Last active
September 12, 2023 12:56
-
-
Save mazoutte/875b3d4cbdae0c1a416b75ee2f3208df to your computer and use it in GitHub Desktop.
Metricbeat 7.17.9 - Active Directory - All NTDS perfmon counters 2012R2/+ - DNS/KDC/Netlogon examples
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Tested with Metricbeat 7.17.9 | |
| ### NTDS, DNS, KDC, Netlogon Counters | |
| ### Updates with new Perfmon Queries - mandatory in 8.x | |
| ### Fields format that would be generated : windows.perfmon.metrics.ntds_ab_anr_sec (dots are "renamed" to underscores under windows.perfmon.metrics.*) | |
| ### Now it's compliant with ECS field format, be careful with your actual metricbeat mapping templates. | |
| - module: windows | |
| metricsets: ["perfmon"] | |
| period: 10s | |
| perfmon.ignore_non_existent_counters: true | |
| perfmon.group_measurements_by_instance: true | |
| # NTDS | |
| perfmon.queries: | |
| - object: "DirectoryServices" | |
| instance: ["NTDS"] | |
| counters: | |
| - name: "AB ANR/sec" | |
| field: ntds.ab.anr.sec | |
| format: "float" | |
| - name: "AB Browses/sec" | |
| field: ntds.ab.browses.sec | |
| format: "float" | |
| - name: "AB Client Sessions" | |
| field: ntds.ab.client.sessions | |
| format: "float" | |
| - name: "AB Matches/sec" | |
| field: ntds.ab.matches.sec | |
| format: "float" | |
| - name: "AB Property Reads/sec" | |
| field: ntds.ab.prop.reads.sec | |
| format: "float" | |
| - name: "AB Proxy Lookups/sec" | |
| field: ntds.ab.proxy.lookups.sec | |
| format: "float" | |
| - name: "AB Searches/sec" | |
| field: ntds.ab.searches.sec | |
| format: "float" | |
| - name: "Approximate highest DNT" | |
| field: ntds.approx.highest.dnt | |
| format: "float" | |
| - name: "ATQ Estimated Queue Delay" | |
| field: ntds.atq.estimated.queue.delay | |
| format: "float" | |
| - name: "ATQ Outstanding Queued Requests" | |
| field: ntds.atq.outstanding.queued.requests | |
| format: "float" | |
| - name: "ATQ Request Latency" | |
| field: ntds.atq.request.latency | |
| format: "float" | |
| - name: "ATQ Threads LDAP" | |
| field: ntds.atq.threads.ldap | |
| format: "float" | |
| - name: "ATQ Threads Other" | |
| field: ntds.atq.threads.other | |
| format: "float" | |
| - name: "ATQ Threads Total" | |
| field: ntds.atq.threads.total | |
| format: "float" | |
| - name: "Base searches/sec" | |
| field: ntds.db.searches.sec | |
| format: "float" | |
| - name: "Database adds/sec" | |
| field: ntds.db.adds.sec | |
| format: "float" | |
| - name: "Database deletes/sec" | |
| field: ntds.db.deletes.sec | |
| format: "float" | |
| - name: "Database modifys/sec" | |
| field: ntds.db.modifys.sec | |
| format: "float" | |
| - name: "Database recycles/sec" | |
| field: ntds.db.recycles.sec | |
| format: "float" | |
| - name: "Digest Binds/sec" | |
| field: ntds.digest.binds.sec | |
| format: "float" | |
| - name: "DirSync session throttling rate" | |
| field: ntds.dirsync.session.throttling.rate | |
| format: "float" | |
| - name: "DirSync sessions in progress" | |
| field: ntds.dirsync.sessions.inprogress | |
| format: "float" | |
| - name: "DRA Highest USN Committed (High part)" | |
| field: ntds.dra.highest.usn.committed.highpart | |
| format: "float" | |
| - name: "DRA Highest USN Committed (Low part)" | |
| field: ntds.dra.highest.usn.committed.lowpart | |
| format: "float" | |
| - name: "DRA Highest USN Issued (High part)" | |
| field: ntds.dra.highest.usn.issued.highpart | |
| format: "float" | |
| - name: "DRA Highest USN Issued (Low part)" | |
| field: ntds.dra.highest.usn.issued.lowpart | |
| format: "float" | |
| - name: "DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot" | |
| field: ntds.dra.inbound.bytes.comp.intersite.aftercomp.boot | |
| format: "float" | |
| - name: "DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec" | |
| field: ntds.dra.inbound.bytes.comp.intersite.aftercomp.sec | |
| format: "float" | |
