Tomcat integration to:
The Apache Tomcat integration collects logs and metrics data.
Logs help you keep a record of events that happen on your machine. The Log data streams collected by Apache Tomcat integration are access, catalina, and localhost, so that users can keep track of the IP addresses of the clients, bytes returned to the client or sent by clients, etc., so that users could monitor and troubleshoot the performance of Java applications.
Metrics give you insight into the statistics of the Apache Tomcat. The Metric data streams collected by the Apache Tomcat integration are cache and request, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance.
Data streams:
access: Collects information related to overall performance of Java applications.catalina: Collects information related to the startup and shutdown of the Apache Tomcat application server, the deployment of new applications, or the failure of one or more subsystems.localhost: Collects information related to Web application activity which is related to HTTP transactions between the application server and the client.cache: Collects information related to the overall cache of the Apache Tomcat instance.request: Collects information related to requests of the Apache Tomcat instance.Note:
logs-* index pattern from Discover, and for metrics, the index pattern is metrics-*.This integration has been tested against Apache Tomcat versions 10.1.5, 9.0.71 and 8.5.85, and Prometheus version 0.17.2.
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on your own hardware.
In order to ingest data from the Apache Tomcat, user must have
For step-by-step instructions on how to set up an integration, see the Getting started guide.
Here are the steps to configure Prometheus in Apache Tomcat instance:
Go to <tomcat_home>/webapps from Apache Tomcat instance.
Please find latest Prometheus version, replace in below command and perform from Apache Tomcat instance: -
wget https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/<prometheus_version>/jmx_prometheus_javaagent-<prometheus_version>.jarconfig.yml file in <tomcat_home>/webapps and paste the following content in config.yml file: -rules:
- pattern: ".*"/etc/systemd/system and add the following content in tomcat.service file: -Environment='JAVA_OPTS=-javaagent:<tomcat_home>/webapps/jmx_prometheus_javaagent-<prometheus_version>.jar=<prometheus_port>:/opt/tomcat/webapps/config.yml'systemctl daemon-reload
systemctl restart tomcatHere are the steps to configure Log format in Apache Tomcat instance:
Go to <tomcat_home>/conf/server.xml from Apache Tomcat instance.
The user can update the log format in the pattern field of the class org.apache.catalina.valves.AccessLogValve. Here is an example of the org.apache.catalina.valves.AccessLogValve class.
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern='%h %l %u %t "%r" %s %b %A %X %T "%{Referer}i" "%{User-Agent}i" X-Forwarded-For="%{X-Forwarded-For}i"' />Common Log Format :- '%h %l %u %t "%r" %s %b'
Combined Log Format :- '%h %l %u %t "%r" %s %b "%{Referrer}i" "%{User-Agent}i"'
Combined Log Format + X-Forwarded-For header :- '%h %l %u %t "%r" %s %b %A %X %T "%{Referer}i" "%{User-Agent}i" X-Forwarded-For="%{X-Forwarded-For}i"'systemctl restart tomcatNote:
You need the following information from your Apache Tomcat instance to configure this integration in Elastic:
Host Configuration Format: http[s]://<hostname>:<port>/<metrics_path>
Example Host Configuration: http://localhost:9090/metrics
After the integration is successfully configured, clicking on the Assets tab of the Apache Tomcat Integration should display a list of available dashboards. Click on the dashboard available for your configured data stream. It should be populated with the required data.
{
"error": {
"message": "unable to decode response from prometheus endpoint: error making http request: Get \"http://127.0.0.1/metrics\": dial tcp 127.0.0.1: connect: connection refused"
}
}This is the Access data stream. This data stream collects logs related to overall performance of Java applications.
