I am trying to use Packetbeat for network monitoring.
If I use Packetbeat with pcap, I get network traffic successfully,
but some packets are dropped. When I check the logs, I see "Fail to parse HTTP parameters".
If I use af_packet instead of pcap, the logs do not show any errors,
but when I start debug logging, I see this:
2020-02-12T09:35:08.778+0300 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2020-02-12T09:35:09.278+0300 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
And I cannot see traffic. How can I resolve this?
I aim to minimize packet loss.
Here is my config:
setup.template.name: "packetbeat"
setup.template.pattern: "packetbeat-*"
packetbeat.interfaces.device: ens224
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.buffer_size_mb: 2048
packetbeat.interfaces.ignore_outgoing: true
packetbeat.interfaces.snaplen: 1514
packetbeat.interfaces.with_vlans: true
packetbeat.protocols:
- type: http
  ports: [9000]
  hide_keywords: ["pass", "password", "passwd"]
  send_headers: ["User-Agent", "Cookie", "Set-Cookie"]
  send_all_headers: true
  split_cookie: true
  real_ip_header: "X-Forwarded-For"
  send_request: true
  send_response: true
  include_body_for: ["text/html", "application/json"]
  decode_body: true
output.elasticsearch:
  hosts: ["http://127.0.0.1:9200"]
  index: "packetbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/packetbeat
  name: packetbeat.log
  keepfiles: 7
  permissions: 0644