Packetbeat postgresql

philippkahr · April 11, 2018, 6:30am

Hallo,

I experience some funny errors when dealing with packetbeat and the postgresql module.
First of all, I can see Data being send to Elasticsearch and I can view them in Kibana.
Secondly, I think it is more a bug than a configuration error. Postgresql has about 250.000 queries per second, but I only get a few 100 lines per second send into my elasticsearch. Even when looking for an average over 15 Minutes, there are millions of lines missing.

How can I tackle this? Anybody an Idea what I can turn off / turn on in packetbeat to see why it is failing? I can find the following lines in the /var/log/packetbeat/packetbeat

2018-04-11T08:28:20.572+0200 WARN pgsql/parse.go:501 Pgsql parser expected data message, but received command of type 110
2018-04-11T08:28:30.193+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=13, i=8
2018-04-11T08:28:30.262+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=28, i=8
2018-04-11T08:28:32.742+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=138, i=3
2018-04-11T08:28:33.424+0200 WARN pgsql/parse.go:501 Pgsql parser expected data message, but received command of type 110
2018-04-11T08:28:33.425+0200 WARN pgsql/parse.go:501 Pgsql parser expected data message, but received command of type 110
2018-04-11T08:28:34.192+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=150, i=3
2018-04-11T08:28:36.205+0200 WARN pgsql/parse.go:501 Pgsql parser expected data message, but received command of type 110
2018-04-11T08:28:39.486+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=22, i=4
2018-04-11T08:28:39.488+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=60, i=4
2018-04-11T08:28:39.491+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=60, i=4
2018-04-11T08:28:39.492+0200 ERROR pgsql/parse.go:531 Pgsql invalid column_length=4294967295, buffer_length=60, i=4

andrewkroh · April 13, 2018, 1:28pm

There's probably some packet loss affecting Packetbeat's ability to reconstruct the postgres data. There's a metric that is logged at 30s intervals that indicates how many packets have been dropped. This happens when there's more data coming in that can be processed.

What are your settings in Packetbeat's config? If you are Linux try using af_packet and tuning some settings.

packetbeat.interfaces.device: eth0            # Don't use 'any'. Listen specifically on one interface.
packetbeat.interfaces.snaplen: 1514
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.buffer_size_mb: 100

Disable flows if you aren't using them.

packetbeat.flows.enabled: false

And disable other protocols that you are not using. This will limit the amount of packets that Packetbeat is receiving such that it can use its resources for postgres data only.

philippkahr · April 14, 2018, 1:03pm

Thanks for the information with the buffer_size_mb, that really help it.

system · May 12, 2018, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues with PGSQL-Module \| Too much errors Beats packetbeat	6	965	August 31, 2018
[pgsql] Flow stop Beats packetbeat	5	1382	March 3, 2017
Pgsql invalid column_length Beats packetbeat	4	1692	July 5, 2017
Packetbeat: Postgres Module No Data Beats packetbeat	1	351	April 22, 2020
Packetbeat - Postgres - pgsql.error_code parsing issues Beats packetbeat	3	579	October 3, 2018

Packetbeat postgresql

Related topics