Is Network Traffic (Fleet Integration) the new Packetbeat? - Missing Netflow?

Hi Guys,

I noticed that the integration didn't create the indices for network flow. Is this a bug or missed configuration?


{"type":"security_exception","reason":"action [indices:admin/auto_create] is unauthorized for API key id [y_XFOHwBVDdS0yUQQK5L] of user [elastic/fleet-server] on indices [logs-network_traffic.flow-default-2021.09.30], this action is granted by the index privileges [auto_configure,create_index,manage,all]"}, dropping event

I saw a similar permissions issue in No Elastic Security Events but Agents status is "green" - #2 by andrewkroh. With that issue, recreating the policy for that agent cleared up the problem.

Hi @zx8086. First, we are not all guys :slight_smile:

I repeated this as well ...

Curious... Where did you pull that error log line from?

Can you provide your Elastic Stack version / agent version, method of install, OS for Elastic, and where you deployed the agent to?

7.15
Network Traffic from Elastic-Agent Integration
From Observability Logs, affecting all hosts: Debian (RPi4) and Darwin (Mac OSX 10.13), deployed by a Debian Buster 10 node

Thanks

Ok, I guess what I meant was: is that an Elastic Agent log, Kibana log or Elasticsearch log message? No worries, we will take a look.

EDIT: that is a log message from the agent... we are looking.

@stephenb @andrewkroh

From index .ds-logs-network_traffic.dns-default-2021.09.30-000001

Also with Network Traffic...

TLS (when Enabled)

{"type":"mapper_parsing_exception","reason":"failed to parse field [tls.detailed.server_certificate_chain] of type [keyword] ... "caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:3620"}}, dropping event!

Not sure how Fleet Managed integrations have mapping issues for default ingestion / pipeline setups.
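A small triage helper for the two "dropping event" errors quoted in this thread (the `security_exception` on `logs-network_traffic.flow-default-*` and the `mapper_parsing_exception` on `tls.detailed.server_certificate_chain`). This is an added example, not code from the thread or from Elastic; the sample lines are constructed to mirror the quoted errors, with a placeholder in place of the real API key id.

```python
import json
import re
from typing import Optional

# Constructed sample agent log lines modelled on the errors quoted in this thread.
SAMPLE_LOG_LINES = [
    '{"type":"security_exception","reason":"action [indices:admin/auto_create] is unauthorized for API key id [KEY_ID_PLACEHOLDER] of user [elastic/fleet-server] on indices [logs-network_traffic.flow-default-2021.09.30], this action is granted by the index privileges [auto_configure,create_index,manage,all]"}, dropping event',
    '{"type":"mapper_parsing_exception","reason":"failed to parse field [tls.detailed.server_certificate_chain] of type [keyword]","caused_by":{"type":"illegal_state_exception","reason":"Can\'t get text on a START_OBJECT at 1:3620"}}, dropping event!',
    "Non-JSON agent line that should be ignored",
]

DROP_SUFFIX = re.compile(r",\s*dropping event!?\s*$")
# Backing indices carry a date (and optional generation) suffix; strip it to get the data stream name.
DATE_SUFFIX = re.compile(r"-\d{4}\.\d{2}\.\d{2}(-\d+)?$")


def extract_error(line: str) -> Optional[dict]:
    """Return the leading JSON error object from a 'dropping event' line, or None for other lines."""
    if not DROP_SUFFIX.search(line):
        return None
    start = line.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(line[start:])  # ignore the trailing ", dropping event"
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def triage(err: dict) -> dict:
    """Classify one error and pull out the pieces an operator needs to act on it."""
    kind, reason = err.get("type", ""), err.get("reason", "")
    result = {"type": kind, "category": "unknown", "action": None, "indices": [],
              "data_streams": [], "granting_privileges": [], "field": None, "caused_by": None}
    if kind == "security_exception":
        # Authorization failure: which action, on which indices, and which privileges would allow it.
        result["category"] = "authorization"
        m = re.search(r"action \[([^\]]+)\]", reason)
        result["action"] = m.group(1) if m else None
        m = re.search(r"on indices \[([^\]]+)\]", reason)
        result["indices"] = m.group(1).split(",") if m else []
        result["data_streams"] = sorted({DATE_SUFFIX.sub("", i) for i in result["indices"]})
        m = re.search(r"index privileges \[([^\]]+)\]", reason)
        result["granting_privileges"] = m.group(1).split(",") if m else []
    elif kind == "mapper_parsing_exception":
        # Mapping failure: which field rejected the document and the underlying cause type.
        result["category"] = "mapping"
        m = re.search(r"failed to parse field \[([^\]]+)\]", reason)
        result["field"] = m.group(1) if m else None
        result["caused_by"] = err.get("caused_by", {}).get("type")
    return result


def triage_log(lines):
    """Triage every 'dropping event' error in a sequence of agent log lines."""
    return [triage(e) for e in map(extract_error, lines) if e]
```

Running `triage_log(SAMPLE_LOG_LINES)` separates the permissions problem (the fleet-server API key lacks `auto_configure`/`create_index` on the `logs-network_traffic.flow-default` data stream) from the mapping problem (an object arriving in a `keyword` field), which is the first thing to establish before deciding whether to recreate the agent policy or report an integration mapping bug.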

I think I found the problem with logs-network_traffic.flow and have opened a fix.