How can we moniter MySql port 3306 and Postgresql port 5432 in windows

Elastic Stack Beats
1

Dears

I wanted to get monitor from MySQL(3306) or PostgreSQL(5432) in windows 10 os
I have created inbound and outbound about 3306 and 5432 ports

I set configuration in packetbeat.yml like
packetbeat.interfaces.device: 0

packetbeat.protocols.http:
ports: [80, 8080, 8000, 5000, 8002, 8099]

packetbeat.protocols.mysql:
ports: [3306]

packetbeat.protocols.pgsql:
ports: [5432]

output.elasticsearch:
hosts: ["127.0.0.1:9200"]

I have installed Npcap also

After start ElasticSearch, Kibana and PacketBeat, I couldn"t receive packets from 3306 and 5432 ports, the same I can able to get packets from 8099(Tomcat)

Is there any thing need to set for windows?

Thanks & Regards,
Nagarajan.H

2

Windows doesn't really support localhost capturing. This ticket recommends npcap.

3

Are you sure you are listening on the correct device? You can list the devices with .\packetbeat.exe -devices.

4

if we put .\packetbeat.exe -devices command means

0: \Device\NPF_{5BC8D54F-F098-49C3-8D2D-969E839DFA8E} (Intel(R) Ethernet Connection I219-V) (fe80::79b6:7ad7:e5c6:9de9
192.168.2.120)
1: \Device\NPF_{11FF37BF-069C-481D-8EEE-1E1FB9BD69F6} (Microsoft) (fe80::dfa:60ab:c73d:87c7 2408:210:28ec:b800:24d7:cd
1e:56aa:e45d 2408:210:28ec:b800:dfa:60ab:c73d:87c7 192.168.2.100)

is coming in powershell command prompt

I have set
packetbeat.interfaces.device: 0

6

Thank You Very Much For The Information

7

Dear

I did based on

so that I can able to get

PS C:\Program Files\Packetbeat> .\packetbeat.exe -devices
0: \Device\NPF_{5BC8D54F-F098-49C3-8D2D-969E839DFA8E} (Intel(R) Ethernet Connection I219-V) (fe80::79b6:7ad7:e5c6:9de9
192.168.2.120)
1: \Device\NPF_{11FF37BF-069C-481D-8EEE-1E1FB9BD69F6} (Microsoft) (fe80::dfa:60ab:c73d:87c7 2408:210:28ec:b800:ac86:cc
08:6354:2d1f 2408:210:28ec:b800:dfa:60ab:c73d:87c7 192.168.2.100)
2: \Device\NPF_{AA15BD21-3348-460A-8081-023207EABD27} (MS NDIS 6.0 LoopBack Driver) (fe80::f180:c469:a35a:4b9e 0.0.0.0
)

in powershell command prompt, and I configured as 2 in packetbeat.yml file too

if we are execute the sql query from MySQL means, Wireshark receiving the packets

image.png1094×596 24.1 KB

the same I couldn"t get any packets in kibana

what can I do as settings

Thanks & Regards,
Nagarajan.H

8

If the traffic is coming in on the loopback device then using the device number 2 should get you the mysql traffic.

Please repost your latest config file. Use the </> button to get it formatted.

You could enable debug logging and see if there is anything interesting in the logs. Add logging.level: debug to your config.

9

For mysql I would also look out for flows being reported on this port. The mysql analyzer does not support all MYSQL transaction types. If flows are present, but mysql transactions are missing, it's likely due to unsupported transaction types. The analyzer will also print a message when debug is enabled.

10

Hi, now i am using
packetbeat.interfaces.device: 2
ports: [80, 8080, 8000, 5000, 8002, 8099]
ports: [3306]
ports: [5432]
logging.level: debug

only, even though I couldn't receive any 3306 and 5432 ports logs

11

The same I tried in PostgreSQL also, can you tell some of supported transaction by packetbeat , I have tried with insert data and retriew data from MySQL/PostgreSQL

12

simple SELECT and INSERT statements should work fine with MySQL and PostgreSQL. Enabling/using the flows feature gives you an idea if any packets have been processed for these ports.

Which IPs do your services have? Which IPs do your network interfaces have?

13

I am developing in local system which connected in internet

14

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.