WARNING: Version 1.2 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 2: Configuring Packetbeat
editStep 2: Configuring Packetbeat
editTo configure Packetbeat, you edit the configuration file. For rpm and deb, you’ll
find the configuration file at /etc/packetbeat/packetbeat.yml
. For mac and win, look in
the archive that you just extracted.
To configure Packetbeat:
-
Select the network interface from which to capture the traffic.
-
On Linux: Packetbeat supports capturing all messages sent or received by the server on which Packetbeat is installed. For this, use
any
as the device:# Select the network interfaces to sniff the data. You can use the "any" # keyword to sniff on all connected interfaces. interfaces: device: any
-
On OS X, capturing from the
any
device doesn’t work. You would typically use eitherlo0
oren0
depending on which traffic you want to capture. -
On Windows, run the following command to list the available network interfaces:
PS C:\Program Files\Packetbeat> .\packetbeat.exe -devices 0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)
In this example, there is only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic.
Modify the
device
line to point to the index of the device:interfaces: device: 0
-
-
In the protocols section, configure the ports on which Packetbeat can find each protocol. If you use any non-standard ports, add them here. Otherwise, the default values should do just fine.
protocols: dns: ports: [53] include_authorities: true include_additionals: true http: ports: [80, 8080, 8081, 5000, 8002] memcache: ports: [11211] mysql: ports: [3306] pgsql: ports: [5432] redis: ports: [6379] thrift: ports: [9090] mongodb: ports: [27017]
-
Set the IP address and port where Packetbeat can find the Elasticsearch installation:
# Configure what outputs to use when sending the data collected by the beat. # Multiple outputs may be used. output: ### Elasticsearch as output elasticsearch: # Array of hosts to connect to. hosts: ["192.168.1.42:9200"]
If you are sending output to Logstash, see Configuring Packetbeat to Use Logstash instead.
To test your configuration file, run Packetbeat in the foreground with the following options specified:
sudo ./packetbeat -configtest -e
.