Packetbeat is not monitoring any network traffic!

DharaniKumar · August 9, 2017, 8:59am

Hi,
i'm using packetbeat 5.5.0 in my ubuntu machine. For test sake i commented out all the protocols except mysql(in my old app server), as i wanted to monitor mysql traffic in kibana. But i don't know whats the issue around this. Strange thing is when i used another app server which in that i didn't installed a mysql server, but in that it shows mysql protocol traffic. Any kind of help is welcome.

Thanks in advance.

DharaniKumar · August 9, 2017, 10:36am

Even when i did insert or delete datas from my table those actions where not monitored in packetbeat

andrewkroh · August 9, 2017, 10:29pm

Here are some things to check:

Make sure you have packetbeat sniffing on the correct interface. Probably you have any configured since you are on Linux.
Make sure you have it monitoring the correct mysql port you are using.
Make sure you have traffic going to mysql over the network and not through a unix socket like /var/lib/mysql/mysql.sock.

DharaniKumar · August 10, 2017, 11:38am

There is no file name like mysql.sock in the directory you've mentioned @andrewkroh

andrewkroh · August 10, 2017, 1:02pm

The location of the socket may be different (and it doesn't really matter). Just ensure that whatever method you use to communicate with the server is over TCP and not a unix socket. If you are using the mysql CLI tool there are parameters you can pass to ensure it uses TCP. See Connecting to the MySQL Server.

DharaniKumar · August 10, 2017, 1:21pm

We aren't using any mysql client @andrewkroh. It seems, mysql is running on TCP/IP on 3306 port in my ubuntu server.

root@sappserver:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1703/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1487/sshd
tcp6 0 0 :::80 :::* LISTEN 3062/apache2
tcp6 0 0 :::22 :::* LISTEN 1487/sshd

Any help?

andrewkroh · August 10, 2017, 2:02pm

Is the traffic to mysql encrypted? Packetbeat won't be able to monitor the traffic if it is. What is the client? How is it configured?

You can also try to enable debug in Packetbeat (logging.level: debug in your config file) so see if this provides any clues.

DharaniKumar · August 11, 2017, 5:32am

I've mysql server installed in my ubuntu machine. I didnt installed any mysql client in my ubuntu.

So we need to install both mysql server and client in the same machine to monitor mysql traffic through packetbeat?

Also tell me some steps to how to find whether my mysql traffic is encrypted or not.

Thank You.

andrewkroh · August 11, 2017, 5:52pm

The client can be on a different host.

I think newer versions use SSL by default. You'll have to check the mysql docs. You can disable SSL on either the client-side or on the server.

DharaniKumar · August 12, 2017, 4:08am

Thanks for your help @andrewkroh i got the problem solved.
The issue is we didnt published packetbeat to monitor mysql traffic.
sudo ./packetbeat -configtest -e -c /etc/packetbeat/packetbeat.yml is what i used in my terminal and opened another terminal for using mysql operations.
When i used mysql commands it showed the mysql traffic.
Anyways thanks for time and help @andrewkroh it will be used for someothers with the same issue.

system · August 30, 2017, 8:59am

This topic was automatically closed after 21 days. New replies are no longer allowed.