Packet Beat not sending any data

Mhodge13 · November 6, 2019, 10:22pm

Hi,

Started noticing issues today with packet beat not sending any data to our elasticsearch SIEM. I started debug logging and found this constantly happening.

2019-11-06T16:15:10.000-0600	DEBUG	[flows]	flows/worker.go:121	worker tick, nTimeout=2, nPeriod=0
2019-11-06T16:15:10.000-0600	DEBUG	[flows]	flows/worker.go:143	exec tick, timeout=false, report=true
2019-11-06T16:15:10.071-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:10.571-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:11.071-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:11.571-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:12.072-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:12.573-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:13.088-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:13.590-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted
2019-11-06T16:15:14.105-0600	DEBUG	[sniffer]	sniffer/sniffer.go:185	Interrupted

Including config file blow:
#============================== Network device ================================

Select the network interface to sniff the data. On Linux, you can use the

"any" keyword to sniff on all connected interfaces.

packetbeat.interfaces.device: 0

#================================== Flows =====================================

Set `enabled: false` or comment out all options to disable flows reporting.

packetbeat.flows:

Set network flow timeout. Flow is killed if no packet is received before being

timed out.

timeout: 30s

enabled: true

Configure reporting period. If set to -1, only killed flows will be reported

period: 10s

#========================== Transaction protocols =============================

packetbeat.protocols:

type: icmp

Enable ICMPv4 and ICMPv6 monitoring. Default: false

enabled: true
type: amqp

Configure the ports where to listen for AMQP traffic. You can disable

the AMQP protocol by commenting out the list of ports.

ports: [5672]
type: cassandra
#Cassandra port for traffic monitoring.
ports: [9042]
type: dhcpv4

Configure the DHCP for IPv4 ports.

ports: [67, 68]
type: dns

Configure the ports where to listen for DNS traffic. You can disable

the DNS protocol by commenting out the list of ports.

ports: [53]
type: http

Configure the ports where to listen for HTTP traffic. You can disable

the HTTP protocol by commenting out the list of ports.

ports: [80, 8080, 8000, 5000, 8002]
type: memcache

Configure the ports where to listen for memcache traffic. You can disable

the Memcache protocol by commenting out the list of ports.

ports: [11211]
type: mysql

Configure the ports where to listen for MySQL traffic. You can disable

the MySQL protocol by commenting out the list of ports.

ports: [3306,3307]
type: pgsql

Configure the ports where to listen for Pgsql traffic. You can disable

the Pgsql protocol by commenting out the list of ports.

ports: [5432]
type: redis

Configure the ports where to listen for Redis traffic. You can disable

the Redis protocol by commenting out the list of ports.

ports: [6379]
type: thrift

Configure the ports where to listen for Thrift-RPC traffic. You can disable

the Thrift-RPC protocol by commenting out the list of ports.

ports: [9090]
type: mongodb

Configure the ports where to listen for MongoDB traffic. You can disable

the MongoDB protocol by commenting out the list of ports.

ports: [27017]
type: nfs

Configure the ports where to listen for NFS traffic. You can disable

the NFS protocol by commenting out the list of ports.

ports: [2049]
type: tls

Configure the ports where to listen for TLS traffic. You can disable

the TLS protocol by commenting out the list of ports.

ports:
- 443 # HTTPS
- 993 # IMAPS
- 995 # POP3S
- 5223 # XMPP over SSL
- 8443
- 8883 # Secure MQTT
- 9243 # Elasticsearch

#==================== Elasticsearch template setting ==========================

setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false

#================================ Logging =====================================

Sets log level. The default log level is info.

Available log levels are: error, warning, info, debug

logging.to_files: true
logging.level: debug

logging.files:
path: C:\Program Files\packetbeat\Logs
name: packetbeat
keepfiles: 7
permissions: 0644

SRS1 · November 19, 2019, 10:16am

I have two packetbeats running im my system, and one of them are seeing this issue. (The other one works well)

The only difference is that logstash is located on the localhost on one of them, the other one is remote.

SRS1 · November 19, 2019, 10:24am

And my stupidity is confirmed!

Use the packetbeat.exe device - and change the number accordingly! (....as stated in the user guide)

Mhodge13 · November 19, 2019, 11:39am

I'll give this a shot.

system · December 17, 2019, 11:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Packetbeat is not sending data to elasticsearch Beats packetbeat	2	975	March 9, 2021
Packet Beat does not send any data to elastic search Beats packetbeat	3	818	January 26, 2021
Exiting: data path already locked by another beat (packetbeat) Beats packetbeat	5	5100	July 23, 2020
geoIP enrichment stops ES from receiving data from packetbeat Beats packetbeat	5	760	February 13, 2020
PacketBeat timestamp Beats packetbeat	8	1670	June 6, 2017

Packet Beat not sending any data

Select the network interface to sniff the data. On Linux, you can use the

"any" keyword to sniff on all connected interfaces.

Set enabled: false or comment out all options to disable flows reporting.

Set network flow timeout. Flow is killed if no packet is received before being

timed out.

Configure reporting period. If set to -1, only killed flows will be reported

Enable ICMPv4 and ICMPv6 monitoring. Default: false

Configure the ports where to listen for AMQP traffic. You can disable

the AMQP protocol by commenting out the list of ports.

Configure the DHCP for IPv4 ports.

Configure the ports where to listen for DNS traffic. You can disable

the DNS protocol by commenting out the list of ports.

Configure the ports where to listen for HTTP traffic. You can disable

the HTTP protocol by commenting out the list of ports.

Configure the ports where to listen for memcache traffic. You can disable

the Memcache protocol by commenting out the list of ports.

Configure the ports where to listen for MySQL traffic. You can disable

the MySQL protocol by commenting out the list of ports.

Configure the ports where to listen for Pgsql traffic. You can disable

the Pgsql protocol by commenting out the list of ports.

Configure the ports where to listen for Redis traffic. You can disable

the Redis protocol by commenting out the list of ports.

Configure the ports where to listen for Thrift-RPC traffic. You can disable

the Thrift-RPC protocol by commenting out the list of ports.

Configure the ports where to listen for MongoDB traffic. You can disable

the MongoDB protocol by commenting out the list of ports.

Configure the ports where to listen for NFS traffic. You can disable

the NFS protocol by commenting out the list of ports.

Configure the ports where to listen for TLS traffic. You can disable

the TLS protocol by commenting out the list of ports.

Sets log level. The default log level is info.

Available log levels are: error, warning, info, debug

Related Topics

Set `enabled: false` or comment out all options to disable flows reporting.