Packet Beat not sending any data

Hi,

Started noticing issues today with packet beat not sending any data to our elasticsearch SIEM. I started debug logging and found this constantly happening.

2019-11-06T16:15:10.000-0600 DEBUG [flows] flows/worker.go:121 worker tick, nTimeout=2, nPeriod=0
2019-11-06T16:15:10.000-0600 DEBUG [flows] flows/worker.go:143 exec tick, timeout=false, report=true
2019-11-06T16:15:10.071-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:10.571-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:11.071-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:11.571-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:12.072-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:12.573-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:13.088-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:13.590-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:14.105-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted

Including config file below:
```yaml
#============================== Network device ================================

# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: 0

#================================== Flows =====================================

# Set enabled: false or comment out all options to disable flows reporting.
packetbeat.flows:
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s
  enabled: true
  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s

#========================== Transaction protocols =============================

packetbeat.protocols:
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: true

- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]

- type: cassandra
  # Cassandra port for traffic monitoring.
  ports: [9042]

- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [67, 68]

- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]

- type: memcache
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
  ports: [11211]

- type: mysql
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
  ports: [3306, 3307]

- type: pgsql
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
  ports: [5432]

- type: redis
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
  ports: [6379]

- type: thrift
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
  ports: [9090]

- type: mongodb
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
  ports: [27017]

- type: nfs
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
  ports: [2049]

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.to_files: true
logging.level: debug

logging.files:
  path: C:\Program Files\packetbeat\Logs
  name: packetbeat
  keepfiles: 7
  permissions: 0644
```

I have two packetbeats running in my system, and one of them is seeing this issue. (The other one works well)

The only difference is that logstash is located on the localhost on one of them, the other one is remote.
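A small check for this failure signature, added here as an example and not part of the original thread or of Packetbeat itself: it parses the Beats debug-log layout quoted above and flags an excerpt in which the sniffer reports nothing but "Interrupted" while the flow worker keeps ticking, which is how a capture that delivers no packets (for instance a wrong interface index) shows up in the SIEM's own telemetry. The "silent capture" heuristic, its threshold and the sample lines are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the debug log quoted in the post above.
SAMPLE_LOG = """\
2019-11-06T16:15:10.000-0600 DEBUG [flows] flows/worker.go:121 worker tick, nTimeout=2, nPeriod=0
2019-11-06T16:15:10.000-0600 DEBUG [flows] flows/worker.go:143 exec tick, timeout=false, report=true
2019-11-06T16:15:10.071-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:10.571-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:11.071-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:11.571-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:12.072-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
2019-11-06T16:15:12.573-0600 DEBUG [sniffer] sniffer/sniffer.go:185 Interrupted
"""

# Beats debug line layout: timestamp, level, [selector], file:line, message.
LINE_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+\[([^\]]+)\]\s+(\S+)\s+(.*)$")


def parse_log(text):
    """Yield (selector, message) for every line that matches the Beats layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(3), m.group(5)


def diagnose(text, min_interrupted=5):
    """Return counters plus a verdict: 'no_capture' or 'ok'.

    Heuristic (this example's assumption, not a Packetbeat rule): a sniffer that
    logs only 'Interrupted' while flow ticks continue and no other selector is
    active is polling a device that delivers no packets.
    """
    by_selector = Counter()
    interrupted = 0
    for selector, msg in parse_log(text):
        by_selector[selector] += 1
        if selector == "sniffer" and msg == "Interrupted":
            interrupted += 1
    # Any other sniffer message, or any line from another selector, is evidence of traffic.
    traffic_events = (by_selector["sniffer"] - interrupted) + sum(
        n for s, n in by_selector.items() if s not in ("flows", "sniffer")
    )
    silent = interrupted >= min_interrupted and traffic_events == 0
    return {
        "interrupted": interrupted,
        "flow_ticks": by_selector["flows"],
        "traffic_events": traffic_events,
        "verdict": "no_capture" if silent else "ok",
    }
```

Run it against the current log file of each Packetbeat instance; a "no_capture" verdict on a host that should be busy is the cue to compare `packetbeat.interfaces.device` with the device list on that machine.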

And my stupidity is confirmed!

Use the packetbeat.exe device - and change the number accordingly! (....as stated in the user guide)

I'll give this a shot.
