Network Packet Capture over Logstash

lduvnjak · October 13, 2023, 9:20am

Hi Everyone,

I've been having issues trying to use the Network Packet Capture (packetbeat) integration over Logstash.
Whenever the Logstash output is configured for fleet, it seems like the integration stops sending data. There are absolutely no logs of relevance either in Logstash or in the Elastic Agent logs, but absolutely no data from packetbeat is written to ES.

Upon switching the output back to ES, the data gets ingested normally. Here's my Logstash conf:

input {
  elastic_agent {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/cert.crt"
    ssl_key => "/etc/logstash/certs/cert.key.pkcs8"
    ssl_verify_mode => "none"
    enrich => none
    type => "elastic-agent"
  }
}

output {
      elasticsearch {
        hosts => 'https://elk:9200'
        data_stream => true
        data_stream_auto_routing => "true"
        ssl => true
        cacert => "/etc/logstash/certs/ca.crt"
        user => "elastic"
        password => "pass"
        manage_template => false
        action => "create"
      }
}

I have about 10 other integrations that all work perfectly, so it's not an issue anywhere other than the NPC integration.

Does anyone know if perhaps Logstash is yet to be supported, or is this a bug?
My ELK version is 8.8.1, the integration version is 1.18.0.

Thanks in advance for any help!

Cheers,
Luka

lduvnjak · October 20, 2023, 8:32am

Replying in hopes of getting some traction.

Cheers,
Luka

leandrojmp · October 20, 2023, 12:55pm

While using Logstash all other integrations work, but just this NPC is not working?

It may be an issue with this integration as some integrations have issue when you have Logstash between Elastic Agent and Elasticsearch.

Did you change the default pipeline.ecs_compatibility in your logstash.yml or pipelines.yml? I had some issue related to it with one integration as if this is enabled logstash will add some metadata that can broke the ingest pipeline in Elasticsearch.

lduvnjak · October 24, 2023, 7:15am

Sorry for the late reply. The ecs compatability option was not changed. If it were an ingest pipeline error there should be 40x errors in the logstash logs afaik.

Maybe it's simply yet to be supported, or some settings need to be tweaked. However, I can't find that to be the case from the docs.

system · November 21, 2023, 7:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Packetbeat not sending to Logstash after Elastic-Agent uninstall Beats packetbeat	3	604	June 14, 2022
No incoming data to Logstash Output from Elastic Agents - Only Elasticsearch ouptut works Elasticsearch fleet	6	656	May 28, 2023
Logstash output not working and not throwing an error Beats packetbeat	3	439	October 27, 2020
Packetbeat not sending logs to Logstash Beats packetbeat	17	1148	July 31, 2022
Fleet Agent: Logstash output: Invalid version of beats protocol Beats fleet	12	3033	October 17, 2022

Network Packet Capture over Logstash

Related topics