Hi all,
I'm using packetbeat to capture HTTP web services traffic using SOAP, and I'm facing a lot of HTTP requests that are logged as unmatched requests or responses (for example, 80k out of 470k documents in the last 24h had these errors, with ~70% unmatched response, 15% Packet loss while capturing the request, and 15% unmatched request).
I use packetbeat on ~30 different VMs under Proxmox, spread across around 10 hypervisors, and get these incomplete documents from all VMs.
Some have more errors than others. I looked at the VMs which have the highest error counts, but found nothing relevant in the metrics (lots of CPU and memory free, network link not saturated).
I also use packetbeat on kubernetes containers, the behavior is the same on both platforms.
I've already read a lot of topics about it, and changed my conf from pcap to af_packet, but unfortunately this is not better.
I also tried to disable tcp offloading, but I still see unmatched documents.
Below is the actual config I use:
packetbeat.interfaces.device: eth0
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.buffer_size_mb: 2048
packetbeat.interfaces.auto_promisc_mode: true
packetbeat.flows:
  enabled: false
  timeout: 30s
  period: 10s
packetbeat.protocols:
- type: http
  enabled: true
  ports: [8200,8201,8202,8204,8205,8207,8208]
  include_body_for: ["application/json","text/html","application/soap+xml","text/xml"]
  send_all_headers: true
  real_ip_header: "X-Forwarded-For"
  send_request: false
  send_response: false
  keep_null: true
logging.metrics.enabled: false
packetbeat.procs.enabled: false
packetbeat.ignore_outgoing: false
processors:
- add_fields:
    target: fields
    fields:
      context: 'prod'
tags: ["packetbeat"]
output.logstash:
  enabled: true
  hosts: ["ls1.vrack:5045","ls2.vrack:5045"]
Does anyone have an idea?
Regards,
Thomas