Found Duplicated HTTP Events in Kubernetes Cluster

We're using Packetbeat to capture http traffic in Kubernetes Cluster. We've observed that there are duplicated http events even set ignore_outgoing to true.

Example as blow:

  • same network.community_id, source.ip, source.port, destination.ip, destination.port
  • the difference between these two event is agent.hostname, hostname and
  • the actually event is the one with kubernetes.pod.uid attached

My question is if there's any sort of method to avoid duplicated events?

the configuration:

packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet

packetbeat.ignore_outgoing: true

- type: http
  enable: true
  send_all_headers: true
  split_cookie: true
  include_body_for: ["application/json", "application/x-www-form-urlencoded"]

  timeout: 30s
  period: 10s

  - add_cloud_metadata:
  - add_kubernetes_metadata:
      host: ${NODE_NAME}
      - ip_port:
      - field_format:
          format: '%{[server.ip]}:%{[server.port]}'

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.