| - name: "DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot" | |
| field: ntds.dra.inbound.bytes.comp.intersite.beforecomp.boot | |
| format: "float" | |
| - name: "DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec" | |
| field: ntds.dra.inbound.bytes.comp.intersite.beforecomp.sec | |
| format: "float" | |
| - name: "DRA Inbound Bytes Not Compressed (Within Site) Since Boot" | |
| field: ntds.dra.inbound.bytes.notcomp.intrasite.boot | |
| format: "float" | |
| - name: "DRA Inbound Bytes Not Compressed (Within Site)/sec" | |
| field: ntds.dra.inbound.bytes.notcomp.intrasite.sec | |
| format: "float" | |
| - name: "DRA Inbound Bytes Total Since Boot" | |
| field: ntds.dra.inbound.bytes.total.boot | |
| format: "float" | |
| - name: "DRA Inbound Bytes Total/sec" | |
| field: ntds.dra.inbound.bytes.total.sec | |
| format: "float" | |
| - name: "DRA Inbound Full Sync Objects Remaining" | |
| field: ntds.dra.inbound.fullsync.objectsremaining | |
| format: "float" | |
| - name: "DRA Inbound Link Value Updates Remaining in Packet" | |
| field: ntds.dra.inbound.link.updates.remaining.inpacket | |
| format: "float" | |
| - name: "DRA Inbound Object Updates Remaining in Packet" | |
| field: ntds.dra.inbound.object.updates.remaining.inpacket | |
| format: "float" | |
| - name: "DRA Inbound Objects Applied/sec" | |
| field: ntds.dra.inbound.objects.applied.sec | |
| format: "float" | |
| - name: "DRA Inbound Objects Filtered/sec" | |
| field: ntds.dra.inbound.objects.filtered.sec | |
| format: "float" | |
| - name: "DRA Inbound Objects/sec" | |
| field: ntds.dra.inbound.objects.sec | |
| format: "float" | |
| - name: "DRA Inbound Properties Applied/sec" | |
| field: ntds.dra.inbound.prop.applied.sec | |
| format: "float" | |
| - name: "DRA Inbound Properties Filtered/sec" | |
| field: ntds.dra.inbound.prop.filtered.sec | |
| format: "float" | |
| - name: "DRA Inbound Properties Total/sec" | |
| field: ntds.dra.inbound.prop.total.sec | |
| format: "float" | |
| - name: "DRA Inbound Sync Link Deletion/sec" | |
| field: ntds.dra.inbound.sync.link.deletion.sec | |
| format: "float" | |
| - name: "DRA Inbound Total Updates Remaining in Packet" | |
| field: ntds.dra.inbound.total.updates.remaining.inpacket | |
| format: "float" | |
| - name: "DRA Inbound Values (DNs only)/sec" | |
| field: ntds.dra.inbound.values.dnonly.sec | |
| format: "float" | |
| - name: "DRA Inbound Values Total/sec" | |
| field: ntds.dra.inbound.values.total.sec | |
| format: "float" | |
| - name: "DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot" | |
| field: ntds.dra.outbound.bytes.comp.intersite.aftercomp.boot | |
| format: "float" | |
| - name: "DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec" | |
| field: ntds.dra.outbound.bytes.comp.intersite.aftercomp.sec | |
| format: "float" | |
| - name: "DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot" | |
| field: ntds.dra.outbound.bytes.comp.intersite.beforecomp.boot | |
| format: "float" | |
| - name: "DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec" | |
| field: ntds.dra.outbound.bytes.comp.intersite.beforecomp.sec | |
| format: "float" | |
| - name: "DRA Outbound Bytes Not Compressed (Within Site) Since Boot" | |
| field: ntds.dra.outbound.bytes.notcomp.intrasite.boot | |
| format: "float" | |
| - name: "DRA Outbound Bytes Not Compressed (Within Site)/sec" | |
| field: ntds.dra.outbound.bytes.notcomp.intrasite.sec | |
| format: "float" | |
| - name: "DRA Outbound Bytes Total Since Boot" | |
| field: ntds.dra.outbound.bytes.total.boot | |
| format: "float" | |
| - name: "DRA Outbound Bytes Total/sec" | |
| field: ntds.dra.outbound.bytes.total.sec | |
| format: "float" | |
| - name: "DRA Outbound Objects Filtered/sec" | |
| field: ntds.dra.outbound.objects.filtered.sec | |
| format: "float" | |
| - name: "DRA Outbound Objects/sec" | |
| field: ntds.dra.outbound.objects.sec | |
