Packetbeat hardware / software requirements

I have a sensor with an i5-4590, 8GB memory running packetbeat and am still getting "dropped_because_of_gaps".

I've followed all the directions about enabling af_packet, etc., yet even on a low traffic link (1-5mbps) I still get dropped events - what else can I do?

Would you be able to share the packetbeat.yml configuration? Just wanted to check what settings are currently configured.

Yep, can do.

I saw you mentioned that you had enabled af_packet, but it is currently disabled here: packetbeat 7.12.0 config template · GitHub

Do you know if you had tried to comment that one out? It should commonly resolve the issue.

However, if it does not work, and you are still seeing issues, could you try to set this one to false, and just see if it helps, at least then we are able to narrow it down a bit more:

Sorry, that was a typo - yep, I've tried both pcap and af_packet and get the same result.

I want to capture flows so turning that off won't really help. How can I get to the bottom of this?

So in the above configuration, is af_packet currently enabled, and no other fields are different from the configuration you linked?

The reason I wanted to disable it, was not to provide it as a solution, but to try to find out what might cause your issue.

Would you be able to share a logfile, for example? It might include sensitive information, so if it's not from a test environment of some sort, I was just wondering where you found your metrics and if you could grep the logfiles for any "ERROR" or "WARN" as well after restarting it and letting it run for a couple of minutes.

Yes that is right. Yes if I disable flows then I get no dropped_because_of_gaps errors but I can only get those if it is monitoring flows!

Here is a link to the logs packetbeat.log · GitHub

There are no errors, just a warning regarding SIP. BTW, packetbeat is running in a container.

Any ideas, @Marius_Iversen? Should I file a PR, as I'd really like to get this working?

If I am an Elastic cloud client, can I get commercial support for this, @Marius_Iversen?
