Several questions about introducing PacketBeat into a commercial system

Hello,

I am trying to introduce PacketBeat into our enterprise system for security enhancement purposes. I have several questions. Could you please answer the following?

  1. What is the maximum bps (supported bps) at which no packets are lost? I know it depends on the hardware specification, but if you have any reference data, please let me know.

  2. PacketBeat stores captured data in Elasticsearch. In this case, how much data does PacketBeat store in Elasticsearch per transaction? If you have any reference data, please let me know.

  3. Is it possible to deploy PacketBeat in a redundant structure to implement a high-availability system, for example with a load-balancing mechanism or a cluster structure?

  4. If the answer to question 3 is yes: if one physical machine running PacketBeat has broken, is it possible to continue the process (packet capturing and storing data into Elasticsearch) on the other machines?

  5. When a machine on which PacketBeat is installed has broken and then been fixed, is it possible to continue the process (packet capturing and storing data into Elasticsearch) using the fixed machine without any problems?

Best regards,

Satoshi Iitsuka


For questions 1 and 2 it is best that you set up your own test environment to see which numbers you hit. It depends heavily not only on the hardware, but also on your network and obviously on the packetbeat configs.

Can you share some more details on what your planned setup is? We recommend installing packetbeat on each edge node, so if one of the nodes fails, you will still have all the packets from the other nodes captured.

Packetbeat currently does not cache data locally, as the amount of data coming in can be massive. So if you have a network interruption, the data is lost. That might change in the future when we potentially introduce a local queue.


Hi ruflin,

Thank you for answering my questions. I set up my own environment to evaluate the performance corresponding to questions 1 and 2. The results were a few Mbps of captured data without any loss, and a few kilobytes of data stored into Elasticsearch per second, respectively.
My conclusion is that the performance bottleneck is disk I/O (I measured it using the "sar" command on Linux). So I might need to replace the HDD with an SSD to improve disk I/O.

I have limited hardware resources, so I cannot build several edge nodes in my environment. But thanks for your advice; I will set up several edge nodes in the near future.

Thanks,

Just some notes:

  1. Capturing performance in packetbeat itself can be improved by enabling the af_packet sniffer (it needs one copy less than the default pcap sniffer).

  2. If the packetbeat internal queue runs full, it drops transaction logs in order to continue processing (protecting internal state from packet loss).

  3. Performance depends highly on the machine and the capturing method... you will have to tune for your environment. That is, tuning involves packetbeat, the optional message queue, and Elasticsearch itself.

  4. Packetbeat can be deployed either on the edge server or separately (e.g. via a tap device or switch port-forwarding) -> have a separate machine processing events. Personally I'd prefer not to have packetbeat run on the application servers themselves.

  5. Replication at the packetbeat level would require routing the packets to multiple machines with packetbeat installed (not explicitly provided by packetbeat, as it must be supported by the hardware). For redundancy/availability and for dealing with spikes in traffic (more data than the ES cluster can consume), kafka might be considered.
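As an added example (not part of the original thread and not configuration shipped by the Packetbeat project), the packetbeat.yml fragment below combines notes 1, 3 and 5 above: it switches the sniffer from the default pcap type to af_packet with a large kernel ring buffer, and sends events to Kafka instead of directly to Elasticsearch so that traffic spikes are absorbed by the broker rather than dropped by the in-memory queue. The interface name, protocol ports, broker addresses and topic name are assumptions for illustration; the default pcap setting is shown commented out for comparison.

```yaml
# packetbeat.yml (added example; device, ports, brokers and topic are assumed values)

packetbeat.interfaces.device: eth0        # ASSUMPTION: interface that sees mirrored/tap traffic

# Default sniffer: libpcap, one extra copy of every packet into user space.
# packetbeat.interfaces.type: pcap

# af_packet: kernel memory-mapped ring buffer, one copy fewer than pcap (Linux only).
packetbeat.interfaces.type: af_packet
# Size of the ring buffer shared with the kernel; a bigger buffer rides out short
# bursts without the kernel dropping frames before packetbeat reads them.
packetbeat.interfaces.buffer_size_mb: 100
# Capture only the headers and payload you decode; smaller snaplen means less copying.
packetbeat.interfaces.snaplen: 1514

# Decode only the protocols you actually need; every enabled decoder costs CPU.
packetbeat.protocols:
- type: http
  ports: [80, 8080]                       # ASSUMPTION: ports of the monitored services
- type: tls
  ports: [443]

# Flow records give per-connection byte/packet counts even for undecoded traffic.
packetbeat.flows:
  timeout: 30s
  period: 10s

# Send to Kafka instead of Elasticsearch: the broker buffers bursts that exceed
# what the ES cluster can index, and a consumer (e.g. Logstash) indexes from the topic.
output.kafka:
  hosts: ["kafka1:9092", "kafka2:9092"]   # ASSUMPTION: two brokers for broker-side redundancy
  topic: "packetbeat"                     # ASSUMPTION: topic name
  required_acks: 1                        # wait for the leader to acknowledge each batch
  compression: gzip
  max_message_bytes: 1000000              # drop single events larger than ~1 MB rather than stall

# The direct Elasticsearch output must stay disabled; only one output may be active.
# output.elasticsearch:
#   hosts: ["localhost:9200"]
```

Note that this does not change the behaviour described in note 2: if the Kafka brokers are unreachable, packetbeat's internal queue still fills and transactions are dropped, so broker availability is what turns the buffering into actual redundancy. Capture-side redundancy (two hosts seeing the same packets) still has to come from the tap or switch mirror configuration, as note 5 says.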
