I am using packetbeat for http and mysql, these services are running inside a virtual machine. "client_server" and "server" fields are coming empty in output events. Can anyone suggest what might be the cause or any configuration to change?
How do you run Packetbeat? Inside the same VM? Or sniffing on the virtual switch from the host? Also, do you use the Logstash output or directly Elasticsearch?
For the client_server
and server
to work, you need to enable the save_topology option from the Elasticsearch output.
I am running packetbeat inside VM, and I am using logstash as output. I dont see save_topology for logstash output, is there any other alternate way for logstash outpu?
Also one more interesting point, can we sniff on virtual switch from host? If so please help me how to do that. Thanks a ton!!