I installed packetbeat in the VM which installs the elastic stack. When I try to use Security - Explore - Network in Kibana, I find that the traffic Bytes count is much more than the real network traffic.
Then I try to check logs in Discover. I find that for each source.port there is a log with a bytes_in and bytes_out. I don't know if "Security - Explore - Network" adds all the bytes_in or bytes_out in each line of the log, making the value so large?
The Source and Destination table on the Network page does a sum aggregation on destination.bytes or source.bytes to calculate "Bytes in" and "Bytes out". So it adds destination.bytes or source.bytes from each log line to calculate the total value.
I simplified the query (for a fixed time range), making it easier to read and understand how the data is calculated.
Thanks for your feedback. I now know why Bytes_in and Bytes_out in Security - Explore - Network are so large.
But I think the result in Security - Explore - Network is not true. Will Elastic change the way it counts "Bytes In" and "Bytes Out"? I think it's not good to do a sum aggregation on destination.bytes or source.bytes to calculate "Bytes in" and "Bytes out".