Step 2: Configuring Packetbeat

To configure Packetbeat, you edit its configuration file. For the rpm and deb packages, the file is at /etc/packetbeat/packetbeat.yml. For the Mac and Windows archives, it is packetbeat.yml in the directory you just extracted.

To configure Packetbeat:

  1. Select the network interface from which to capture the traffic.

    • On Linux: Packetbeat can capture every packet sent or received by the server on which it is installed. For this, use any as the device. Capturing from a raw network device requires root privileges (or the CAP_NET_RAW capability), which is why the test command at the end of this page runs under sudo.

      # Select the network interfaces to sniff the data. You can use the "any"
      # keyword to sniff on all connected interfaces.
      interfaces:
        device: any
    • On OS X, capturing from the any device doesn’t work. You would typically use either lo0 or en0 depending on which traffic you want to capture.
    • On Windows, run the following command to list the available network interfaces:

      PS C:\Program Files\Packetbeat> .\packetbeat.exe -devices
      
      0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)

      In this example, there is only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic.

      Modify the device line to point to the index of the device:

      interfaces:
        device: 0
  2. In the protocols section, configure the ports on which Packetbeat can find each protocol. If you use any non-standard ports, add them here; otherwise the defaults should do just fine. Packetbeat chooses a decoder by port, so traffic on a port that is not listed under any protocol is not decoded at all, and the same port must not be listed under two different protocols.

    protocols:
      dns:
        ports: [53]
    
        include_authorities: true
        include_additionals: true
    
      http:
        ports: [80, 8080, 8081, 5000, 8002]
    
      memcache:
        ports: [11211]
    
      mysql:
        ports: [3306]
    
      pgsql:
        ports: [5432]
    
      redis:
        ports: [6379]
    
      thrift:
        ports: [9090]
    
      mongodb:
        ports: [27017]
  3. Set the IP address and port where Packetbeat can find the Elasticsearch installation:

    # Configure what outputs to use when sending the data collected by the beat.
    # Multiple outputs may be used.
    output:
      ### Elasticsearch as output
      elasticsearch:
        # Array of hosts to connect to.
        hosts: ["192.168.1.42:9200"]

    If you are sending output to Logstash, see Configuring Packetbeat to Use Logstash instead.

To test your configuration file, run Packetbeat in the foreground with the following options: sudo ./packetbeat -configtest -e. The -configtest option parses and validates the configuration and then exits without capturing anything, and -e sends the log output to stderr instead of syslog or a log file, so any configuration error is printed straight to your terminal.