Using packetbeat-8.13.2-linux-x86_64, I found that sometimes http.request does not match the real http.response.body: the response.body belongs to another request.
I tried changing to `period: -1s` and using pcap instead of af_packet, but got the same result.
What can cause this behavior?
Configuration File
************************
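# Packetbeat configuration as pasted in the report, with the structural
# indentation restored (the paste had every line flush-left, which would not
# parse as the nested mappings it is meant to be). Values are unchanged.

# Sniffing: af_packet on the default route, re-polled every minute.
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.poll_default_route: 1m
packetbeat.interfaces.internal_networks:
  - private

# Set `enabled: false` or comment out all options to disable flows reporting.
packetbeat.flows:
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 120s
  # Configure reporting period. If set to -1s, only killed flows will be reported
  period: -1s

packetbeat.protocols:
  - type: icmp
    # Enable ICMPv4 and ICMPv6 monitoring. The default is true.
    enabled: true

  - type: http
    # Configure the ports where to listen for HTTP traffic. You can disable
    # the HTTP protocol by commenting out the list of ports.
    ports: [80]
    # send_request is left disabled, so the raw request is not published.
    # NOTE(review): no `include_body_for` is set either, so
    # http.request.body.content is probably never populated and the
    # detect_mime_type processor on it below may have nothing to act on — confirm.
    #send_request: true
    send_response: true
    send_all_headers: true
    # The list of content types for which Packetbeat includes the full HTTP
    # response payload. With send_response enabled, full JSON/XML response
    # bodies are shipped to Kafka; these may carry sensitive application data,
    # so keep the Kafka topic's access controls in mind.
    include_response_body_for: ['application/json', 'text/xml']

output.kafka:
  hosts: ["localhost:9092"]
  topic: "beats"
  # 5 MiB per message; must be large enough for the response bodies above.
  max_message_bytes: 5242880

processors:
  # Whitelist of fields that reach the output; everything else is dropped.
  - include_fields:
      fields:
        - "@timestamp"
        - "@metadata"
        - "http"
        - "destination"
        - "flow.final"
        - "flow.id"
        - "url"
        - "host"
        - "agent"
        - "status"
        - "query"
        - "client"
        - "server"
        - "event"
        - "method"
        - "type"
        - "user_agent"
        - "related"
        - "response"
        - "source"
        - "network"
        - "ecs"

  # Flow hash computed from the ECS source/destination fields.
  - community_id:
      source_ip: source.ip
      source_port: source.port
      destination_ip: destination.ip
      destination_port: destination.port
      query_rest: url.query
      flow_id: flow.id

  # Enrichment processors with default settings (explicit null, same as `~`).
  - add_cloud_metadata: null
  - add_docker_metadata: null

  # MIME sniffing on the captured bodies (request side: see NOTE above).
  - detect_mime_type:
      field: http.request.body.content
      target: http.request.mime_type
  - detect_mime_type:
      field: http.response.body.content
      target: http.response.mime_type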