Huge packets sent from filebeat to ES

hjazz6 · October 19, 2023, 2:34am

Hi all,

I'm using the netflow module on filebeat v8.8.0 to send netflow traffic to ES. The incoming netflow packets are all about 5KB to 6KB. When I did a tcpdump on the interface that is sending the netflow data to ES, I noticed that a lot of the outgoing packets are 64KB.

Is this normal? Is there some sort of data buffering before sending it out to ES to result in the large packets?

I did have the following settings in my filebeat config:

queue.mem.events: 64000
queue.mem.flush.min_events: 4000
output.elasticsearch.bulk_max_size: 4000

and in the netflow.yml:

queue_size: 64000

I'm currently trying to improve the ingest rate and reduce the packet drop reported by filebeat, hence, I'm wondering if there might be any bottleneck in the network.

Thank you.

sholzhauer · October 19, 2023, 11:49am

Yes, filebeat "collects" events to bulk ingest them. There is some compression etc.
Ingests tend to use the bulk api's to improve throughput.

system · November 16, 2023, 1:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dropped Netflow packets in filebeat Beats filebeat	2	793	November 3, 2021
Netflow gaps between filebeat and elasticsearch Beats filebeat	1	359	April 15, 2020
Performanceissue with Filebeat and Netflow Input Beats beats-module , filebeat	7	1915	November 3, 2021
Filebeat netflow events per second - losing data? Beats	2	1020	September 5, 2019
Increasing queue size Beats filebeat	1	469	February 14, 2022

Huge packets sent from filebeat to ES

Related topics