I'm using packetbeat to capture http webservices traffic using SOAP, and I'm facing a lot of http requests that are logged as unmatched requests or responses (for example, 80k of 470k documents in the last 24h had these errors, with ~70% unmatched response, 15% Packet loss while capturing the request, and 15% unmatched request).
I use packetbeat on ~30 different VMs under proxmox, dispatched on around 10 hypervisors, and have these incomplete documents from all VMs.
Some have more errors than others. I looked at the VMs which have the highest error count, but found nothing relevant in the metrics (lots of CPU & memory free, network link not saturated).
I also use packetbeat on kubernetes containers, the behavior is the same on both platforms.
I've already read a lot of topics about it, and changed my conf from pcap to af_packet, but unfortunately this is not better.
I also tried to disable tcp offloading, but I still see unmatched documents.
Below is the actual config I use:

packetbeat.interfaces.device: eth0
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.buffer_size_mb: 2048
packetbeat.interfaces.auto_promisc_mode: true

packetbeat.flows:
  enabled: false
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: http
  enabled: true
  ports: [8200,8201,8202,8204,8205,8207,8208]
  include_body_for: ["application/json","text/html","application/soap+xml","text/xml"]
  send_all_headers: true
  real_ip_header: "X-Forwarded-For"
  send_request: false
  send_response: false
  keep_null: true

logging.metrics.enabled: false
packetbeat.procs.enabled: false
packetbeat.ignore_outgoing: false

processors:
- add_fields:
    target: fields
    fields:
      context: 'prod'

tags: ["packetbeat"]

output.logstash:
  enabled: true
  hosts: ["ls1.vrack:5045","ls2.vrack:5045"]

Does anyone have an idea?