| format: "float" | |
| - name: "DRA Outbound Properties/sec" | |
| field: ntds.dra.outbound.prop.sec | |
| format: "float" | |
| - name: "DRA Outbound Values (DNs only)/sec" | |
| field: ntds.dra.outbound.values.dnonly.sec | |
| format: "float" | |
| - name: "DRA Outbound Values Total/sec" | |
| field: ntds.dra.outbound.values.total.sec | |
| format: "float" | |
| - name: "DRA Pending Replication Operations" | |
| field: ntds.dra.pending.outbound.repl.operations | |
| format: "float" | |
| - name: "DRA Pending Replication Synchronizations" | |
| field: ntds.dra.pending.outbound.repl.sync | |
| format: "float" | |
| - name: "DRA Sync Failures on Schema Mismatch" | |
| field: ntds.dra.sync.failures.schema.mismatch | |
| format: "float" | |
| - name: "DRA Sync Requests Made" | |
| field: ntds.dra.sync.requests.made | |
| format: "float" | |
| - name: "DRA Sync Requests Successful" | |
| field: ntds.dra.sync.requests.success | |
| format: "float" | |
| - name: "DRA Threads Getting NC Changes" | |
| field: ntds.dra.threads.nc.changes.all | |
| format: "float" | |
| - name: "DRA Threads Getting NC Changes Holding Semaphore" | |
| field: ntds.dra.threads.nc.changes.holding.semaphore | |
| format: "float" | |
| - name: "DS % Reads from DRA" | |
| field: ntds.ds.pct.reads.dra | |
| format: "float" | |
| - name: "DS % Reads from KCC" | |
| field: ntds.ds.pct.reads.kcc | |
| format: "float" | |
| - name: "DS % Reads from LSA" | |
| field: ntds.ds.pct.reads.lsa | |
| format: "float" | |
| - name: "DS % Reads from NSPI" | |
| field: ntds.ds.pct.reads.nspi | |
| format: "float" | |
| - name: "DS % Reads from NTDSAPI" | |
| field: ntds.ds.pct.reads.ntdsapi | |
| format: "float" | |
| - name: "DS % Reads from SAM" | |
| field: ntds.ds.pct.reads.sam | |
| format: "float" | |
| - name: "DS % Reads Other" | |
| field: ntds.ds.pct.reads.other | |
| format: "float" | |
| - name: "DS % Searches from DRA" | |
| field: ntds.ds.pct.searches.dra | |
| format: "float" | |
| - name: "DS % Searches from KCC" | |
| field: ntds.ds.pct.searches.kcc | |
| format: "float" | |
| - name: "DS % Searches from LSA" | |
| field: ntds.ds.pct.searches.lsa | |
| format: "float" | |
| - name: "DS % Searches from NSPI" | |
| field: ntds.ds.pct.searches.nspi | |
| format: "float" | |
| - name: "DS % Searches from NTDSAPI" | |
| field: ntds.ds.pct.searches.ntdsapi | |
| format: "float" | |
| - name: "DS % Searches from SAM" | |
| field: ntds.ds.pct.searches.sam | |
| format: "float" | |
| - name: "DS % Searches Other" | |
| field: ntds.ds.pct.searches.other | |
| format: "float" | |
| - name: "DS % Writes from DRA" | |
| field: ntds.ds.pct.writes.dra | |
| format: "float" | |
| - name: "DS % Writes from KCC" | |
| field: ntds.ds.pct.writes.kcc | |
| format: "float" | |
| - name: "DS % Writes from LSA" | |
| field: ntds.ds.pct.writes.lsa | |
| format: "float" | |
| - name: "DS % Writes from NSPI" | |
| field: ntds.ds.pct.writes.nspi | |
| format: "float" | |
| - name: "DS % Writes from NTDSAPI" | |
| field: ntds.ds.pct.writes.ntdsapi | |
| format: "float" | |
| - name: "DS % Writes from SAM" | |
| field: ntds.ds.pct.writes.sam | |
| format: "float" | |
| - name: "DS % Writes Other" | |
| field: ntds.ds.pct.writes.other | |
| format: "float" | |
| - name: "DS Client Binds/sec" | |
| field: ntds.ds.client.binds.sec | |
| format: "float" | |
| - name: "DS Client Name Translations/sec" | |
| field: ntds.ds.client.name.translations.sec | |
| format: "float" | |
| - name: "DS Directory Reads/sec" | |
| field: ntds.ds.directory.reads.sec | |
| format: "float" | |
| - name: "DS Directory Searches/sec" | |
| field: ntds.ds.directory.searches.sec | |
| format: "float" | |
| - name: "DS Directory Writes/sec" | |
| field: ntds.ds.directory.writes.sec | |
| format: "float" | |
| - name: "DS Monitor List Size" | |
| field: ntds.ds.mon.list.size | |
| format: "float" | |
