Network Packet Capture over Logstash

Hi Everyone,

I've been having issues trying to use the Network Packet Capture (packetbeat) integration over Logstash.
Whenever the Logstash output is configured for Fleet, it seems like the integration stops sending data. There are no logs of relevance either in Logstash or in the Elastic Agent logs, yet no data from packetbeat is written to ES.

Upon switching the output back to ES, the data gets ingested normally. Here's my Logstash conf:

input {
  elastic_agent {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/cert.crt"
    ssl_key => "/etc/logstash/certs/cert.key.pkcs8"
    # "none": Logstash does not verify client certificates, so any client
    # that can reach port 5044 is accepted.
    ssl_verify_mode => "none"
    # Do not add source/codec/ssl-peer metadata to incoming events.
    enrich => none
    type => "elastic-agent"
  }
}

output {
  elasticsearch {
    hosts => 'https://elk:9200'
    # Route each event to the data stream named by its data_stream.* fields.
    data_stream => true
    data_stream_auto_routing => true
    ssl => true
    # CA used to verify the Elasticsearch server certificate.
    cacert => "/etc/logstash/certs/ca.crt"
    user => "elastic"
    password => "pass"
    manage_template => false
    action => "create"
  }
}

I have about 10 other integrations that all work perfectly, so it's not an issue anywhere other than the NPC integration.

Does anyone know if perhaps Logstash is yet to be supported, or is this a bug?
My ELK version is 8.8.1, the integration version is 1.18.0.

Thanks in advance for any help!

Cheers,
Luka

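A way to see whether packetbeat events reach Logstash at all, added here as an illustration and not part of the original post or of the integration: keep the elastic_agent input and elasticsearch output from the post unchanged and temporarily add a second output that copies only events whose data_stream.dataset belongs to the Network Packet Capture integration to a local file. The dataset prefix "network_traffic." and the file path are assumptions.

```conf
# Added debugging output (not from the original post). Remove it when done:
# it writes raw network-traffic events, which may contain sensitive data, to disk,
# so make sure the file is only readable by the logstash user.
output {
  # Assumption: the integration's datasets are named "network_traffic.<protocol>".
  if [data_stream][dataset] =~ /^network_traffic\./ {
    file {
      path  => "/var/log/logstash/npc-debug.jsonl"
      codec => json_lines
    }
    # Uncomment to also dump @metadata (for example the routing target the
    # elasticsearch output will use) into the Logstash log:
    # stdout { codec => rubydebug { metadata => true } }
  }
}
```

Every output block receives every event, so this runs alongside the existing elasticsearch output. If the file stays empty while the other integrations keep indexing, the packetbeat events are not arriving at Logstash and the agent side is where to look; if the file fills up but nothing shows in Elasticsearch, the problem is between the elasticsearch output and the cluster, and the data_stream.type, data_stream.dataset and data_stream.namespace values in the dumped events tell you which data stream the events were routed to.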

Replying in hopes of getting some traction.

Cheers,
Luka

While using Logstash, all the other integrations work, but just this NPC one is not working?

It may be an issue with this integration, as some integrations have issues when you have Logstash between Elastic Agent and Elasticsearch.

Did you change the default pipeline.ecs_compatibility in your logstash.yml or pipelines.yml? I had some issues related to it with one integration, as when this is enabled Logstash will add some metadata that can break the ingest pipeline in Elasticsearch.

Sorry for the late reply. The ecs compatibility option was not changed. If it were an ingest pipeline error, there should be 40x errors in the Logstash logs afaik.

Maybe it's simply yet to be supported, or some settings need to be tweaked. However, I can't find that to be the case from the docs.
