Packetbeat encoding the params in a non-standard format (using + for space) #2143
Description
I used Packetbeat to sniff queries sent to an Elasticsearch cluster; this is for customers who wish to check the type of queries sent by their users. While testing this it became apparent that Packetbeat is using `+` to encode spaces, and as a result the params cannot be decoded with the standard urldecode plugin for Logstash.
Example of what Packetbeat sends:
```json
{
  "_index": "packetbeat-2016.07.28",
  "_type": "http",
  "_id": "AVYyKZCa8jLTqroK27jr",
  "_score": 2.6520326,
  "_source": {
    "@timestamp": "2016-07-28T15:39:59.917Z",
    "beat": {
      "hostname": "ip-10-255-4-167.eu-west-1.compute.internal",
      "name": "ip-10-255-4-167.eu-west-1.compute.internal"
    },
    "bytes_in": 522,
    "bytes_out": 208,
    "client_ip": "10.255.5.101",
    "client_port": 49594,
    "client_proc": "",
    "client_server": "",
    "count": 1,
    "direction": "in",
    "http": {
      "code": 200,
      "content_length": 121,
      "phrase": "OK"
    },
    "ip": "10.255.4.167",
    "method": "POST",
    "params": "%7B%0A+++%22query%22%3A+%7B%0A++++++%22match_all%22%3A+%7B%7D%0A+++%7D%0A%7D%0A=",
    "path": "/packetbeat-*/_search",
    "port": 9200,
    "proc": "",
    "query": "POST /packetbeat-*/_search",
    "responsetime": 7,
    "server": "",
    "status": "OK",
    "type": "http"
  }
}
```
For confirmed bugs, please report:
- Version: 1.2.3
- Operating System: Redhat
- Steps to Reproduce:
1- Install Packetbeat on your test Elasticsearch cluster hosts.
2- Configure it to sniff HTTP port 9200 and send the data to a monitoring Elasticsearch cluster or, if none is available, the same cluster.
3- Send search queries to the initial cluster.
4- Look at the events sent by Packetbeat in the packetbeat-* index and you will see documents similar to the above.
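The decoding mismatch the report describes, shown as an added example (this is not code from the report, from Packetbeat or from the Logstash urldecode plugin). The `params` value is the one from the document above. Plain RFC 3986 percent-decoding leaves `+` alone, while application/x-www-form-urlencoded decoding turns `+` into a space; only the latter yields the original JSON body. The trailing `=` is read here as Packetbeat having treated the whole JSON body as a single form key with an empty value, which is an assumption about Packetbeat's parser, not something the report states. `form_round_trip` goes slightly beyond the report to show that a literal `+` in the body survives form encoding (as `%2B`), so decoding with form rules is lossless.

```python
"""Decode Packetbeat's `params` field under the two URL-decoding conventions."""
import json
from urllib.parse import parse_qsl, quote_plus, unquote, unquote_plus

# Value copied from the Packetbeat document quoted in the report.
PARAMS = (
    "%7B%0A+++%22query%22%3A+%7B%0A++++++%22match_all%22%3A+%7B%7D%0A+++%7D%0A%7D%0A="
)


def decode_rfc3986(value: str) -> str:
    """Plain percent-decoding (RFC 3986 style): '+' is a literal plus sign."""
    return unquote(value)


def decode_form(value: str) -> str:
    """application/x-www-form-urlencoded decoding: '+' becomes a space,
    then percent sequences are decoded."""
    return unquote_plus(value)


def body_from_params(value: str) -> str:
    """Recover the request body from the params string.

    Assumption: Packetbeat parsed the POST body as a form field, so the whole
    JSON text is one key with an empty value (hence the trailing '=').
    parse_qsl applies form decoding ('+' -> space) to both key and value.
    """
    pairs = parse_qsl(value, keep_blank_values=True)
    keys = [key for key, val in pairs if val == ""]
    return keys[0] if keys else ""


def is_valid_json(text: str) -> bool:
    """True if `text` parses as JSON; used to compare the two decodings."""
    try:
        json.loads(text)
    except ValueError:
        return False
    return True


def parse_es_query(value: str) -> dict:
    """Decode the params field and parse the embedded Elasticsearch query."""
    return json.loads(body_from_params(value))


def form_round_trip(body: str) -> str:
    """Encode a body the way a form-encoder would and decode it back.

    A literal '+' in `body` is encoded as %2B, so a form decoder can
    distinguish it from an encoded space; the round trip is lossless.
    """
    return decode_form(quote_plus(body))


if __name__ == "__main__":
    print("RFC 3986 decode valid JSON?", is_valid_json(decode_rfc3986(PARAMS).rstrip("=")))
    print("form decode valid JSON?    ", is_valid_json(body_from_params(PARAMS)))
    print(parse_es_query(PARAMS))
```

Running it shows the RFC 3986 decoding still contains the `+` characters (and does not parse as JSON), whereas the form decoding gives back the indented `match_all` query; a Logstash pipeline that must consume this field therefore needs a decoder that applies form rules, not plain percent-decoding.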