Remote IP of incoming connections? #297

Open
MattRiesterer opened this issue Jun 1, 2017 · 5 comments

Comments

@MattRiesterer

Hi,

we want to use connbeat to monitor the connections of a server. What I do not get so far: Do you report the remote IP of incoming connections? This would be particularly useful for us.

thanks a lot

Matt

@raboof
Owner

raboof commented Jun 7, 2017

Hi Matt,

You're right: the basic assumption for connbeat is that you'll be using it at both sides of the connection (necessary to determine the process information on each side), so once we establish we are listening on a certain port we don't repeat this information for each connecting client.

If you'd like to see each individual connection (rather than the more general 'connection between nodes') perhaps packetbeat might be a good fit for you? If not, I'm curious why not, and we could consider making it an option for connbeat.

Regards,

Arnout

@MattRiesterer
Author

Hi Arnout,

the use case is, well, let's call it "applied system archeology". This is about monitoring - usually quite old - systems to understand who's still connecting to them. Identifying the clients allows us to contact their respective owners and find ways to replace the system without causing too much trouble within the corporation.
Another one is to review if opened firewall rules (by port or by remote IP address) are still used or may be removed.
Sure, there are plenty of other technologies to achieve this but just installing connbeat when an ES infrastructure is already available is quite handy.

It would be great if you would consider this in a next version of connbeat.

Best regards,

Matthias

@raboof
Owner

raboof commented Jun 8, 2017

Have you considered packetbeat (https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-getting-started.html)? This should be almost as easy to install as connbeat (you might have to do some more configuration).

I'm happy to keep this feature request open, I think it could be a reasonable thing to add. I have to warn that I'm currently quite busy with other projects and not planning to take on big additions to connbeat, though.

@MattRiesterer
Author

Yes, I considered packetbeat actually before looking into connbeat. It is not an option as you have to specify protocol and port there. Especially as some of the protocols we're using are not supported by packetbeat.

connbeat would really close a gap when supporting remote IP detection.

@toke
Contributor

toke commented Jun 20, 2017

Actually it seems to be a misunderstanding, partly because of naming.

Connbeat speaks internally "incomingConnection" and "outgoingConnection" but in reality it's different:

  • incomingConnection is a listening Socket (not connected)
  • outgoingConnection is an established Connection (in or outgoing)

The resulting json has also these two different variants. A listening Socket has no remote parameters (ip or port) and an established Connection has.

I will add a pull request fixing this soon.
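
The distinction described in the last comment (a listening socket has no remote address, an established connection does) can be seen directly in the Linux socket table. The following is an added example, not connbeat's code and not written by any participant in this thread: it reads rows in the `/proc/net/tcp` layout and reports, per listening port, the remote IPs of established connections on that port. The sample rows and the names `parseAddr` and `InboundPeers` are constructed for illustration; IPv4 and a little-endian host are assumed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the Linux /proc/net/tcp layout (trailing columns omitted).
const sample = `  sl  local_address rem_address   st
   0: 0A00000A:0016 0B00000A:C350 01
   1: 00000000:0016 00000000:0000 0A
   2: 0A00000A:D431 3200000A:01BB 01
   3: 0A00000A:0016 0C00000A:C351 01`

// parseAddr decodes "0B00000A:C350". Assumes IPv4 on a little-endian host,
// where the address bytes appear reversed; the port is plain hex.
func parseAddr(s string) (string, int, error) {
	var ip uint32
	var port int
	_, err := fmt.Sscanf(s, "%x:%x", &ip, &port)
	return fmt.Sprintf("%d.%d.%d.%d", ip&0xff, ip>>8&0xff, ip>>16&0xff, ip>>24), port, err
}

// InboundPeers maps each listening port (state 0A) to the remote IPs of
// established connections (state 01) whose local port is that listener.
func InboundPeers(table string) map[int][]string {
	listening, peers := map[int]bool{}, map[int][]string{}
	for _, want := range []string{"0A", "01"} { // listeners first, then peers
		for _, row := range strings.Split(table, "\n")[1:] { // skip header
			f := strings.Fields(row)
			if len(f) < 4 || f[3] != want {
				continue
			}
			_, lport, err1 := parseAddr(f[1])
			rip, _, err2 := parseAddr(f[2])
			switch {
			case err1 != nil || err2 != nil: // skip rows that do not parse
			case want == "0A":
				listening[lport] = true
			case listening[lport]: // established on a port we listen on: inbound
				peers[lport] = append(peers[lport], rip)
			}
		}
	}
	return peers
}

func main() {
	fmt.Println(InboundPeers(sample))
}
```

The row with local port 54321 is dropped because nothing listens on that port, so it is a connection this host initiated rather than a client connecting in.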
