Packetbeat unable to monitor mysql traffic

I'm trying out packetbeat to monitor events for the mysql protocol. Packetbeat seems to be able to detect packets on destination.port: 3306 which is the default mysql port as shown in this screenshot here:

But packetbeat gives zero results for network.protocol: mysql or type: mysql, as shown here:

And this is why the default MySQL dashboards show no results, as shown here:

My current setup is:

  • Elastic and Kibana version 8.5 are installed on the same server somewhere in North America (170.187.192.170)
  • Packetbeat version 8.5 and MySQL server version 8 are installed on the same server somewhere in Australia (194.195.121.47)
  • My MySQL client is installed on a server somewhere in Canada (172.105.5.73), and I use the client to do a SELECT * FROM table once it connects to the server in Australia

This is my /etc/packetbeat/packetbeat.yml

packetbeat.interfaces.device: any
packetbeat.interfaces.poll_default_route: 1m
packetbeat.interfaces.internal_networks:
  - private
packetbeat.flows:
  timeout: 30s
  period: 10s
packetbeat.protocols:
- type: icmp
  enabled: true
- type: amqp
  ports: [5672]
- type: dhcpv4
  ports: [67, 68]
- type: dns
  ports: [53]
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: mysql
  ports: [3306,3307]
  send_request: true
  send_response: true
  enabled: true
- type: tls
  ports: [443]
- type: sip
  ports: [5060]
setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
setup.kibana:
  host: "https://kibana.example.net:5601"
output.elasticsearch:
  hosts: ["elastic.example.net:9200"]
  protocol: "https"
  api_key: "${ES_API_KEY}"
  pipeline: geoip-info
processors:
  - # Add forwarded to tags when processing data from a network tap or mirror.
    if.contains.tags: forwarded
    then:
      - drop_fields:
          fields: [host]
    else:
      - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - detect_mime_type:
      field: http.request.body.content
      target: http.request.mime_type
  - detect_mime_type:
      field: http.response.body.content
      target: http.response.mime_type

There are no firewalls involved. There is no port forwarding or traffic redirection involved. No VPNs were used.

How do I get packetbeat to monitor mysql traffic?


To install mysql, all I did was apt-get install mysql-server and then I used this for /etc/mysql/mysql.conf.d/mysql.conf

[mysqld]
user            = mysql
bind-address            = 0.0.0.0
mysqlx-bind-address     = 0.0.0.0
key_buffer_size         = 16M
myisam-recover-options  = BACKUP
log_error = /var/log/mysql/error.log
max_binlog_size   = 100M