Comments (16)
Hi Cédric, thank you for the kind words. The project is still new so we're building up the documentation and the troubleshooting page. Some hints for the meantime;
- Please make sure you use version 0.3.2, there was a bug previously that cause MySQL not to work in many cases.
- We never tested yet with MariaDB, so there might be slight differences that cause issues. We'll get an instance to test with, but if you want to help, you can send as a short trace as described in: http://packetbeat.com/docs/troubleshooting.html#recording-a-trace
from beats.
Yes i'm using the 0.3.2.
Ok, your agent see nothing, because tcpdump see nothing too.
The trace is empty.
Traffic on localhost is not seen right ?
Also, the widget with a network flux does not appear for me. It's something missing like there is no matching network request from on side to the other ? (I'm think about the agent detect the FQDN, but the request are send to short hostnames)
from beats.
Traffic on localhost should be seen if you use the "any" or the "lo" devices.
To debug the network flux diagram, please check if the transactions from the Packetbeat Search dashboard have the src_server
and the dst_server
fields filled.
from beats.
Hi,
Same problem for me with mariaDB, everything is working except for the sql part.
Is packetbeat compatible with this DB ?
from beats.
Hi, I think this issue was that MariaDB was using a Unix socket. Maybe you have the same problem? Check if MariaDB is listening on port 3306 and if there are any packets seen by tcpdump on that port.
from beats.
Here is the result of netstat
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
....
Sockets du domaine UNIX actives(seulement serveurs)
Proto RefCnt Flags Type State I-Node Chemin
unix 2 [ ACC ] STREAM LISTENING 22255411 /var/run/php5-fpm.sock
unix 2 [ ACC ] STREAM LISTENING 3403 /var/run/fail2ban/fail2ban.sock
unix 2 [ ACC ] SEQPACKET LISTENING 9546 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 22255409 /var/lib/php5-fpm/web3.sock
unix 2 [ ACC ] STREAM LISTENING 22258597 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 10168 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 10176 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 21532588 /var/lib/apache2/fcgid/sock/28808.1
unix 2 [ ACC ] STREAM LISTENING 21532590 /var/lib/apache2/fcgid/sock/28808.2
unix 2 [ ACC ] STREAM LISTENING 21532592 /var/lib/apache2/fcgid/sock/28808.3
unix 2 [ ACC ] STREAM LISTENING 9961 /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 10478 /var/run/clamav/clamd.ctl
unix 2 [ ACC ] STREAM LISTENING 10253 @/tmp/fam-root-
unix 2 [ ACC ] STREAM LISTENING 14076926 /var/run/apache2/cgisock.24770
MariaDB is correctly listening on port 3306
but when I launch tcpdump -i any 'port 3306'
no packet was logged.
Any idea ?
from beats.
config file in /etc/mysql/my.cnf
# MariaDB database server configuration file.
#
# You can copy this file to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages = fr_FR
skip-external-locking
from beats.
Try commenting out the socket line from the [client]
section of my.cnf, and then do a few queries using the mysql shell while watching with tcpdump. If you then see messages, likely the client is using the unix socket.
from beats.
nope, no packet.
Tried to launch query via shell and to navigate website, no dump.
Another strange behaviour :
On another server where packetbeat seems to work with mysql (purely mysql not mariaDB), we have many website (joomla based) and not all of the website MySQL queries are logged through tcpdump.
Websites are on the same server, use the same mysql server, with the same config file but have separate database for each.
Really strange
Where could this come from ?
I think it's the same problem for the server which doesn't work, there are only one website on this server, with only one db.
from beats.
Maybe using 127.0.0.1 instead of localhost ?
I will check this.
from beats.
OK I think I found the problem.
The non working websites on the working server have APC PHP cache enabled in Joomla and I think he should cache the SQL query in front.
What i did to find this :
I switch mysql host from localhost to the fully qualified domain, refresh website and i could see the queries in tcpdump, but only the first time I access the link, the second time no query dump.
On the other server, the one with only one website is running prestashop, and have memcache which should cache queries too.
I will do some tests and come back to report results.
from beats.
Thanks, sounds right indeed.
from beats.
OK really found the problem, don't know why, perhaps you could explain me.
I change in prestashop the db hostname from localhost to the fully qualified domain name, and instantly tcpdump give me all the queries dump. If I change back to localhost, no dump.
Everything is working fine now, packetbeat works fine.
Have you an explanation of this strange behaviour ?
from beats.
I think mysql/mariadb resolves internally "localhost" to "use the unix socket". As a test, you can try "127.0.0.1" instead of "localhost".
from beats.
Works well with 127.0.0.1.
Don't forget to add user permissions in database to 127.0.0.1 instead of localhost, otherwise connect will fail.
Thanks for help 👍
from beats.
Im not getting src_server and dst_server in packetbeat.. Help me
from beats.
Related Issues (20)
- Build 2352 for main with status FAILURE HOT 1
- Build 1031 for 7.17 with status FAILURE HOT 1
- Build 10 for 8.13 with status FAILURE HOT 2
- Dropped events in filestream / kubernetes autodiscover HOT 1
- Build 1032 for 7.17 with status FAILURE HOT 1
- [Filebeat] ETW input - Improve event filtering HOT 2
- [Filebeat] ETW input - make buffer size configurable HOT 3
- Build 1033 for 7.17 with status FAILURE HOT 1
- Build 2355 for main with status FAILURE HOT 2
- Build 129 for 8.12 with status FAILURE HOT 1
- Build 11 for 8.13 with status FAILURE HOT 1
- Build 2356 for main with status FAILURE HOT 1
- Build 2357 for main with status FAILURE HOT 1
- Build 130 for 8.12 with status FAILURE HOT 1
- Build 2358 for main with status FAILURE HOT 1
- Metricbeat is unable to connect to AWS OpenSearch service. ERROR 401 Unauthorized HOT 3
- [Metricbeat][System]`system.process.state` reports `sleeping` HOT 4
- [Agent] Most Host processes showing as 'sleeping' HOT 2
- [metricbeat/perfmon] Error reported when no error is present HOT 1
- Fleet: Allow authentication for air-gapped artifact store HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from beats.