Filebeat spec is incorporating Packetbeat inputs into its config #427
Description
When an agent policy contains the Packetbeat redis input, Elastic Agent is generating config for Filebeat that includes a redis log input. The policy for Packetbeat uses input type: packet with a data_stream of type: redis. For example:
# agent policy
inputs:
- type: packet
streams:
- data_stream:
dataset: network_traffic.redis
type: logs
type: redis
ports:
- 6379The impact is that this causes Filebeat to report UNHEALTHY status if Packetbeat is deployed at the same time. A workaround is to disable redis collection in the Network Packet Capture integration.
Here is a patch to the Elastic Agent testdata that reproduces the bug using unit tests:
Details
diff --git a/internal/pkg/agent/program/testdata/single_config-packetbeat.yml b/internal/pkg/agent/program/testdata/single_config-packetbeat.yml
index f800d0bd2..4ea37b1fb 100644
--- a/internal/pkg/agent/program/testdata/single_config-packetbeat.yml
+++ b/internal/pkg/agent/program/testdata/single_config-packetbeat.yml
@@ -23,6 +23,13 @@ inputs:
data_stream:
dataset: packet.icmp
type: logs
+ - data_stream:
+ dataset: network_traffic.redis
+ type: logs
+ id: packet-network_traffic.redis-387bdc6a-0acb-4ef2-9552-c21e524a2d21
+ ports:
+ - 6379
+ type: redis
output:
elasticsearch:
hosts:
diff --git a/internal/pkg/agent/program/testdata/single_config.yml b/internal/pkg/agent/program/testdata/single_config.yml
index 16a03f9a7..140a61f79 100644
--- a/internal/pkg/agent/program/testdata/single_config.yml
+++ b/internal/pkg/agent/program/testdata/single_config.yml
@@ -104,6 +104,13 @@ inputs:
data_stream:
dataset: packet.icmp
type: logs
+ - data_stream:
+ dataset: network_traffic.redis
+ type: logs
+ id: packet-network_traffic.redis-387bdc6a-0acb-4ef2-9552-c21e524a2d21
+ ports:
+ - 6379
+ type: redis
- id: endpoint-id
type: endpoint
name: endpoint-1Workarounds
You can disable the redis protocol in the network packet capture integration.
