elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Packetbeat - Incorrect HTTP traffic reporting #1247

Closed nul closed 4 years ago

nul commented 8 years ago

Hi all,

I'm running into a weird issue with Packetbeat whereby the HTTP traffic reported has incorrect details logged.

The setup is this: packetbeat > local logstash > remote redis installation > logstash > elasticsearch. Note that I have no processing of the data from packetbeat on any logstash instance, they're simply shippers. In addition, I'm using the same setup for topbeat and winlogbeat as well and have not run into any issues.

Digging through data logged in ES (using Kibana) I ran into some weird data whereby, according to packetbeat data, requests for certain JS resources were redirected to image files. I've cross-checked the entries logged by IIS with the packetbeat entries and I can see that there's a mismatch in event data:

The WEB server is doing redirects (301) for lowercasing so /resources/SiteResources/My+Folder/static_pages/media_partnerships/slides/google.jpg becomes /resources/siteresources/my+folder/static_pages/media_partnerships/slides/google.jpg which is correctly reported in the IIS logs as a 301 for the image call, with the correct referrer. The JS call is separately and correctly reported in IIS as a 200 status request also with the correct referrer.

However, it looks like packetbeat combined these two requests into a single request and took bits of each (i.e. the code, referrer, user-agent and the response location from one, and the path from the other). In addition, packetbeat never recorded the 200 status request for the JS.

Below are the configuration files for packetbeat setup:
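The cross-check the reporter did by hand (sniffer event versus IIS log entry) can be automated. The following is an added example, not code from the issue or from Beats: it parses a constructed IIS-style log, explains each sniffer event by the server's own record of the transaction, and flags an event whose path belongs to one transaction while its status, referrer and Location belong to another. It also applies a log-independent sanity check derived from the site's lowercase-redirect rule: a 301 issued to lowercase a URL must carry a Location equal to the request path lowercased. All paths, the referrer and the event field layout are constructed for the example.

```python
"""Cross-check HTTP transaction events from a packet sniffer against the
web server's own access log, to catch events whose fields were taken from
two different transactions (the symptom described in this issue).

Added example, not Packetbeat code. The event and IIS-style log lines below
are constructed, not data from the report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

IMG = "/resources/SiteResources/My+Folder/static_pages/media_partnerships/slides/google.jpg"
JS = "/scripts/site.js"               # hypothetical JS resource path
REF = "http://example.test/partners"  # constructed referrer


@dataclass(frozen=True)
class Tx:
    """One HTTP transaction as seen by either the server log or the sniffer."""
    path: str
    status: int
    referer: str
    location: str = ""  # Location header for redirects, else empty


# Constructed W3C-style lines: cs-uri-stem sc-status cs(Referer) Location
IIS_LOG = f"""\
#Fields: cs-uri-stem sc-status cs(Referer) location
{IMG} 301 {REF} {IMG.lower()}
{JS} 200 {REF} -
"""

# Constructed sniffer event reproducing the bug: the JS path combined with
# the status, referrer and Location of the image redirect.
SNIFFER_EVENTS = [Tx(JS, 301, REF, IMG.lower())]

Finding = Tuple[str, str, Optional[str]]


def parse_iis_log(text: str) -> List[Tx]:
    """Parse the four whitespace-separated fields used above; '-' means no Location."""
    txs: List[Tx] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        stem, status, referer, location = line.split()
        txs.append(Tx(stem, int(status), referer, "" if location == "-" else location))
    return txs


def lowercase_redirect_consistent(ev: Tx) -> bool:
    """Site rule: a redirect that lowercases a URL must point at the request
    path lowercased. If Location is the lowercase of some *other* path, the
    event combines fields from two transactions. Non-redirects pass."""
    if ev.status not in (301, 302, 307, 308) or not ev.location:
        return True
    return urlsplit(ev.location).path == ev.path.lower()


def cross_check(events: List[Tx], server: List[Tx]) -> List[Finding]:
    """Explain each sniffer event by the server log.

    'merged'  : path belongs to one server transaction but status/Location
                belong to another (fields from two transactions combined)
    'unknown' : no server transaction explains the event at all
    'missing' : server transaction with no matching sniffer event
    """
    findings: List[Finding] = []
    unmatched = list(server)
    for ev in events:
        exact = next((t for t in unmatched if t == ev), None)
        if exact is not None:
            unmatched.remove(exact)
            continue
        same_path = any(t.path == ev.path for t in server)
        donor = next((t for t in server if t.path != ev.path
                      and (t.status, t.location) == (ev.status, ev.location)), None)
        if same_path and donor is not None:
            findings.append(("merged", ev.path, donor.path))
        else:
            findings.append(("unknown", ev.path, None))
    findings.extend(("missing", t.path, None) for t in unmatched)
    return findings


if __name__ == "__main__":
    for ev in SNIFFER_EVENTS:
        print("lowercase-redirect check:", lowercase_redirect_consistent(ev), ev)
    for kind, path, other in cross_check(SNIFFER_EVENTS, parse_iis_log(IIS_LOG)):
        print(f"{kind:8} {path}" + (f"  (fields from {other})" if other else ""))
```

Run against the constructed data, the mixed event is reported as `merged` with the image request named as the donor of its status and Location, and both server transactions show up as `missing` because neither was recorded as the server saw it, which mirrors the two symptoms in the report. The redirect check is cheaper to apply at scale since it needs no server log; it only holds where the site's redirects are lowercase rewrites, so treat it as site-specific.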

botelastic[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 4 years ago

This issue doesn't have a Team:<team> label.