Found Duplicated HTTP Events in Kubernetes Cluster

CoolDarran · December 24, 2019, 3:57am

Hi,
We're using Packetbeat to capture http traffic in Kubernetes Cluster. We've observed that there are duplicated http events even set ignore_outgoing to true.

Example as blow:

same network.community_id, source.ip, source.port, destination.ip, destination.port
the difference between these two event is agent.hostname, hostname and node.name
the actually event is the one with kubernetes.pod.uid attached

My question is if there's any sort of method to avoid duplicated events?

CoolDarran · December 24, 2019, 4:04am

the configuration:

packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet

packetbeat.ignore_outgoing: true

packetbeat.protocols:
- type: http
  enable: true
  send_all_headers: true
  split_cookie: true
  include_body_for: ["application/json", "application/x-www-form-urlencoded"]

packetbeat.flows:
  timeout: 30s
  period: 10s

processors:
  - add_cloud_metadata:
  - add_kubernetes_metadata:
      host: ${NODE_NAME}
      indexers:
      - ip_port:
      matchers:
      - field_format:
          format: '%{[server.ip]}:%{[server.port]}'

Topic		Replies	Views
Packetbeat duplicated HTTP events in Kubernetes Cluster Beats packetbeat	4	797	August 28, 2020
Kubernetes Events MetricBeat filter duplicate entries Beats metricbeat	5	1099	March 24, 2021
Packetbeat Flows and Kubernetes not working fine Beats packetbeat	1	771	October 1, 2018
Duplicated Kubernetes Events Beats metricbeat	3	1152	April 24, 2019
Packetbeat on Kubernetes Beats	1	1276	March 10, 2016

Found Duplicated HTTP Events in Kubernetes Cluster

Related topics