Packetbeats use mysql module, respontime display negative,path not only tablename

Elastic Stack Beats
1

Hi, I am Sorry, My English is not good, Please understand。

I use packetbeats as mysql Behavioral audit,Collect Architecture is packetbeats --> kafka --> logstash --> es --> kibana/grafana。

I has three problem.

  1. path fields not only display tablename.
  2. response fields display garbled.
  3. responsetime fileds display negative

Packetbeat client setting is
#============================== Network device ================================

packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.snaplen: 65535
packetbeat.interfaces.buffer_size_mb: 100

packetbeat.flows:
enabled: false

#============================== Protocols ====================================
packetbeat.protocols:

  • type: icmp
    enabled: false

  • type: amqp
    enabled: false

  • type: cassandra
    enabled: false

  • type: dns
    enabled: false

  • type: http
    enabled: false

  • type: memcache
    enabled: false

  • type: mysql
    enabled: true
    ports: [3307]
    send_request: false
    send_response: true
    max_rows: 40
    max_row_length: 4096
    transaction_timeout: 90s

  • type: mysql
    enabled: false
    ports: [3306]
    send_request: false
    send_response: true
    max_rows: 40
    max_row_length: 4096
    transaction_timeout: 30s

  • type: pgsql
    enabled: false

  • type: redis
    enabled: false

  • type: thrift
    enabled: false

  • type: mongodb
    enabled: false

  • type: nfs
    enabled: false
    ports: [2049]

  • type: tls
    enabled: false

#=====================================================================
fields_under_root: true
max_procs: 1

processors:

  • drop_fields:
    fields: ["beat","proc","client_proc","release"]

#================================ Outputs ======================================
output.elasticsearch:
enabled: false

#----------------------------- Logstash output ---------------------------------
output.logstash:
enabled: false

#------------------------------- Kafka output ----------------------------------
output.kafka:
enabled: true
hosts: ["ip:port"]
topic: mysql-topic
worker: 4
max_retries: 3
max_message_bytes: 1200000

output.redis:
enabled: false
#----------------------------- Console output ---------------------------------
output.console:
enabled: false
pretty: true
#logging.level: error
logging.level: debug
#=====================#
packetbeats servier debug display

respontime
respontime.png1118×503 16.3 KB

path_response_fields
path_response_fields.png1029×805 23.2 KB

2

Thanks for your report. I'm not familiar with the mysql protocol, need some time to investigate what is going on. It looks like there's a problem with the response/request correlation.

Will open an issue to keep track of this.

Which version of packetbeat are you using? Although the mysql protocol hasn't changed recently.

Can you share a packet capture (pcap) that exposes this problems? Only if there's no sensitive data in it, of course.

To do so, run packetbeat with --dump filename.pcap and test it with -t -I filename.pcap.

Edit:
Here's the issue I created

3

Hi, I am sorry. Run packetbeat collect mysql aduit behavioral .

image
image.png1832×419 26.6 KB

4

I had the same problem, My packetbeat version is 5.0.2, Do you fix it now?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.