Hello, hope everyone is in good health.
We want to monitor the amount of data (GBs) which is being sent to an HTTPS endpoint from our Logstash servers. To do so we installed Packetbeat with the attached configuration.
Usually this would be a case of searching for all traffic on TLS to the IP addresses of the endpoint; however, these are relatively dynamic as it's an AWS load balancer. The challenge we face is that some of the events logged contain a destination.domain with the endpoint, whereas the ones with byte fields do not, but do contain the IP addresses.
Does anyone have any experience/solutions/pointers on how we could monitor this traffic properly?
packetbeat.yaml
#============================== Network device ================================
packetbeat:
  interfaces:
    device: any
#================================== Flows =====================================
packetbeat.flows:
  # Enable Network flows. Default: true
  #enabled: true
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s
  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s
  # Set to true to publish fields with null values in events.
  #keep_null: false
#========================== Transaction protocols =============================
packetbeat.protocols:
- type: http
  enabled: true
  ports: [80]
  tags: ["elk", "logstash"]
- type: tls
  enabled: true
  ports: [443]
  tags: ["elk", "logstash"]
#================================ Processors ===================================
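One way to join the two kinds of events described in the question: learn an IP-to-domain map from the TLS events (which carry destination.domain from the SNI) and use it to attribute the byte counts of the flow events, which only carry IPs. This is an added example, not code from the original post or from Packetbeat; it assumes Packetbeat's ECS field layout (destination.ip, destination.domain, flow.id, flow.final, source.bytes as bytes sent from source to destination) and that periodic flow reports carry cumulative counts for the same flow.id, so only the largest value per flow is counted. The sample events are constructed.

```python
"""Attribute Packetbeat flow bytes to the TLS server name seen for the same IP.

Added example (not from the original post). Assumed field layout:
- TLS events:  type=tls,  destination.ip, destination.domain (from SNI)
- Flow events: type=flow, destination.ip, flow.id, flow.final, source.bytes
Flow stats are assumed cumulative per flow.id across periodic reports.
"""
from collections import defaultdict

# Constructed sample: two handshakes to load-balancer IPs, then flow reports.
# Flow f1 is reported twice (period: 10s); the second report is the final one.
EVENTS = [
    {"type": "tls", "destination": {"ip": "203.0.113.10", "domain": "logs.example.com"}},
    {"type": "tls", "destination": {"ip": "203.0.113.11", "domain": "logs.example.com"}},
    {"type": "flow", "flow": {"id": "f1", "final": False},
     "destination": {"ip": "203.0.113.10"}, "source": {"bytes": 1000}},
    {"type": "flow", "flow": {"id": "f1", "final": True},
     "destination": {"ip": "203.0.113.10"}, "source": {"bytes": 4000}},
    {"type": "flow", "flow": {"id": "f2", "final": True},
     "destination": {"ip": "203.0.113.11"}, "source": {"bytes": 2500}},
    {"type": "flow", "flow": {"id": "f3", "final": True},
     "destination": {"ip": "198.51.100.7"}, "source": {"bytes": 900}},  # no SNI seen
]


def bytes_per_domain(events):
    """Return {domain: bytes sent to it}; IPs with no SNI seen go under 'unknown'."""
    ip_to_domain = {}   # learned from TLS events; latest SNI per IP wins
    flow_bytes = {}     # flow.id -> (destination ip, largest cumulative byte count)
    for ev in events:
        dst = ev.get("destination", {})
        if ev.get("type") == "tls" and dst.get("domain"):
            ip_to_domain[dst["ip"]] = dst["domain"]
        elif ev.get("type") == "flow":
            fid = ev["flow"]["id"]
            sent = ev.get("source", {}).get("bytes", 0)
            prev = flow_bytes.get(fid, (dst["ip"], 0))[1]
            # keep the largest cumulative value so repeated reports are not double counted
            flow_bytes[fid] = (dst["ip"], max(prev, sent))
    totals = defaultdict(int)
    for ip, nbytes in flow_bytes.values():
        totals[ip_to_domain.get(ip, "unknown")] += nbytes
    return dict(totals)


if __name__ == "__main__":
    print(bytes_per_domain(EVENTS))
```

In a real deployment the IP-to-domain map should be time-bounded, since the load balancer's addresses change and an IP may later front a different host.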