Packetbeat 7.13.3 Error parsing handshake message

Hello,

I am using Packetbeat version 7.13.3. I have been running it for 3 days and it was working, but today I went to check and found out that it had been stopped for 12 hours, with some warnings and an error at the end of the logs.

Packetbeat logs:

2021-07-12T15:35:38.550+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (910643 bytes)
2021-07-12T15:35:39.624+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (16698146 bytes)
2021-07-12T15:35:41.674+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2671,"time":{"ms":281}},"total":{"ticks":66983,"time":{"ms":2281},"value":66983},"user":{"ticks":64312,"time":{"ms":2000}}},"handles":{"open":232},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20760406}},"memstats":{"gc_next":64547136,"memory_alloc":50173680,"memory_sys":21648360,"memory_total":8157649496,"rss":129458176},"runtime":{"goroutines":60}},"dhcpv4":{"total_packets":4},"dns":{"unmatched_responses":1},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":1147,"active":0,"batches":30,"total":1147},"read":{"bytes":253671},"write":{"bytes":1591177}},"pipeline":{"clients":30,"events":{"active":0,"published":976,"total":976},"queue":{"acked":1147}}},"tcp":{"dropped_because_of_gaps":227}}}}
2021-07-12T15:36:11.676+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":3500,"time":{"ms":829}},"total":{"ticks":79000,"time":{"ms":12017},"value":79000},"user":{"ticks":75500,"time":{"ms":11188}}},"handles":{"open":233},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20790405}},"memstats":{"gc_next":94774448,"memory_alloc":48710600,"memory_sys":26305712,"memory_total":10088534720,"rss":145473536},"runtime":{"goroutines":63}},"dns":{"unmatched_requests":1,"unmatched_responses":9},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":4215,"active":150,"batches":94,"total":4365},"read":{"bytes":929161},"write":{"bytes":5904990}},"pipeline":{"clients":30,"events":{"active":755,"published":4970,"total":4970},"queue":{"acked":4215}}},"tcp":{"dropped_because_of_gaps":1925}}}}
2021-07-12T15:36:41.675+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":4359,"time":{"ms":859}},"total":{"ticks":92421,"time":{"ms":13421},"value":92421},"user":{"ticks":88062,"time":{"ms":12562}}},"handles":{"open":233},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20820405}},"memstats":{"gc_next":96697456,"memory_alloc":67682808,"memory_sys":53348704,"memory_total":11991319392,"rss":175923200},"runtime":{"goroutines":63}},"dns":{"unmatched_requests":1},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":12629,"active":150,"batches":256,"total":12629},"read":{"bytes":2781370},"write":{"bytes":16886187}},"pipeline":{"clients":30,"events":{"active":4497,"published":15820,"total":15821},"queue":{"acked":12079}}},"tcp":{"dropped_because_of_gaps":5584}}}}
2021-07-12T15:36:58.270+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (1960879 bytes)
2021-07-12T15:37:11.822+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":5156,"time":{"ms":797}},"total":{"ticks":105687,"time":{"ms":13266},"value":105687},"user":{"ticks":100531,"time":{"ms":12469}}},"handles":{"open":236},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20850427}},"memstats":{"gc_next":63485296,"memory_alloc":55542800,"memory_sys":65536,"memory_total":13774723016,"rss":173740032},"runtime":{"goroutines":60}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":22802,"active":0,"batches":457,"total":22652},"read":{"bytes":5021491},"write":{"bytes":30280290}},"pipeline":{"clients":30,"events":{"active":1024,"published":19880,"total":19879},"queue":{"acked":23352}}},"tcp":{"dropped_because_of_gaps":3935}}}}
2021-07-12T15:37:20.678+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (7440300 bytes)
2021-07-12T15:37:28.029+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (7043748 bytes)
2021-07-12T15:37:34.963+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (5347974 bytes)
2021-07-12T15:37:41.678+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":6078,"time":{"ms":922}},"total":{"ticks":120124,"time":{"ms":14453},"value":120124},"user":{"ticks":114046,"time":{"ms":13531}}},"handles":{"open":238},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20880405}},"memstats":{"gc_next":96921024,"memory_alloc":59060224,"memory_sys":13054552,"memory_total":15684638344,"rss":186351616},"runtime":{"goroutines":63}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":21865,"active":150,"batches":442,"total":22015},"read":{"bytes":4814768},"write":{"bytes":29452514}},"pipeline":{"clients":30,"events":{"active":3730,"published":24571,"total":24571},"queue":{"acked":21865}}},"tcp":{"dropped_because_of_gaps":3923}}}}
2021-07-12T15:37:53.405+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (1408198 bytes)
2021-07-12T15:38:11.678+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":6828,"time":{"ms":750}},"total":{"ticks":134546,"time":{"ms":14406},"value":134546},"user":{"ticks":127718,"time":{"ms":13656}}},"handles":{"open":236},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20910405}},"memstats":{"gc_next":101259312,"memory_alloc":82474312,"memory_total":17702936272,"rss":187121664},"runtime":{"goroutines":63}},"dns":{"unmatched_requests":1},"http":{"unmatched_responses":2},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":19792,"active":150,"batches":399,"total":19792},"read":{"bytes":4358521},"write":{"bytes":26456487}},"pipeline":{"clients":30,"events":{"active":4190,"published":20252,"total":20252},"queue":{"acked":19792}}},"tcp":{"dropped_because_of_gaps":4052}}}}
2021-07-12T15:38:41.718+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":7796,"time":{"ms":968}},"total":{"ticks":149389,"time":{"ms":14843},"value":149389},"user":{"ticks":141593,"time":{"ms":13875}}},"handles":{"open":236},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20940430}},"memstats":{"gc_next":108797072,"memory_alloc":92282616,"memory_total":19706601032,"rss":206483456},"runtime":{"goroutines":63}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":20188,"active":150,"batches":405,"total":20188},"read":{"bytes":4445395},"write":{"bytes":26984839}},"pipeline":{"clients":30,"events":{"active":2062,"published":18060,"total":18060},"queue":{"acked":20188}}},"tcp":{"dropped_because_of_gaps":2291}}}}
2021-07-12T15:38:42.243+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (11476816 bytes)
2021-07-12T15:38:53.790+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (11400775 bytes)
2021-07-12T15:39:11.680+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":8609,"time":{"ms":813}},"total":{"ticks":163905,"time":{"ms":14516},"value":163905},"user":{"ticks":155296,"time":{"ms":13703}}},"handles":{"open":233},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":20970405}},"memstats":{"gc_next":95086784,"memory_alloc":69534104,"memory_total":21671082768,"rss":171073536},"runtime":{"goroutines":63}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":14755,"active":150,"batches":297,"total":14755},"read":{"bytes":3249219},"write":{"bytes":19742187}},"pipeline":{"clients":30,"events":{"active":2877,"published":15570,"total":15570},"queue":{"acked":14755}}},"tcp":{"dropped_because_of_gaps":4020}}}}
2021-07-12T15:39:41.683+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":9406,"time":{"ms":797}},"total":{"ticks":177906,"time":{"ms":14001},"value":177906},"user":{"ticks":168500,"time":{"ms":13204}}},"handles":{"open":233},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":21000405}},"memstats":{"gc_next":113527616,"memory_alloc":61268544,"memory_total":23592919080,"rss":165408768},"runtime":{"goroutines":63}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":19239,"active":150,"batches":386,"total":19239},"read":{"bytes":4236472},"write":{"bytes":25708096}},"pipeline":{"clients":30,"events":{"active":4497,"published":20858,"total":20859},"queue":{"acked":19239}}},"tcp":{"dropped_because_of_gaps":5950}}}}
2021-07-12T15:39:53.891+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (8504938 bytes)
2021-07-12T15:40:11.683+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10609,"time":{"ms":1203}},"total":{"ticks":192780,"time":{"ms":14874},"value":192780},"user":{"ticks":182171,"time":{"ms":13671}}},"handles":{"open":233},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":21030405}},"memstats":{"gc_next":104749184,"memory_alloc":87504320,"memory_sys":13251160,"memory_total":25528929184,"rss":189976576},"runtime":{"goroutines":63}},"dhcpv4":{"total_packets":2},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":26783,"active":150,"batches":540,"total":26783},"read":{"bytes":5898052},"write":{"bytes":35770369}},"pipeline":{"clients":30,"events":{"active":4497,"published":26783,"total":26783},"queue":{"acked":26783}}},"tcp":{"dropped_because_of_gaps":3755}}}}
2021-07-12T15:40:41.684+0200	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":11546,"time":{"ms":937}},"total":{"ticks":208217,"time":{"ms":15437},"value":208217},"user":{"ticks":196671,"time":{"ms":14500}}},"handles":{"open":233},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":21060405}},"memstats":{"gc_next":87441200,"memory_alloc":54969288,"memory_total":27693555264,"rss":200450048},"runtime":{"goroutines":63}},"dns":{"unmatched_responses":1},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":20978,"active":150,"batches":422,"total":20978},"read":{"bytes":4619557},"write":{"bytes":28066656}},"pipeline":{"clients":30,"events":{"active":2401,"published":18883,"total":18882},"queue":{"acked":20978}}},"tcp":{"dropped_because_of_gaps":2898}}}}
2021-07-12T15:40:45.496+0200	WARN	tls/parse.go:249	Error parsing handshake message: message too large (15200955 bytes)
21-07-12T15:52:59.721+0200	INFO	flows/util.go:64	flows worker loop stopped
2021-07-12T15:52:59.733+0200	INFO	[monitoring]	log/log.go:152	Total non-zero metrics	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":21359,"time":{"ms":21359}},"total":{"ticks":375234,"time":{"ms":375234},"value":375234},"user":{"ticks":353875,"time":{"ms":353875}}},"handles":{"open":234},"info":{"ephemeral_id":"23e55ead-2125-4d5b-b3a5-829045365974","uptime":{"ms":21798428}},"memstats":{"gc_next":45701248,"memory_alloc":43745152,"memory_sys":204458274,"memory_total":49613610808,"rss":100585472},"runtime":{"goroutines":58}},"dhcpv4":{"total_packets":562},"dns":{"unmatched_requests":3,"unmatched_responses":11},"http":{"unmatched_requests":1,"unmatched_responses":5},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":698562,"active":0,"batches":15593,"total":698562},"read":{"bytes":154030766},"type":"elasticsearch","write":{"bytes":926203112}},"pipeline":{"clients":30,"events":{"active":158,"published":698720,"retry":6,"total":698720},"queue":{"acked":698562,"max_events":4096}}},"system":{"cpu":{"cores":2}},"tcp":{"dropped_because_of_gaps":85004}}}}
2021-07-12T15:52:59.830+0200	INFO	[monitoring]	log/log.go:153	Uptime: 6h3m18.5301683s
2021-07-12T15:52:59.830+0200	INFO	[monitoring]	log/log.go:130	Stopping metrics logging.
2021-07-12T15:52:59.837+0200	INFO	instance/beat.go:479	packetbeat stopped.
2021-07-12T15:52:59.840+0200	ERROR	instance/beat.go:989	Exiting: sniffer loop failed: Sniffing error: Read Error

I restarted Packetbeat and now it's working, but this is just to let you know that Packetbeat will stop on this kind of error, so maybe you could add some exceptions!

Best regards

+1

Also seeing the same. I have been running through the Packetbeat documentation, and I see nothing in the TLS module for increasing the message size.

EDIT: To be clear... it is the Error parsing handshake message: message too large message I am seeing.

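A log-triage example for the pattern reported in this thread, added here and not part of the original posts or of Packetbeat itself: it collects the TLS "message too large" warnings, sums the per-interval `tcp.dropped_because_of_gaps` counter, and flags the fatal `Exiting:` line so that a stopped sensor is noticed sooner than the 12 hours described above. The function name `triage` and the report keys are assumptions, and the sample lines are constructed in the quoted log layout.

```python
import json
import re

# Constructed sample in the tab-separated layout of the log quoted above;
# the metrics JSON is cut down to the one counter used here.
SAMPLE_LOG = "\n".join([
    "2021-07-12T15:35:38.550+0200\tWARN\ttls/parse.go:249\tError parsing handshake message: message too large (910643 bytes)",
    "2021-07-12T15:35:39.624+0200\tWARN\ttls/parse.go:249\tError parsing handshake message: message too large (16698146 bytes)",
    '2021-07-12T15:35:41.674+0200\tINFO\t[monitoring]\tlog/log.go:144\tNon-zero metrics in the last 30s\t{"monitoring": {"metrics": {"tcp": {"dropped_because_of_gaps": 227}}}}',
    '2021-07-12T15:36:11.676+0200\tINFO\t[monitoring]\tlog/log.go:144\tNon-zero metrics in the last 30s\t{"monitoring": {"metrics": {"tcp": {"dropped_because_of_gaps": 1925}}}}',
    "2021-07-12T15:40:45.496+0200\tWARN\ttls/parse.go:249\tError parsing handshake message: message too large (15200955 bytes)",
    "2021-07-12T15:52:59.840+0200\tERROR\tinstance/beat.go:989\tExiting: sniffer loop failed: Sniffing error: Read Error",
])

TOO_LARGE = re.compile(r"Error parsing handshake message: message too large \((\d+) bytes\)")
FATAL = re.compile(r"\tERROR\t[^\t]+\tExiting: (.+)$")
METRICS_MARKER = "Non-zero metrics in the last 30s"


def triage(log_text):
    """Summarise oversize TLS warnings, TCP gap drops and a fatal exit."""
    report = {"oversize_sizes": [], "gap_drops": 0,
              "exit_reason": None, "last_seen": None}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 4:          # not a Packetbeat log line
            continue
        report["last_seen"] = fields[0]   # timestamp of the newest line
        hit = TOO_LARGE.search(line)
        if hit:
            report["oversize_sizes"].append(int(hit.group(1)))
        if METRICS_MARKER in fields:
            try:
                metrics = json.loads(fields[-1])["monitoring"]["metrics"]
            except (ValueError, KeyError, TypeError):
                metrics = {}              # truncated or malformed JSON
            # Per-interval values (they rise and fall in the quoted log),
            # so they are summed rather than taking the last one.
            report["gap_drops"] += metrics.get("tcp", {}).get(
                "dropped_because_of_gaps", 0)
        fatal = FATAL.search(line)
        if fatal:
            report["exit_reason"] = fatal.group(1)
    return report
```

A non-empty `exit_reason`, or a `last_seen` timestamp that stops advancing, is the condition to alert on for a capture sensor that has gone silent.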