I've uncommented the "#ignore_outgoing: true" line in packetbeat.yml and restarted packetbeat, but I can still see new transactions created by the server where packetbeat is installed.
Here are some fields of a transaction:
mydomain.com and 192.168.2.33 are the same machine, where packetbeat is installed.
Where is the client installed? The option ignore_outgoing is supposed to be used with the application server. That is, the server name (event field 'server') and the publisher name (field 'beat.name') are compared.
The 'server' fields were all empty.
The above event was a request from '192.168.2.33' to '192.168.2.44', which should have been ignored, since packetbeat was installed on '192.168.2.33' and 'ignore_outgoing' is 'true'.
All events' 'direction' fields should be 'out', since I set 'ignore_outgoing:true' for all packetbeat instances, am I right?
Now I have to figure out why 'server' is empty, any suggestions?
We are building a network topology map with all the Packetbeat instances. This information is stored in Elasticsearch and maps the IP and port of each Packetbeat instance to the name defined under
For each transaction, Packetbeat queries Elasticsearch to see if the network topology map includes the IP and port of the source and destination servers. If this information is available, the client_server field in the output is set to the name of the Packetbeat running on the source server, and the server field is set to the name of the Packetbeat running on the destination server.
By default, the topology map feature is disabled, so the server fields are empty.
If server is empty, then ignore_outgoing doesn't work, as it compares the name of the server field with the local Packetbeat name.
Thank you for noticing it. I will fix it right away.