- Packetbeat Reference: other versions:
- Overview
- Getting Started With Packetbeat
- Running Packetbeat on Docker
- Upgrading Packetbeat
- Configuring Packetbeat
- Configuration Options (Reference)
- Processors
- Setting Traffic Capturing Options
- Filtering and Enhancing the Exported Data
- Configuring Packetbeat to Use Ingest Node
- Exporting GeoIP Information
- Configuring Packetbeat to Use Logstash
- Configuring Flows to Monitor Network Traffic
- Using Environment Variables in the Configuration
- Configuring Thrift-RPC Support
- Maintaining the Real-Time State of the Network Topology
- YAML Tips and Gotchas
- Exported Fields
- AMQP Fields
- Beat Fields
- Cassandra Fields
- Cloud Provider Metadata Fields
- Common Fields
- DNS Fields
- Flow Event Fields
- HTTP Fields
- ICMP Fields
- Memcache Fields
- MongoDb Fields
- MySQL Fields
- NFS Fields
- PostgreSQL Fields
- Raw Fields
- Redis Fields
- Thrift-RPC Fields
- Transaction Event Fields
- Measurements (Transactions) Fields
- Securing Packetbeat
- Visualizing Packetbeat Data in Kibana
- Troubleshooting
- Developer Guide: Adding a New Protocol
WARNING: Version 5.4 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Running Packetbeat on Docker
editRunning Packetbeat on Docker
editDocker images for Packetbeat are available from the Elastic Docker
registry. You can retrieve an image with a docker pull command.
docker pull docker.elastic.co/beats/packetbeat:5.4.3
The base image is centos:7 and the source code can be found on GitHub.
Configuring Packetbeat on Docker
editThe Docker image provides several methods for configuring Packetbeat. The conventional approach is to provide a configuration file via a bind-mounted volume, but it’s also possible to create a custom image with your configuration included.
Bind-Mounted Configuration
editOne way to configure Packetbeat on Docker is to provide packetbeat.yml via bind-mounting.
With docker run, the bind-mount can be specified like this:
docker run \ -v ~/packetbeat.yml:/usr/share/packetbeat/packetbeat.yml \ docker.elastic.co/beats/packetbeat:5.4.3
Custom Image Configuration
editIt’s possible to embed your Packetbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
FROM docker.elastic.co/beats/packetbeat:5.4.3 COPY packetbeat.yml /usr/share/packetbeat/packetbeat.yml USER root RUN chown packetbeat /usr/share/packetbeat/packetbeat.yml USER packetbeat