| - name: "DS Name Cache hit rate" | |
| field: ntds.ds.name.cache.hit.rate | |
| format: "float" | |
| - name: "DS Notify Queue Size" | |
| field: ntds.ds.notify.queue.size | |
| format: "float" | |
| - name: "DS Search sub-operations/sec" | |
| field: ntds.ds.search.subop.sec | |
| format: "float" | |
| - name: "DS Security Descriptor Propagations Events" | |
| field: ntds.ds.security.desc.prop.events | |
| format: "float" | |
| - name: "DS Security Descriptor Propagator Average Exclusion Time" | |
| field: ntds.ds.security.desc.prop.ave.excl.time | |
| format: "float" | |
| - name: "DS Security Descriptor Propagator Runtime Queue" | |
| field: ntds.ds.security.desc.prop.runtime.queue | |
| format: "float" | |
| - name: "DS Security Descriptor sub-operations/sec" | |
| field: ntds.ds.security.desc.subop.sec | |
| format: "float" | |
| - name: "DS Server Binds/sec" | |
| field: ntds.ds.server.binds.sec | |
| format: "float" | |
| - name: "DS Server Name Translations/sec" | |
| field: ntds.ds.server.name.translations.sec | |
| format: "float" | |
| - name: "DS Threads in Use" | |
| field: ntds.ds.threads | |
| format: "float" | |
| - name: "External Binds/sec" | |
| field: ntds.external.binds.sec | |
| format: "float" | |
| - name: "Fast Binds/sec" | |
| field: ntds.fast.binds.sec | |
| format: "float" | |
| - name: "LDAP Active Threads" | |
| field: ntds.ldap.active.threads | |
| format: "float" | |
| - name: "LDAP Bind Time" | |
| field: ntds.ldap.bind.time | |
| format: "float" | |
| - name: "LDAP Client Sessions" | |
| field: ntds.ldap.client.sessions | |
| format: "float" | |
| - name: "LDAP Closed Connections/sec" | |
| field: ntds.ldap.closed.connections.sec | |
| format: "float" | |
| - name: "LDAP New Connections/sec" | |
| field: ntds.ldap.new.connections.sec | |
| format: "float" | |
| - name: "LDAP New SSL Connections/sec" | |
| field: ntds.ldap.new.ssl.connections.sec | |
| format: "float" | |
| - name: "LDAP Searches/sec" | |
| field: ntds.ldap.searches.sec | |
| format: "float" | |
| - name: "LDAP Successful Binds/sec" | |
| field: ntds.ldap.successful.binds.sec | |
| format: "float" | |
| - name: "LDAP UDP operations/sec" | |
| field: ntds.ldap.udp.operations.sec | |
| format: "float" | |
| - name: "LDAP Writes/sec" | |
| field: ntds.ldap.writes.sec | |
| format: "float" | |
| - name: "Link Values Cleaned/sec" | |
| field: ntds.link.values.cleaned.sec | |
| format: "float" | |
| - name: "Negotiated Binds/sec" | |
| field: ntds.negotiated.binds.sec | |
| format: "float" | |
| - name: "NTLM Binds/sec" | |
| field: ntds.ntlm.binds.sec | |
| format: "float" | |
| - name: "Onelevel searches/sec" | |
| field: ntds.onelevel.searches.sec | |
| format: "float" | |
| - name: "Phantoms Cleaned/sec" | |
| field: ntds.phantoms.cleaned.sec | |
| format: "float" | |
| - name: "Phantoms Visited/sec" | |
| field: ntds.phantoms.visited.sec | |
| format: "float" | |
| - name: "SAM Account Group Evaluation Latency" | |
| field: ntds.sam.acc.group.eval.latency | |
| format: "float" | |
| - name: "SAM Display Information Queries/sec" | |
| field: ntds.sam.display.info.queries.sec | |
| format: "float" | |
| - name: "SAM Domain Local Group Membership Evaluations/sec" | |
| field: ntds.sam.dl.membership.eval.sec | |
| format: "float" | |
| - name: "SAM Enumerations/sec" | |
| field: ntds.sam.enumerations.sec | |
| format: "float" | |
| - name: "SAM GC Evaluations/sec" | |
| field: ntds.sam.gc.eval.sec | |
| format: "float" | |
| - name: "SAM Global Group Membership Evaluations/sec" | |
| field: ntds.sam.gg.membership.eval.sec | |
| format: "float" | |
| - name: "SAM Machine Creation Attempts/sec" | |
| field: ntds.sam.machine.creation.attempts.sec | |
| format: "float" | |
| - name: "SAM Membership Changes/sec" | |
| field: ntds.sam.membership.changes.sec | |
| format: "float" | |
| - name: "SAM Non-Transitive Membership Evaluations/sec" | |
