Hi
I have a fleet of Elastic Agents running on a fresh k8s cluster (running ECK 8.5.0). I added the Custom UDP Logs integration (default namespace, listen port 9512, listen address 0.0.0.0, dataset name: udp.generic) via Kibana, but nothing related to UDP shows up in Logs.
```
lab@master:~$ kubectl get nodes
NAME      STATUS   ROLES           AGE     VERSION
master    Ready    control-plane   2d15h   v1.25.4
worker1   Ready    <none>          2d15h   v1.25.4
worker2   Ready    <none>          2d15h   v1.25.4
lab@master:~$ kubectl get pods
NAME                                             READY   STATUS    RESTARTS      AGE
elastic-agent-quickstart-agent-4x4c4             1/1     Running   1 (2d15h ago) 2d15h
elastic-agent-quickstart-agent-qcqxb             1/1     Running   0             2d15h
elastic-agent-quickstart-agent-zzjgc             1/1     Running   0             2d15h
elasticsearch-quickstart-es-default-0            1/1     Running   0             2d15h
fleet-server-quickstart-agent-559586c896-glcds   1/1     Running   0             2d15h
kibana-quickstart-kb-775cb74f6d-7xhpj            1/1     Running   0             2d15h
kibana-quickstart-kb-775cb74f6d-g8s6p            1/1     Running   0             2d15h
kibana-quickstart-kb-775cb74f6d-prsft            1/1     Running   0             2d15h
lab@master:~$ kubectl get svc
NAME                                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
elasticsearch-quickstart-es-default         ClusterIP   None             <none>        9200/TCP   2d15h
elasticsearch-quickstart-es-http            ClusterIP   10.108.37.239    <none>        9200/TCP   2d15h
elasticsearch-quickstart-es-internal-http   ClusterIP   10.111.29.125    <none>        9200/TCP   2d15h
elasticsearch-quickstart-es-transport       ClusterIP   None             <none>        9300/TCP   2d15h
fleet-server-quickstart-agent-http          ClusterIP   10.106.49.142    <none>        8220/TCP   2d15h
kibana-quickstart-kb-http                   ClusterIP   10.107.172.205   <none>        5601/TCP   2d15h
kubernetes                                  ClusterIP   10.96.0.1        <none>        443/TCP    2d15h
```
UDP traffic is arriving at the master server, as seen below:
```
lab@master:~$ sudo tcpdump -i eth0 port 9512 -v -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:17:54.957485 IP (tos 0x0, ttl 64, id 57405, offset 0, flags [none], proto UDP (17), length 82)
    10.54.13.224.514 > 10.54.18.16.9512: 9512, length: 54
        Facility local7 (23), Severity info (6)
        Msg: Nov 14 02:17:36 CE1 last message repeated 5 times
10:17:54.957485 IP (tos 0x0, ttl 64, id 57406, offset 0, flags [none], proto UDP (17), length 154)
    10.54.13.224.514 > 10.54.18.16.9512: 9512, length: 126
        Facility local7 (23), Severity info (6)
        Msg: Nov 14 02:17:52 CE1 mgd[68478]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'psagrera', command 'show pfe statistics traffic '
[....]
```
Looking at the logs from one of the pods, I see only this:
```
root@elastic-agent-quickstart-agent-zzjgc:/usr/share/elastic-agent# cat /usr/share/elastic-agent/state/data/logs/default/filebeat-20221114-4.ndjson
{"log.level":"info","@timestamp":"2022-11-14T09:40:57.820Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":186},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":11880,"time":{"ms":40}},"total":{"ticks":36160,"time":{"ms":100},"value":36160},"user":{"ticks":24280,"time":{"ms":60}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":17},"info":{"ephemeral_id":"5ed109d9-4d7c-4ca8-b1ce-b207143bd8eb","uptime":{"ms":10956697},"version":"8.5.0"},"memstats":{"gc_next":20487144,"memory_alloc":15909752,"memory_total":813465336,"rss":124211200},"runtime":{"goroutines":71}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.79,"15":0.32,"5":0.46,"norm":{"1":0.0988,"15":0.04,"5":0.0575}}}},"ecs.version":"1.6.0"}}
```
I'm not able to see or find any indices or datasets related to UDP.
I'm new to this topic, so perhaps I'm doing something wrong here ...
Thanks in advance
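The tcpdump capture above proves the datagrams reach the node's eth0, but the filebeat log shows zero active events, so the open question is whether anything inside the agent pod ever receives them. The following added diagnostic (not code from the post, not part of Elastic Agent or the Custom UDP Logs integration) does two things: it decodes RFC 3164-style syslog datagrams of the shape tcpdump printed (facility/severity from the `<PRI>` header, host, program, PID, message), and it binds a throwaway UDP listener, sends one constructed datagram to it and decodes what arrives. The sample messages are reconstructed from the tcpdump output, with PRI 190 assumed from the decoded facility local7 (23) and severity info (6), since 23 * 8 + 6 = 190. The loopback round trip with `port=0` is a self-test; to check the pod itself, run it via `kubectl exec` with `listen_addr="0.0.0.0"` and `port=9512` and send a real datagram from the syslog source. If that bind fails with "Address already in use", the integration's input is listening in that pod and the problem is upstream of it (typically the node's port is not reaching the pod's network namespace); if the bind succeeds but nothing arrives, the traffic is not entering the pod at all.

```python
"""Decode RFC 3164-style syslog datagrams and verify UDP delivery end to end.

Added diagnostic example; not from the original post or from Elastic.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Optional <PRI>, then "Mmm dd HH:MM:SS", then HOST, then the rest of the line.
_HEADER = re.compile(rb"^(?:<(\d{1,3})>)?(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# "TAG[PID]: MESSAGE"; lines such as "last message repeated 5 times" have no tag.
_TAG = re.compile(rb"^([\w./-]+)(?:\[(\d+)\])?:\s*(.*)$", re.S)

# Constructed samples, reconstructed from the tcpdump output in the post.
# PRI 190 is assumed: facility local7 (23) * 8 + severity info (6).
SAMPLE_CMD = (b"<190>Nov 14 02:17:52 CE1 mgd[68478]: %INTERACT-6-UI_CMDLINE_READ_LINE: "
              b"User 'psagrera', command 'show pfe statistics traffic '")
SAMPLE_REPEAT = b"<190>Nov 14 02:17:36 CE1 last message repeated 5 times"


def parse_syslog(datagram: bytes) -> dict:
    """Split one RFC 3164 datagram into facility, severity, host, program, pid, message."""
    m = _HEADER.match(datagram.rstrip(b"\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % datagram[:40])
    pri, ts, host, rest = m.groups()
    event = {"timestamp": ts.decode(), "host": host.decode(),
             "facility": None, "severity": None, "program": None, "pid": None}
    if pri is not None:
        pri = int(pri)
        if pri > 191:
            raise ValueError("PRI out of range: %d" % pri)
        event["facility"] = FACILITIES[pri // 8]   # high bits: facility
        event["severity"] = SEVERITIES[pri % 8]    # low 3 bits: severity
    t = _TAG.match(rest)
    if t:
        event["program"] = t.group(1).decode()
        event["pid"] = int(t.group(2)) if t.group(2) else None
        event["message"] = t.group(3).decode(errors="replace")
    else:
        event["message"] = rest.decode(errors="replace")
    return event


def udp_roundtrip(message: bytes, listen_addr: str = "127.0.0.1",
                  port: int = 0, timeout: float = 2.0):
    """Bind a UDP listener, send `message` to it, and return (bound_port, parsed event).

    port=0 lets the OS pick a free port for a local self-test; inside the agent
    pod use listen_addr="0.0.0.0", port=9512 to see whether real traffic
    arrives (a bind error "Address already in use" means the input is already
    listening there).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind((listen_addr, port))
        bound_port = srv.getsockname()[1]
        srv.settimeout(timeout)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
            cli.sendto(message, ("127.0.0.1" if listen_addr == "0.0.0.0" else listen_addr,
                                 bound_port))
        data, (src_ip, src_port) = srv.recvfrom(65535)
    event = parse_syslog(data)
    event["source"] = "%s:%d" % (src_ip, src_port)
    return bound_port, event


if __name__ == "__main__":
    for sample in (SAMPLE_CMD, SAMPLE_REPEAT):
        print(parse_syslog(sample))
    print(udp_roundtrip(SAMPLE_CMD))
```

The parser is deliberately lenient about a missing `<PRI>` so that a datagram from a source that omits it still decodes; only the PRI-derived facility and severity are then left empty.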