Running Packetbeat on Docker

edit

Running Packetbeat on Docker

edit

Docker images for Packetbeat are available from the Elastic Docker registry. You can retrieve an image with a docker pull command.

docker pull docker.elastic.co/beats/packetbeat:5.5.3

The base image is centos:7 and the source code can be found on GitHub.

Configuring Packetbeat on Docker

edit

The Docker image provides several methods for configuring Packetbeat. The conventional approach is to provide a configuration file via a bind-mounted volume, but it’s also possible to create a custom image with your configuration included.

Bind-Mounted Configuration

edit

One way to configure Packetbeat on Docker is to provide packetbeat.yml via bind-mounting. With docker run, the bind-mount can be specified like this:

docker run \
  -v ~/packetbeat.yml:/usr/share/packetbeat/packetbeat.yml \
  docker.elastic.co/beats/packetbeat:5.5.3

Custom Image Configuration

edit

It’s possible to embed your Packetbeat configuration in a custom image. Here is an example Dockerfile to achieve this:

FROM docker.elastic.co/beats/packetbeat:5.5.3
COPY packetbeat.yml /usr/share/packetbeat/packetbeat.yml
USER root
RUN chown packetbeat /usr/share/packetbeat/packetbeat.yml
USER packetbeat