| field: ntds.sam.nontransitive.membership.eval.sec | |
| format: "float" | |
| - name: "SAM Password Changes/sec" | |
| field: ntds.sam.password.changes.sec | |
| format: "float" | |
| - name: "SAM Resource Group Evaluation Latency" | |
| field: ntds.sam.ress.group.eval.latency | |
| format: "float" | |
| - name: "SAM Successful Computer Creations/sec: Includes all requests" | |
| field: ntds.sam.success.computer.creation.sec | |
| format: "float" | |
| - name: "SAM Successful User Creations/sec" | |
| field: ntds.sam.success.user.creation.sec | |
| format: "float" | |
| - name: "SAM Transitive Membership Evaluations/sec" | |
| field: ntds.sam.transitive.membership.eval.sec | |
| format: "float" | |
| - name: "SAM Universal Group Membership Evaluations/sec" | |
| field: ntds.sam.ug.membership.eval.sec | |
| format: "float" | |
| - name: "SAM User Creation Attempts/sec" | |
| field: ntds.sam.user.creation.attempts.sec | |
| format: "float" | |
| - name: "Simple Binds/sec" | |
| field: ntds.simple.binds.sec | |
| format: "float" | |
| - name: "Subtree searches/sec" | |
| field: ntds.subtree.searches.sec | |
| format: "float" | |
| - name: "Tombstones Garbage Collected/sec" | |
| field: ntds.tombstones.garbage.col.sec | |
| format: "float" | |
| - name: "Tombstones Visited/sec" | |
| field: ntds.tombstones.visited.sec | |
| format: "float" | |
| - name: "Transitive operations milliseconds run" | |
| field: ntds.transitive.operations.ms.run | |
| format: "float" | |
| - name: "Transitive operations/sec" | |
| field: ntds.transitive.operations.sec | |
| format: "float" | |
| - name: "Transitive suboperations/sec" | |
| field: ntds.transitive.suboperations.sec | |
| format: "float" | |
| # DNS | |
| - object: "DNS" | |
| counters: | |
| - name: "Total Query Received" | |
| field: dns.total.query.received.all | |
| format: "float" | |
| - name: "Total Query Received/sec" | |
| field: dns.total.query.received.sec | |
| format: "float" | |
| - name: "Total Response Sent" | |
| field: dns.total.response.sent.all | |
| format: "float" | |
| - name: "Total Response Sent/sec" | |
| field: dns.total.response.sent.sec | |
| format: "float" | |
| # Other | |
| - object: "Server" | |
| counters: | |
| - name: "Server Sessions" | |
| field: server.server.sessions | |
| format: "float" | |
| - object: "Security System-Wide Statistics" | |
| counters: | |
| - name: "KDC AS Requests" | |
| field: security.system.wide.stats.kdc.as.requests | |
| format: "float" | |
| - name: "KDC TGS Requests" | |
| field: security.system.wide.stats.kdc.tgs.requests | |
| format: "float" | |
| - name: "Kerberos Authentications" | |
| field: security.system.wide.stats.kerberos.authentications | |
| format: "float" | |
| - name: "NTLM Authentications" | |
| field: security.system.wide.stats.ntlm.authentications | |
| format: "float" | |
| # NETLOGON | |
| - object: "Netlogon" | |
| instance: ["_Total"] | |
| counters: | |
| - name: "Average Semaphore Hold Time" | |
| field: netlogon.semaphore.avg.holdtime | |
| format: "float" | |
| - name: "Semaphore Timeouts" | |
| field: netlogon.semaphore.timeouts | |
| format: "float" | |
| - name: "Semaphore Acquires" | |
| field: netlogon.semaphore.acquires | |
| format: "float" | |
| - name: "Semaphore Holders" | |
| field: netlogon.semaphore.holders | |
| format: "float" | |
| - name: "Semaphore Waiters" | |
| field: netlogon.semaphore.waiters | |
| format: "float" |
New Updates with the New perfmon queries configuration.
"Old Way" is deprecated in 7.x and will be removed in 8.x
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
New update :
I had some troubles with 2 DNS counters (response/query per sec) and 1 AD Counter (DRA Threads Getting NC Changes Holding Semaphore).
These fields were in fact nested to another field ; which was causing trouble. I had ".all" value to the 'fake' parent fields to avoid trouble.