Packetbeat parsing mongodb OP_MSG

chinaxushi · October 25, 2021, 5:39am

Mongodb version 3.6 and later added 'OP'_ MSG 'message type. When packet beat parses this type, the output field mongodb is empty. In addition, the most important thing is that there is no end time and no overall response time in the event output field
Parsing output of type OP_MSG:

  "mongodb": {},
  "resource": "",
  "event": {
    "start": "2021-10-23T08:28:16.778Z",
    "category": [
      "network_traffic",
      "network"
    ],
    "type": [
      "connection",
      "protocol"
    ],
    "kind": "event",
    "dataset": "mongodb"
  }

Parsing output of earlier types：

  "mongodb": {
    "fullCollectionName": "admin.$cmd",
    "numberToSkip": 0,
    "numberToReturn": 4294967295,
    "cursorId": 0,
    "startingFrom": 0,
    "numberReturned": 1
  },
  "resource": "admin.$cmd",
  "event": {
    "type": [
      "connection",
      "protocol"
    ],
    "kind": "event",
    "dataset": "mongodb",
    "duration": 139884,
    "start": "2021-07-27T08:27:27.473Z",
    "end": "2021-07-27T08:27:27.473Z",
    "category": [
      "network_traffic",
      "network"
    ]
  },

chinaxushi · October 27, 2021, 6:07am

Can't anyone answer it? What is the problem with the configuration, or does packetbeat not support mongodb's new message format well.

warkolm · October 27, 2021, 7:24am

It doesn't look like this is supported - Update MongoDB protocol with new opcodes · Issue #6191 · elastic/beats · GitHub

chinaxushi · October 27, 2021, 2:22pm

Thank you for your reply.

I have seen many issues before. My understanding is that the version of 6. X at that time does not support OP_MSG at all, and an error is reported directly in the background log. But now at least it can be resolved to be Op_ MSG type message. Only some data is missing, and it is still key data.

Does this mean that the current version of packetbeat has limited support for new mongdb messages?

warkolm · October 27, 2021, 9:13pm

It would appear so, yes.

chinaxushi · October 28, 2021, 2:38am

Do you need to create an issues on GitHub?

warkolm · October 28, 2021, 2:38am

There's one above, definitely comment on it

chinaxushi · October 28, 2021, 5:21am

Thank you. I have commented on

https://github.com/elastic/beats/issues/6191

chinaxushi · November 2, 2021, 2:25am

GitHub did not respond after replying. Is it because issues has been closed?

system · November 30, 2021, 4:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.