Flows detected on port 6379, but no Redis Protocol logs generated?

Bobby · August 14, 2017, 5:50pm

I'm not seeing Redis Protocol logs, but I am seeing flows to and from the Redis port. Why would that the case?

I have the Redis Protocol enabled in my packetbeat.yml file:

packetbeat.protocols.redis:
# Configure the ports where to listen for Redis traffic. You can disable
# the Redis protocol by commenting out the list of ports.
ports: [6379]

But I am not getting any Redis protocol logs. The same packetbeat instance is, however, reporting flows coming to and from that port. The following two search strings in kibana are returning results:

@metadata.beat: "packetbeat" AND type: "flow" AND dest.port: 6379 AND final: true

@metadata.beat: "packetbeat" AND type: "flow" AND packetbeatSource.port: 6379 AND final: true

Is there a reason I'd be seeing flows to and from that port, without seeing corresponding redis protocol logs?

Bobby · August 14, 2017, 5:54pm

Oh, I forgot to mention I have a filter applied. dest.port and packetbeatSource.port map to packetbeat's default dest object's port property, and the source object's port property, respectively.

andrewkroh · August 15, 2017, 8:50pm

I suggest that you turn on debug logging in Packetbeat for redis and see if that turns up any new information.

logging.level: debug
logging.selectors: [redis]

system · September 12, 2017, 8:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.