FAQ or something for debug of users ? (I get issue with mysql and no place for asking or getting FAQ) about beats HOT 16 CLOSED

Hi Cédric, thank you for the kind words. The project is still new so we're building up the documentation and the troubleshooting page. Some hints for the meantime;

• Please make sure you use version 0.3.2, there was a bug previously that cause MySQL not to work in many cases.
• We never tested yet with MariaDB, so there might be slight differences that cause issues. We'll get an instance to test with, but if you want to help, you can send as a short trace as described in: http://packetbeat.com/docs/troubleshooting.html#recording-a-trace

from beats.

Yes i'm using the 0.3.2.
Ok, your agent see nothing, because tcpdump see nothing too.
The trace is empty.

Traffic on localhost is not seen right ?

Also, the widget with a network flux does not appear for me. It's something missing like there is no matching network request from on side to the other ? (I'm think about the agent detect the FQDN, but the request are send to short hostnames)

from beats.

Traffic on localhost should be seen if you use the "any" or the "lo" devices.

To debug the network flux diagram, please check if the transactions from the Packetbeat Search dashboard have the src_server and the dst_server fields filled.

from beats.

Hi,

Same problem for me with mariaDB, everything is working except for the sql part.
Is packetbeat compatible with this DB ?

from beats.

Hi, I think this issue was that MariaDB was using a Unix socket. Maybe you have the same problem? Check if MariaDB is listening on port 3306 and if there are any packets seen by tcpdump on that port.

from beats.

Here is the result of netstat

Proto Recv-Q Send-Q Adresse locale          Adresse distante        Etat       
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
....
Sockets du domaine UNIX actives(seulement serveurs)
Proto RefCnt Flags       Type       State         I-Node   Chemin
unix  2      [ ACC ]     STREAM     LISTENING     22255411 /var/run/php5-fpm.sock
unix  2      [ ACC ]     STREAM     LISTENING     3403     /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     SEQPACKET  LISTENING     9546     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     22255409 /var/lib/php5-fpm/web3.sock
unix  2      [ ACC ]     STREAM     LISTENING     22258597 /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     10168    /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     10176    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     21532588 /var/lib/apache2/fcgid/sock/28808.1
unix  2      [ ACC ]     STREAM     LISTENING     21532590 /var/lib/apache2/fcgid/sock/28808.2
unix  2      [ ACC ]     STREAM     LISTENING     21532592 /var/lib/apache2/fcgid/sock/28808.3
unix  2      [ ACC ]     STREAM     LISTENING     9961     /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     10478    /var/run/clamav/clamd.ctl
unix  2      [ ACC ]     STREAM     LISTENING     10253    @/tmp/fam-root-
unix  2      [ ACC ]     STREAM     LISTENING     14076926 /var/run/apache2/cgisock.24770

MariaDB is correctly listening on port 3306
but when I launch tcpdump -i any 'port 3306' no packet was logged.

Any idea ?

from beats.

config file in /etc/mysql/my.cnf

# MariaDB database server configuration file.
#
# You can copy this file to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
# 
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket          = /var/run/mysqld/mysqld.sock
nice            = 0

[mysqld]
#
# * Basic Settings
#
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages     = fr_FR
skip-external-locking

from beats.

Try commenting out the socket line from the [client] section of my.cnf, and then do a few queries using the mysql shell while watching with tcpdump. If you then see messages, likely the client is using the unix socket.

from beats.

nope, no packet.
Tried to launch query via shell and to navigate website, no dump.

Another strange behaviour :
On another server where packetbeat seems to work with mysql (purely mysql not mariaDB), we have many website (joomla based) and not all of the website MySQL queries are logged through tcpdump.

Websites are on the same server, use the same mysql server, with the same config file but have separate database for each.

Really strange

Where could this come from ?

I think it's the same problem for the server which doesn't work, there are only one website on this server, with only one db.

from beats.

Maybe using 127.0.0.1 instead of localhost ?
I will check this.

from beats.

OK I think I found the problem.

The non working websites on the working server have APC PHP cache enabled in Joomla and I think he should cache the SQL query in front.

What i did to find this :
I switch mysql host from localhost to the fully qualified domain, refresh website and i could see the queries in tcpdump, but only the first time I access the link, the second time no query dump.

On the other server, the one with only one website is running prestashop, and have memcache which should cache queries too.

I will do some tests and come back to report results.

from beats.

Thanks, sounds right indeed.

from beats.

OK really found the problem, don't know why, perhaps you could explain me.
I change in prestashop the db hostname from localhost to the fully qualified domain name, and instantly tcpdump give me all the queries dump. If I change back to localhost, no dump.

Everything is working fine now, packetbeat works fine.

Have you an explanation of this strange behaviour ?

from beats.

I think mysql/mariadb resolves internally "localhost" to "use the unix socket". As a test, you can try "127.0.0.1" instead of "localhost".

from beats.

Works well with 127.0.0.1.
Don't forget to add user permissions in database to 127.0.0.1 instead of localhost, otherwise connect will fail.

Thanks for help 👍

from beats.

Im not getting src_server and dst_server in packetbeat.. Help me

from beats.