An example event for access looks as following:
{
"@timestamp": "2023-05-02T10:23:04.000Z",
"agent": {
"ephemeral_id": "919ea0c0-7f5c-4fc9-b7cf-288a0f913454",
"id": "41c81fe5-7323-4e84-b501-ddad2fa3530a",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.7.0"
},
"apache_tomcat": {
"access": {
"http": {
"ident": "-",
"useragent": "-"
}
}
},
"data_stream": {
"dataset": "apache_tomcat.access",
"namespace": "ep",
"type": "logs"
},
"destination": {
"bytes": 11235
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "41c81fe5-7323-4e84-b501-ddad2fa3530a",
"snapshot": false,
"version": "8.7.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"web"
],
"dataset": "apache_tomcat.access",
"ingested": "2023-05-02T10:23:27Z",
"kind": "event",
"module": "apache_tomcat",
"original": "127.0.0.1 - - [02/May/2023:10:23:04 +0000] \"GET / HTTP/1.1\" 200 11235",
"outcome": "success",
"type": [
"access"
]
},
"http": {
"request": {
"method": "GET"
},
"response": {
"status_code": 200
},
"version": "1.1"
},
"input": {
"type": "filestream"
},
"log": {
"file": {
"path": "/tmp/service_logs/localhost_access_log.2023-05-02.txt"
},
"offset": 0
},
"related": {
"ip": [
"127.0.0.1"
]
},
"source": {
"ip": "127.0.0.1"
},
"tags": [
"preserve_original_event",
"forwarded",
"apache_tomcat-access"
],
"url": {
"original": "/",
"path": "/"
}
}Exported fields
| Field | Description | Type | Unit |
|---|---|---|---|
@timestamp | Event timestamp. | date | |
apache_tomcat.access.connection_status | Connection status when response is completed. | keyword | |
apache_tomcat.access.header_forwarder | Header forwarder of log. | ip | |
apache_tomcat.access.http.ident | Remote logical username from identd. | keyword | |
apache_tomcat.access.http.useragent | The user id of the authenticated user requesting the page (if HTTP authentication is used). | keyword | |
apache_tomcat.access.ip.local | Local IP address. | ip | |
apache_tomcat.access.response_time | Response time of the endpoint. | double | s |
data_stream.dataset | Data stream dataset. | constant_keyword | |
data_stream.namespace | Data stream namespace. | constant_keyword | |
data_stream.type | Data stream type. | constant_keyword | |
destination.bytes | Bytes sent from the destination to the source. | long | |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
error.message | Error message. | match_only_text | |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword | |
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference. | keyword | |
event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense. | keyword | |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | |
http.request.method | HTTP request method. The value should retain its casing from the original event. For example, GET, get, and GeT are all considered valid values for this field. | keyword | |
http.request.referrer | Referrer for this HTTP request. | keyword | |
http.response.status_code | HTTP response status code. | long | |
http.version | HTTP version. | keyword | |
input.type | Type of Filebeat input. | keyword | |
log.offset | Log offset. | long | |
related.ip | All of the IPs seen on your event. | ip | |
source.ip | IP address of the source (IPv4 or IPv6). | ip | |
tags | List of keywords used to tag each event. | keyword | |
url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | |
url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | |
url.original.text | Multi-field of url.original. | match_only_text | |
url.path | Path of the request, such as "/search". | wildcard | |
user_agent.device.name | Name of the device. | keyword | |
user_agent.name | Name of the user agent. | keyword | |
user_agent.original | Unparsed user_agent string. | keyword | |
user_agent.original.text | Multi-field of user_agent.original. | match_only_text | |
user_agent.os.full | Operating system name, including the version or code name. | keyword | |
user_agent.os.full.text | Multi-field of user_agent.os.full. | match_only_text | |
user_agent.os.name | Operating system name, without the version. | keyword | |
user_agent.os.name.text | Multi-field of user_agent.os.name. | match_only_text | |
user_agent.os.version | Operating system version as a raw string. | keyword | |
user_agent.version | Version of the user agent. | keyword |
This is the Catalina data stream. This data stream collects logs related to the startup and shutdown of the Apache Tomcat application server, the deployment of new applications, or the failure of one or more subsystems.
An example event for catalina looks as following:
{
"@timestamp": "2023-05-05T11:09:44.042Z",
"agent": {
"ephemeral_id": "58b8cc5c-7b20-44e5-b16d-5964d7fd38e6",
"id": "3fe5ea83-99fe-41e9-bab5-bb8b1ca208a7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.7.0"
},
"apache_tomcat": {
"catalina": {
"subsystem": "main"
}
},
"data_stream": {
"dataset": "apache_tomcat.catalina",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "3fe5ea83-99fe-41e9-bab5-bb8b1ca208a7",
"snapshot": false,
"version": "8.7.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"web"
],
"dataset": "apache_tomcat.catalina",
"ingested": "2023-05-05T11:10:38Z",
"kind": "event",
"module": "apache_tomcat",
"original": "05-May-2023 11:09:44.042 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/10.1.5",
"timezone": "UTC",
"type": [
"info"
]
},
"input": {
"type": "filestream"
},
"log": {
"file": {
"path": "/tmp/service_logs/catalina.2023-05-05.log"
},
"level": "info",
"offset": 0
},
"message": "org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/10.1.5",
"tags": [
"preserve_original_event",
"forwarded",
"apache_tomcat-catalina"
]
}Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
apache_tomcat.catalina.subsystem | Indicates Apache Tomcat’s subsystem or the type of the module that was the source of the message. For example, RBPM or Java Messaging Service (JMS). | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
error.message | Error message. | match_only_text |
error.stack_trace | The stack trace of this error in plain text. | wildcard |
error.stack_trace.text | Multi-field of error.stack_trace. | match_only_text |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword |
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference. | keyword |
event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
input.type | Type of Filebeat input. | keyword |
log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are warn, err, i, informational. | keyword |
log.offset | Log offset. | long |
message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
tags | List of keywords used to tag each event. | keyword |
This is the Localhost data stream. This data stream collects logs related to Web application activity which is related to HTTP transactions between the application server and the client.
