I'm trying out packetbeat to monitor events for the mysql protocol. Packetbeat seems to be able to detect packets on destination.port: 3306, which is the default mysql port, as shown in this screenshot here:
But packetbeat gives zero results for network.protocol: mysql or type: mysql, as shown here:
And this is why the default MySQL dashboards show no results, as shown here:
My current setup is:
- Elastic and Kibana version 8.5 are installed on the same server somewhere in North America (170.187.192.170)
- Packetbeat version 8.5 and MySQL server version 8 are installed on the same server somewhere in Australia (194.195.121.47)
- My MySQL client is installed on a server somewhere in Canada (172.105.5.73), and I use the client to run SELECT * FROM table once it connects to the server in Australia
This is my /etc/packetbeat/packetbeat.yml
packetbeat.interfaces.device: any
packetbeat.interfaces.poll_default_route: 1m
packetbeat.interfaces.internal_networks:
  - private

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: icmp
  enabled: true

- type: amqp
  ports: [5672]

- type: dhcpv4
  ports: [67, 68]

- type: dns
  ports: [53]

- type: http
  ports: [80, 8080, 8000, 5000, 8002]

- type: mysql
  ports: [3306, 3307]
  send_request: true
  send_response: true
  enabled: true

- type: tls
  ports: [443]

- type: sip
  ports: [5060]

setup.template.settings:
  index.number_of_shards: 1

setup.dashboards.enabled: true

setup.kibana:
  host: "https://kibana.example.net:5601"

output.elasticsearch:
  hosts: ["elastic.example.net:9200"]
  protocol: "https"
  api_key: "${ES_API_KEY}"
  pipeline: geoip-info

processors:
  - # Add forwarded to tags when processing data from a network tap or mirror.
    if.contains.tags: forwarded
    then:
      - drop_fields:
          fields: [host]
    else:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - add_docker_metadata: ~
  - detect_mime_type:
      field: http.request.body.content
      target: http.request.mime_type
  - detect_mime_type:
      field: http.response.body.content
      target: http.response.mime_type
There are no firewalls involved. There is no port forwarding or traffic redirection involved. No VPNs were used.
How do I get packetbeat to monitor mysql traffic?
To install mysql, all I did was apt-get install mysql-server
and then I used this for /etc/mysql/mysql.conf.d/mysql.conf
[mysqld]
user = mysql
bind-address = 0.0.0.0
mysqlx-bind-address = 0.0.0.0
key_buffer_size = 16M
myisam-recover-options = BACKUP
log_error = /var/log/mysql/error.log
max_binlog_size = 100M
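One check worth doing before touching the packetbeat config, as an added example that is not part of the original post: packetbeat's mysql parser only understands cleartext MySQL, so if the client and server negotiate TLS the sniffer still sees TCP flows on port 3306 but never a parseable query. A MySQL 8 server generates its own certificates on first start and the MySQL 8 client defaults to ssl-mode PREFERRED, so a remote session is normally encrypted unless one side opts out. Whether that is what is happening in this setup cannot be told from the post; the code below shows how to tell from a capture. It follows the documented MySQL client/server protocol layout (HandshakeV10 greeting, then either a 32-byte SSLRequest or a HandshakeResponse41 from the client); the sample packets are constructed by hand, and the function names are this example's own, not packetbeat's.

```python
"""Decide from the first two packets of a MySQL TCP stream whether a passive
sniffer (packetbeat's mysql protocol parser) will be able to read the queries.

Layout assumptions (from the MySQL client/server protocol):
  packet      = 3-byte little-endian payload length, 1-byte sequence id, payload
  HandshakeV10 = 0x0a, server_version NUL-terminated, connection_id(4),
                 auth_plugin_data_part_1(8), filler(1), capability_flags_lower(2), ...
  SSLRequest   = capability_flags(4), max_packet_size(4), charset(1), 23 zero bytes
  HandshakeResponse41 = the same 32-byte prefix followed by username NUL-terminated, ...
If the client's capability flags carry CLIENT_SSL and the reply is exactly the
32-byte SSLRequest, the TLS handshake comes next and the stream goes dark.
"""
import struct

CLIENT_PROTOCOL_41 = 0x00000200   # client speaks the 4.1+ handshake format
CLIENT_SSL = 0x00000800           # client wants to switch to TLS


def mysql_packets(stream: bytes):
    """Split a raw TCP payload into MySQL packets as (sequence_id, payload)."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        seq = stream[off + 3]
        payload = stream[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated MySQL packet")
        yield seq, payload
        off += 4 + length


def server_supports_tls(greeting: bytes) -> bool:
    """Return the CLIENT_SSL bit from a HandshakeV10 greeting payload."""
    if greeting[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting")
    version_end = greeting.index(b"\x00", 1)
    pos = version_end + 1 + 4 + 8 + 1          # skip connection_id, auth data, filler
    caps_lower = struct.unpack_from("<H", greeting, pos)[0]
    return bool(caps_lower & CLIENT_SSL)


def classify_client_handshake(payload: bytes) -> dict:
    """Classify the client's reply: SSLRequest (TLS next) or cleartext login."""
    caps = struct.unpack_from("<I", payload, 0)[0]
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 handshake format not handled in this example")
    if caps & CLIENT_SSL and len(payload) == 32:
        return {"tls": True}
    user_end = payload.index(b"\x00", 32)       # username starts after the 32-byte prefix
    return {"tls": False, "user": payload[32:user_end].decode()}


def diagnose(stream: bytes) -> dict:
    """Report whether the session that starts with this stream is sniffable."""
    pkts = list(mysql_packets(stream))
    if len(pkts) < 2:
        raise ValueError("need the server greeting and the client reply")
    (_, greeting), (_, reply) = pkts[0], pkts[1]
    result = {"server_offers_tls": server_supports_tls(greeting)}
    result.update(classify_client_handshake(reply))
    result["sniffable"] = not result["tls"]
    return result


# ---- constructed sample packets (hand-built, not captured from a real server) ----
def mysql_packet(seq: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def build_greeting(server_caps: int, version: bytes = b"8.0.31") -> bytes:
    """Just enough of a HandshakeV10 payload for server_supports_tls()."""
    return (b"\x0a" + version + b"\x00"
            + struct.pack("<I", 42)              # connection_id
            + b"ABCDEFGH" + b"\x00"               # auth_plugin_data_part_1 + filler
            + struct.pack("<H", server_caps & 0xFFFF)
            + b"\xff"                             # character_set
            + struct.pack("<H", 0x0002)           # status_flags
            + struct.pack("<H", server_caps >> 16))


def client_prefix(caps: int) -> bytes:
    """The 32-byte prefix shared by SSLRequest and HandshakeResponse41."""
    return struct.pack("<IIB", caps, 1 << 24, 0xFF) + b"\x00" * 23


SERVER_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SSL | 0x0001
TLS_SESSION = (mysql_packet(0, build_greeting(SERVER_CAPS))
               + mysql_packet(1, client_prefix(CLIENT_PROTOCOL_41 | CLIENT_SSL)))
PLAIN_SESSION = (mysql_packet(0, build_greeting(SERVER_CAPS))
                 + mysql_packet(1, client_prefix(CLIENT_PROTOCOL_41) + b"app\x00" + b"\x00"))

if __name__ == "__main__":
    print("TLS client:  ", diagnose(TLS_SESSION))
    print("plain client:", diagnose(PLAIN_SESSION))
```

To run this against the real setup, capture the start of one session on the MySQL host (for example with tcpdump on port 3306, written to a pcap) and feed the TCP payload of the first server and client packets to diagnose(). Two quicker checks from the client side say the same thing: SHOW SESSION STATUS LIKE 'Ssl_cipher' returns a non-empty cipher when the session is encrypted, and reconnecting with mysql --ssl-mode=DISABLED and repeating the SELECT shows whether packetbeat starts producing type: mysql events once the traffic is cleartext.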