I am configuring Kubernetes on AWS EC2.

I use Elasticsearch's Packetbeat to get the geolocation of clients accessing the service.

Istio is used as the service mesh of Kubernetes, and CLB is used for the load balancer.

I want to know the client IP accessing the service and the domain address the client accesses.

My packetbeat.yml:

setup.dashboards.enabled: true
setup.template.enabled: true

setup.template.settings:
  index.number_of_shards: 2

packetbeat.interfaces.device: eth0
packetbeat.interfaces.snaplen: 1514
packetbeat.interfaces.auto_promiscuous_mode: true
packetbeat.interfaces.with_vlans: true

packetbeat.protocols:

- type: dhcpv4
  ports: [67, 68]

- type: dns
  ports: [53]
  include_authorities: true
  include_additionals: true

- type: http
  ports: [80,5601,8081,8002,5000, 8000, 8080, 9200]
  send_request: true
  send_response: true
  send_header: ["User-Agent", "Cookie", "Set-Cookie"]
  real_ip_header: "X-Forwarded-For"

- type: mysql
  ports: [3306, 3307]

- type: memcache
  ports: [11211]

- type: redis
  ports: [6379]

- type: pgsql
  ports: [5432]

- type: thrift
  ports: [9090]

- type: mongodb
  ports: [27017]

- type: cassandra
  ports: [9042]

- type: tls
  ports: [443, 993, 995, 5223, 8443, 8883, 9243, 15021, 15443, 32440]
  send_request: true
  send_response: true
  send_all_headers: true
  include_body_for: ["text/html", "application/json"]

packetbeat.procs.enabled: true

packetbeat.flows:
  timeout: 30s
  period: 10s
  fields: ["server.domain"]

processors:
  - include_fields:
      fields:
        - source.ip
        - server.domain
  - add_docker_metadata:
  - add_host_metadata:
  - add_cloud_metadata:
  - add_kubernetes_metadata:
      host: ${HOSTNAME}
      indexers:
      - ip_port:
      matchers:
      - field_format:
          format: '%{[ip]}:%{[port]}'
          # with version 7 of Packetbeat use the following line instead of the one above.
          #format: '%{[destination.ip]}:%{[destination.port]}'

output.elasticsearch:
  hosts: ${ELASTICSEARCH_ADDRESS}
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}
  pipeline: geoip-info

setup.kibana:
  host: 'https://myhost:443'

My CLB listener:


Proxy protocol is enabled on the CLB.

But Packetbeat doesn't give me the data I want.

Search for the TLS log:

"client": {
  "port": 1196,
  "ip": "10.0.0.83"
},
"network": {
  "community_id": "1:+ARNMwsOGxkBkrmWfCVawtA1GKo=",
  "protocol": "tls",
  "transport": "tcp",
  "type": "ipv4",
  "direction": "egress"
},
"destination": {
  "port": 8443,
  "ip": "10.0.1.77",
  "domain": "my host domain"
},

Search for flow.final: true:

"event": {
  "duration": 1051434189423,
  "kind": "event",
  "start": "2022-10-28T05:25:14.171Z",
  "action": "network_flow",
  "end": "2022-10-28T05:42:45.605Z",
  "category": [
    "network_traffic",
    "network"
  ],
  "type": [
    "connection"
  ],
  "dataset": "flow"
},
"source": {
  "geo": {
    "continent_name": "Asia",
    "region_iso_code": "KR",
    "city_name": "Has-si",
    "country_iso_code": "KR",
    "country_name": "South Korea",
    "region_name": "Gg",
    "location": {
      "lon": 126.8168,
      "lat": 37.2072
    }
  },
  "port": 50305,
  "bytes": 24174,
  "ip": "my real ip address",
  "packets": 166
},

I can find each of them if I search separately, but the two have no point of contact.

I would like to see the above two combined in one log:

the domain the client accesses + the real client IP.

Please help me.

박성일
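One way to combine the two document types offline, as an added example that is not part of the question or of Packetbeat itself: Packetbeat stamps network.community_id on both its flow events and its transaction events, so a TLS transaction (which carries destination.domain from the SNI) and the final flow record of the same connection (which carries source.geo and byte counts) can be joined on that key. The sample documents below are constructed to mirror the shapes shown above; where no flow shares the TLS event's community ID (as is the case for the two documents in the question, which come from different connections) the record is kept and flagged as unmatched instead of being silently dropped.

```python
"""Join Packetbeat TLS transactions with final flow records on network.community_id."""

# Constructed sample documents, not real traffic.
TLS_EVENTS = [
    {"network": {"community_id": "1:constructedA=", "protocol": "tls"},
     "client": {"ip": "10.0.0.83", "port": 1196},
     "destination": {"ip": "10.0.1.77", "port": 8443, "domain": "app.example.test"}},
    {"network": {"community_id": "1:constructedB=", "protocol": "tls"},
     "client": {"ip": "10.0.0.91", "port": 2201},
     "destination": {"ip": "10.0.1.77", "port": 8443, "domain": "api.example.test"}},
]
FLOW_EVENTS = [
    {"network": {"community_id": "1:constructedA="},
     "source": {"ip": "203.0.113.5", "port": 50305, "bytes": 24174,
                "geo": {"country_iso_code": "KR"}},
     "destination": {"ip": "10.0.1.77", "port": 8443},
     "flow": {"final": True}},
    {"network": {"community_id": "1:constructedA="},   # intermediate (non-final) flow, ignored
     "source": {"ip": "203.0.113.5", "port": 50305, "bytes": 1200},
     "flow": {"final": False}},
]


def get(doc, path, default=None):
    """Read a dotted ECS path such as 'source.geo.country_iso_code' from a nested dict."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def join_tls_with_flows(tls_events, flow_events):
    """Return one record per TLS transaction: domain from TLS, client IP/geo from the matching flow."""
    # Only final flow records carry the complete byte and packet counts.
    flows_by_id = {get(f, "network.community_id"): f
                   for f in flow_events if get(f, "flow.final") is True}
    joined = []
    for tls in tls_events:
        cid = get(tls, "network.community_id")
        flow = flows_by_id.get(cid)
        joined.append({
            "community_id": cid,
            "domain": get(tls, "destination.domain"),
            # Without a flow match, fall back to the IP seen in the TLS transaction itself.
            "client_ip": get(flow, "source.ip") if flow else get(tls, "client.ip"),
            "client_country": get(flow, "source.geo.country_iso_code") if flow else None,
            "bytes": get(flow, "source.bytes") if flow else None,
            "matched_flow": flow is not None,
        })
    return joined
```

Note that joining on community ID only helps when both documents describe the same TCP connection; it cannot recover a real client address that the capture point never saw in the packets.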

0 Answers