An example event for localhost looks as following:
{
"@timestamp": "2023-02-23T15:40:03.711Z",
"agent": {
"ephemeral_id": "1c262e48-33d7-484b-9071-cad47144bc3f",
"id": "3fe5ea83-99fe-41e9-bab5-bb8b1ca208a7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.7.0"
},
"apache_tomcat": {
"localhost": {
"subsystem": "localhost-startStop-1"
}
},
"data_stream": {
"dataset": "apache_tomcat.localhost",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "3fe5ea83-99fe-41e9-bab5-bb8b1ca208a7",
"snapshot": false,
"version": "8.7.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"web"
],
"dataset": "apache_tomcat.localhost",
"ingested": "2023-05-05T11:12:17Z",
"kind": "event",
"module": "apache_tomcat",
"original": "23-Feb-2023 15:40:03.711 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log ContextListener: contextInitialized()",
"timezone": "UTC",
"type": [
"info"
]
},
"input": {
"type": "filestream"
},
"log": {
"file": {
"path": "/tmp/service_logs/localhost.log"
},
"level": "info",
"offset": 0
},
"message": "org.apache.catalina.core.ApplicationContext.log ContextListener: contextInitialized()",
"tags": [
"preserve_original_event",
"forwarded",
"apache_tomcat-localhost"
]
}Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Event timestamp. | date |
apache_tomcat.localhost.subsystem | Indicates Apache Tomcat’s subsystem or the type of the module that was the source of the message. For example, RBPM or Java Messaging Service (JMS). | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
error.message | Error message. | match_only_text |
error.stack_trace | The stack trace of this error in plain text. | wildcard |
error.stack_trace.text | Multi-field of error.stack_trace. | match_only_text |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword |
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference. | keyword |
event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
input.type | Type of Filebeat input. | keyword |
log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are warn, err, i, informational. | keyword |
log.offset | Log offset. | long |
message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
tags | List of keywords used to tag each event. | keyword |
This is the Cache data stream. This data stream collects metrics related to the size of the cache and time-to-live for cache entries.
An example event for cache looks as following:
{
"@timestamp": "2023-05-02T10:24:35.071Z",
"agent": {
"ephemeral_id": "50b70c68-699c-4bb6-9e46-1d19f2f971e1",
"id": "41c81fe5-7323-4e84-b501-ddad2fa3530a",
"name": "docker-fleet-agent",
"type": "metricbeat",
"version": "8.7.0"
},
"apache_tomcat": {
"cache": {
"application_name": "/",
"hit": {
"count": 15
},
"lookup": {
"count": 30
},
"object": {
"size": {
"max": {
"kb": 512
}
}
},
"size": {
"current": {
"kb": 19
},
"max": {
"kb": 10240
}
},
"ttl": {
"ms": 5000
}
}
},
"data_stream": {
"dataset": "apache_tomcat.cache",
"namespace": "ep",
"type": "metrics"
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "41c81fe5-7323-4e84-b501-ddad2fa3530a",
"snapshot": false,
"version": "8.7.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"web"
],
"dataset": "apache_tomcat.cache",
"duration": 295546716,
"ingested": "2023-05-02T10:24:39Z",
"kind": "metric",
"module": "apache_tomcat",
"type": [
"info"
]
},
"host": {
"architecture": "x86_64",
"containerized": true,
"hostname": "docker-fleet-agent",
"id": "cdea87653a5e4f29905ca04b74758604",
"ip": [
"172.31.0.4"
],
"mac": [
"02-42-AC-1F-00-04"
],
"name": "docker-fleet-agent",
"os": {
"codename": "focal",
"family": "debian",
"kernel": "3.10.0-1160.88.1.el7.x86_64",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "linux",
"version": "20.04.5 LTS (Focal Fossa)"
}
},
"metricset": {
"name": "collector",
"period": 10000
},
"service": {
"address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
"type": "prometheus"
},
"tags": [
"forwarded",
"apache_tomcat-cache"
]
}Exported fields
| Field | Description | Type | Unit | Metric Type |
|---|---|---|---|---|
@timestamp | Event timestamp. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
apache_tomcat.cache.application_name | Name of the Apache Tomcat application. | keyword | ||
apache_tomcat.cache.hit.count | The number of requests for resources that were served from the cache. | double | gauge | |
apache_tomcat.cache.lookup.count | The number of requests for resources. | double | gauge | |
apache_tomcat.cache.object.size.max.kb | The maximum permitted size for a single object in the cache in kB. | double | gauge | |
apache_tomcat.cache.size.current.kb | The current estimate of the cache size in kB. | double | gauge | |
apache_tomcat.cache.size.max.kb | The maximum permitted size of the cache in kB. | double | gauge | |
apache_tomcat.cache.ttl.ms | The time-to-live for cache entries in milliseconds. | double | ms | gauge |
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | Data stream dataset. | constant_keyword | ||
data_stream.namespace | Data stream namespace. | constant_keyword | ||
data_stream.type | Data stream type. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
error.message | Error message. | match_only_text | ||
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | ||
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword | ||
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
tags | List of keywords used to tag each event. | keyword |
This is the Request data stream. This data stream collects metrics related to request count, and amount of data received and sent.
