Hi, we are experiencing a similar issue as in this post.
Configuration:
```yaml
packetbeat.ignore_outgoing: true
setup.dashboards.enabled: true
setup.template.enabled: true
setup.template.name: "packetbeat"
setup.template.pattern: "packetbeat-*"
setup.template.settings:
  index.number_of_shards: 2
setup.kibana:
  host: "${KIBANA_HOST:kibana}:${KIBANA_PORT:5601}"
packetbeat.interfaces.device: any
packetbeat.protocols:
  - type: http
    ports: [5000, 3000]
    include_body_for: ["application/json", "application/x-www-form-urlencoded"]
    hide_keywords: ["pass", "password", "passwd", "pwd", "token", "client_secret", "access_token", "id_token"]
    send_headers: ["User-Agent", "Cookie", "Set-Cookie"]
    split_cookie: true
    real_ip_header: "X-Forwarded-For"
    redact_authorization: true
    redact_headers: ['Cookie', 'Set-Cookie']
  - type: tls
    enabled: false
    ports:
      - 443 # HTTPS
      - 80 # HTTPS
  - type: cassandra
    enabled: false
  - type: memcache
    enabled: false
  - type: mysql
    enabled: false
  - type: pgsql
    enabled: false
  - type: thrift
    enabled: false
  - type: mongodb
    enabled: false
processors:
  - truncate_fields:
      fields:
        - http.response.body
      max_bytes: 8388608
      fail_on_error: false
      ignore_missing: true
  - truncate_fields:
      fields:
        - http.request.body
      max_bytes: 5242880
      fail_on_error: false
      ignore_missing: true
  - copy_fields:
      fields:
        - from: network.forwarded_ip
          to: client.ip
      fail_on_error: false
      ignore_missing: true
  - add_kubernetes_metadata:
      host: ${NODE_NAME}
      default_indexers.enabled: false
      default_matchers.enabled: false
      indexers:
        - ip_port:
      matchers:
        - field_format:
            format: '%{[ip]}:%{[port]}'
```
The cluster has multiple nodes and Packetbeat is deployed as a DaemonSet (one agent per physical node). When two pods that are on the same node communicate, there are no duplicates. When they are running on different nodes, 3 records show up:
- A pair of duplicates: source pod -> destination pod. The only difference is the `agent` metadata, one with the source node and the other one with the destination node.
- A third event: source pod -> destination service.
We couldn't find any way to remove these duplicates. Shouldn't `packetbeat.ignore_outgoing: true` prevent one of the duplicated events from being logged?
Any hints on how to solve this?
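The duplicate pattern described above can be confirmed on exported events before changing any capture settings. The following is an added example, not part of the original post and not Packetbeat code: it groups events by flow fields and reports flows seen by more than one agent. The sample events, the node names and the choice of `agent.name` plus the listed ECS fields as the grouping key are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real capture data), flattened ECS field names.
def _ev(agent, dst_ip, src_port=40112, dst_port=5000):
    return {"agent.name": agent, "source.ip": "10.1.1.5", "source.port": src_port,
            "destination.ip": dst_ip, "destination.port": dst_port,
            "http.request.method": "GET", "url.path": "/api/items"}

SAMPLE_EVENTS = [
    _ev("node-a", "10.1.2.9"),    # pod -> pod, captured on the source node
    _ev("node-b", "10.1.2.9"),    # same transaction, captured on the destination node
    _ev("node-a", "10.96.0.20"),  # pod -> service address (the "third event")
    _ev("node-a", "10.1.1.7", src_port=40200, dst_port=3000),  # same-node traffic
]

# Assumed grouping key: fields expected to be identical in both captures.
FLOW_FIELDS = ("source.ip", "source.port", "destination.ip", "destination.port",
               "http.request.method", "url.path")

def flow_key(event):
    return tuple(event.get(f) for f in FLOW_FIELDS)

def agents_per_flow(events):
    """Map each flow key to the set of agents that reported it."""
    seen = defaultdict(set)
    for ev in events:
        seen[flow_key(ev)].add(ev.get("agent.name", ""))
    return seen

def cross_node_duplicates(events):
    """Flows reported by more than one agent, with the agents involved."""
    return {k: sorted(a) for k, a in agents_per_flow(events).items() if len(a) > 1}

def keep_one_agent_per_flow(events):
    """Keep only the events from one agent per flow (the first name in sort order).

    Repeated requests on one connection survive, because filtering is per
    agent and not per event.
    """
    keeper = {k: min(a) for k, a in agents_per_flow(events).items()}
    return [ev for ev in events if ev.get("agent.name", "") == keeper[flow_key(ev)]]

if __name__ == "__main__":
    for key, agents in cross_node_duplicates(SAMPLE_EVENTS).items():
        print("duplicate flow", key, "seen by", agents)
    print(len(keep_one_agent_per_flow(SAMPLE_EVENTS)), "events kept")
```

The pod -> service event has a different destination address, so this grouping treats it as a separate flow and leaves it in place.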