'ignore_outgoing' doesn't work for me


(Desert Rose) #1

I've uncommented the "#ignore_outgoing: true" line in packetbeat.yml and restarted packetbeat, but I can still see new transactions created by the server where packetbeat is installed.

Here are some fields of a transaction:
beat.name: mydomain.com
client_ip: 192.168.2.33
direction: out
ip: 192.168.2.44

mydomain.com and 192.168.2.33 are the same machine, where packetbeat is installed.


(Steffen Siering) #2

Where is the client installed? The option ignore_outgoing is supposed to be used with the application server. That is, the server's name (event field 'server') and the publisher name (field 'beat.name') are compared.


(Desert Rose) #3

Thanks, steffens.

The 'server' fields were all empty.
The above event was a request from '192.168.2.33' to '192.168.2.44', which should have been ignored, since packetbeat was installed on '192.168.2.33' and 'ignore_outgoing' is 'true'.
All events' 'direction' fields should be 'out', since I set 'ignore_outgoing:true' for all packetbeat instances, am I right?
Now I have to figure out why 'server' is empty, any suggestions?


(Monica Sarbu) #4

We are building a network topology map with all the Packetbeat instances. This information is stored in Elasticsearch and maps the IP and port of each Packetbeat instance to the name defined under shipper->name.

For each transaction, Packetbeat queries Elasticsearch to see if the network topology map includes the IP and port of the source and destination servers. If this information is available, the client_server field in the output is set to the name of the Packetbeat running on the source server, and the server field is set to the name of the Packetbeat running on the destination server.

By default, the topology map feature is disabled, so the client_server and server fields are empty.
Because server is empty, ignore_outgoing doesn't work, as it compares the name of the server field with the local Packetbeat name.
Thank you for noticing it. I will fix it right away.
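
A small model of the behaviour described in post #4, added here as an illustration; it is not Packetbeat's code and does not come from any poster in this thread. The drop rule (a non-empty `server` that differs from the local name), the IP-only topology key and the name `app-server` are assumptions.

```python
"""Model of the topology lookup and ignore_outgoing check from post #4.

Not Packetbeat source code. Assumptions: the topology map is keyed by IP
only (the thread says IP and port), and an event is dropped only when its
'server' field is non-empty and differs from the local shipper name.
"""

def enrich(event, topology):
    """Fill client_server/server from the topology map (IP -> shipper name)."""
    enriched = dict(event)
    enriched["client_server"] = topology.get(event["client_ip"], "")
    enriched["server"] = topology.get(event["ip"], "")
    return enriched

def should_publish(event, local_name, ignore_outgoing):
    """Return False when the event is treated as outgoing and suppressed."""
    if ignore_outgoing and event["server"] and event["server"] != local_name:
        return False  # destination is another known Packetbeat, which reports it
    return True       # empty 'server' means nothing to compare, so it is kept

# Constructed from the event fields quoted in post #1.
EVENT = {"client_ip": "192.168.2.33", "ip": "192.168.2.44", "direction": "out"}
LOCAL_NAME = "mydomain.com"

# Topology disabled (the default described in post #4): no entries at all.
TOPOLOGY_DISABLED = {}
# Topology populated; "app-server" is a hypothetical shipper name.
TOPOLOGY_ENABLED = {"192.168.2.33": "mydomain.com", "192.168.2.44": "app-server"}

def published_on_client(topology):
    """Would the Packetbeat on 192.168.2.33 publish the sample event?"""
    return should_publish(enrich(EVENT, topology), LOCAL_NAME, ignore_outgoing=True)

def published_on_server(topology):
    """Would the Packetbeat on 192.168.2.44 publish the same transaction?"""
    return should_publish(enrich(EVENT, topology), "app-server", ignore_outgoing=True)

if __name__ == "__main__":
    print("client, topology disabled:", published_on_client(TOPOLOGY_DISABLED))
    print("client, topology enabled: ", published_on_client(TOPOLOGY_ENABLED))
    print("server, topology enabled: ", published_on_server(TOPOLOGY_ENABLED))
```

With the topology map empty the client-side instance still publishes the transaction, which matches what post #1 reports; once both hosts are in the map, only the destination side publishes it.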

