Found Duplicated HTTP Events in Kubernetes Cluster

CoolDarran · December 24, 2019, 3:57am

Hi,
We're using Packetbeat to capture http traffic in Kubernetes Cluster. We've observed that there are duplicated http events even set ignore_outgoing to true.

Example as blow:

same network.community_id, source.ip, source.port, destination.ip, destination.port
the difference between these two event is agent.hostname, hostname and node.name
the actually event is the one with kubernetes.pod.uid attached

My question is if there's any sort of method to avoid duplicated events?

CoolDarran · December 24, 2019, 4:04am

the configuration:

packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet

packetbeat.ignore_outgoing: true

packetbeat.protocols:
- type: http
  enable: true
  send_all_headers: true
  split_cookie: true
  include_body_for: ["application/json", "application/x-www-form-urlencoded"]

packetbeat.flows:
  timeout: 30s
  period: 10s

processors:
  - add_cloud_metadata:
  - add_kubernetes_metadata:
      host: ${NODE_NAME}
      indexers:
      - ip_port:
      matchers:
      - field_format:
          format: '%{[server.ip]}:%{[server.port]}'

system · January 21, 2020, 4:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Packetbeat duplicated HTTP events in Kubernetes Cluster Beats packetbeat	5	751	September 26, 2020
Is it good practice to exclude Packetbeat traffic? Beats packetbeat	4	949	April 15, 2017
Packetbeat- Duplicated flow records even intermediate report is disabled Beats packetbeat	1	393	November 3, 2020
Packetbeat Flows and Kubernetes not working fine Beats packetbeat	2	741	October 29, 2018
Filebeat used for k8s autodiscovery and file logs sending duplicated events Beats filebeat	4	562	June 2, 2020

Found Duplicated HTTP Events in Kubernetes Cluster

Related Topics