An example event for request looks as following:
{
"@timestamp": "2023-05-02T10:28:11.414Z",
"agent": {
"ephemeral_id": "f49b0637-5820-4155-bed9-519e4db4148a",
"id": "41c81fe5-7323-4e84-b501-ddad2fa3530a",
"name": "docker-fleet-agent",
"type": "metricbeat",
"version": "8.7.0"
},
"apache_tomcat": {
"request": {
"count": 1,
"error": {
"count": 0
},
"nio_connector": "http-nio-8080",
"received": {
"bytes": 0
},
"sent": {
"bytes": 11215
},
"time": {
"max": 1112,
"total": 1112
}
}
},
"data_stream": {
"dataset": "apache_tomcat.request",
"namespace": "ep",
"type": "metrics"
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "41c81fe5-7323-4e84-b501-ddad2fa3530a",
"snapshot": false,
"version": "8.7.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"web"
],
"dataset": "apache_tomcat.request",
"duration": 317506732,
"ingested": "2023-05-02T10:28:15Z",
"kind": "metric",
"module": "apache_tomcat",
"type": [
"info"
]
},
"host": {
"architecture": "x86_64",
"containerized": true,
"hostname": "docker-fleet-agent",
"id": "cdea87653a5e4f29905ca04b74758604",
"ip": [
"172.31.0.4"
],
"mac": [
"02-42-AC-1F-00-04"
],
"name": "docker-fleet-agent",
"os": {
"codename": "focal",
"family": "debian",
"kernel": "3.10.0-1160.88.1.el7.x86_64",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "linux",
"version": "20.04.5 LTS (Focal Fossa)"
}
},
"metricset": {
"name": "collector",
"period": 10000
},
"service": {
"address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
"type": "prometheus"
},
"tags": [
"forwarded",
"apache_tomcat-request"
]
}Exported fields
| Field | Description | Type | Unit | Metric Type |
|---|---|---|---|---|
@timestamp | Event timestamp. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
apache_tomcat.request.count | Number of requests processed. | double | counter | |
apache_tomcat.request.error.count | Number of errors. | double | gauge | |
apache_tomcat.request.nio_connector | Name of NIO Connector. | keyword | ||
apache_tomcat.request.received.bytes | Amount of data received, in bytes. | double | byte | counter |
apache_tomcat.request.sent.bytes | Amount of data sent, in bytes. | double | byte | counter |
apache_tomcat.request.time.max | Maximum time(ms) to process a request. | double | ms | counter |
apache_tomcat.request.time.total | Total time(ms) to process the requests. | double | ms | counter |
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | Data stream dataset. | constant_keyword | ||
data_stream.namespace | Data stream namespace. | constant_keyword | ||
data_stream.type | Data stream type. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
error.message | Error message. | match_only_text | ||
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | ||
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | keyword | ||
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
tags | List of keywords used to tag each event. | keyword |
| Version | Details |
|---|---|
0.6.0 | Enhancement View pull request Rename ownership from obs-service-integrations to obs-infraobs-integrations |
0.5.1 | Bug fix View pull request Remove Localhost dashboard and update saved searches. |
0.5.0 | Enhancement View pull request Apache Tomcat integration package with "access" data stream. |
0.4.0 | Enhancement View pull request Apache Tomcat integration package with "localhost" data stream. |
0.3.0 | Enhancement View pull request Apache Tomcat integration package with "request" data stream. |
0.2.0 | Enhancement View pull request Apache Tomcat integration package with "cache" data stream. |
0.1.0 | Enhancement View pull request Apache Tomcat integration package with "catalina" data stream. |