WARNING: Version 6.1 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Packetbeat commands
Packetbeat provides a command-line interface for running the Beat and performing common tasks, like testing configuration files and loading dashboards. The command line also supports global flags for controlling global behaviors.
Use sudo to run the following commands if:
- the config file is owned by root, or
- Packetbeat is configured to capture data that requires root access
export | Exports the configuration or index template to stdout.
help | Shows help for any command.
run | Runs Packetbeat. This command is used by default if you start Packetbeat without specifying a command.
setup | Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available).
test | Tests the configuration.
version | Shows information about the current version.
Also see Global flags.
export command
Exports the configuration or index template to stdout. You can use this command to quickly view your configuration or the contents of the index template.
SYNOPSIS
packetbeat export SUBCOMMAND [FLAGS]
SUBCOMMANDS
- config
  Exports the current configuration to stdout. If you use the -c flag, this command exports the configuration that’s defined in the specified file.
- template
  Exports the index template to stdout. You can specify the --es.version and --index flags to further define what gets exported.
FLAGS
- --es.version VERSION
  When specified along with template, exports an index template that is compatible with the specified version.
- -h, --help
  Shows help for the export command.
- --index BASE_NAME
  When specified along with template, sets the base name to use for the index template. If this flag is not specified, the default base name is packetbeat.
Also see Global flags.
EXAMPLES
packetbeat export config
packetbeat export template --es.version 6.1.4 --index myindexname
help command
Shows help for any command. If no command is specified, shows help for the run command.
SYNOPSIS
packetbeat help COMMAND_NAME [FLAGS]
- COMMAND_NAME
  Specifies the name of the command to show help for.
FLAGS
- -h, --help
  Shows help for the help command.
Also see Global flags.
EXAMPLE
packetbeat help export
run command
Runs Packetbeat. This command is used by default if you start Packetbeat without specifying a command.
SYNOPSIS
packetbeat run [FLAGS]
Or:
packetbeat [FLAGS]
FLAGS
- -I, --I FILE
  Reads packet data from the specified file instead of reading packets from the network. This option is useful only for testing Packetbeat.
  packetbeat run -I ~/pcaps/network_traffic.pcap
- -N, --N
  Disables the publishing of events to the defined output. This option is useful only for testing Packetbeat.
- -O, --O
  Reads packets one by one by pressing Enter after each. This option is useful only for testing Packetbeat.
- --cpuprofile FILE
  Writes CPU profile data to the specified file. This option is useful for troubleshooting Packetbeat.
- -devices
  Prints the list of devices that are available for sniffing and then exits.
- -dump FILE
  Writes all captured packets to the specified file. This option is useful for troubleshooting Packetbeat.
- -h, --help
  Shows help for the run command.
- --httpprof [HOST]:PORT
  Starts an HTTP server for profiling. This option is useful for troubleshooting and profiling Packetbeat.
- -l N
  Reads the pcap file N number of times. The default is 1. Use this option in combination with the -I option. For an infinite loop, use 0. The -l option is useful only for testing Packetbeat.
- --memprofile FILE
  Writes memory profile data to the specified output file. This option is useful for troubleshooting Packetbeat.
- --setup
  Loads the sample Kibana dashboards. If you want to load the dashboards without running Packetbeat, use the setup command instead.
- -t
  Reads packets from the pcap file as fast as possible without sleeping. Use this option in combination with the -I option. The -t option is useful only for testing Packetbeat.
Also see Global flags.
EXAMPLE
packetbeat run -e --setup
Or:
packetbeat -e --setup
setup command
Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available).
- The index template ensures that fields are mapped correctly in Elasticsearch.
- The Kibana dashboards make it easier for you to visualize Packetbeat data in Kibana.
- The machine learning jobs contain the configuration information and metadata necessary to analyze data for anomalies.
Use this command instead of run --setup when you want to set up the environment without actually running Packetbeat and ingesting data.
SYNOPSIS
packetbeat setup [FLAGS]
FLAGS
- --dashboards
  Sets up the Kibana dashboards only.
- -h, --help
  Shows help for the setup command.
- --machine-learning
  Sets up machine learning job configurations only.
- --template
  Sets up the index template only.
Also see Global flags.
EXAMPLE
packetbeat setup --dashboards
test command
Tests the configuration.
SYNOPSIS
packetbeat test SUBCOMMAND [FLAGS]
SUBCOMMANDS
- config
  Tests the configuration settings.
- output
  Tests that Packetbeat can connect to the output by using the current settings.
FLAGS
- -h, --help
  Shows help for the test command.
Also see Global flags.
EXAMPLE
packetbeat test config
version command
Shows information about the current version.
SYNOPSIS
packetbeat version [FLAGS]
FLAGS
- -h, --help
  Shows help for the version command.
Also see Global flags.
EXAMPLE
packetbeat version
Global flags
These global flags are available whenever you run Packetbeat.
- -E, --E "SETTING_NAME=VALUE"
  Overrides a specific configuration setting. You can specify multiple overrides. For example:
  packetbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
  This setting is applied to the currently running Packetbeat process. The Packetbeat configuration file is not changed.
- -c, --c FILE
  Specifies the configuration file to use for Packetbeat. The file you specify here is relative to path.config. If the -c flag is not specified, the default config file, packetbeat.yml, is used.
- -d, --d SELECTORS
  Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use -d "*" to enable debugging for all components. For example, -d "publish" displays all the "publish" related messages.
- -e, --e
  Logs to stderr and disables syslog/file output.
- --path.config
  Sets the path for configuration files. See the Directory layout section for details.
- --path.data
  Sets the path for data files. See the Directory layout section for details.
- --path.home
  Sets the path for miscellaneous files. See the Directory layout section for details.
- --path.logs
  Sets the path for log files. See the Directory layout section for details.
- --strict.perms
  Sets strict permission checking on configuration files. The default is -strict.perms=true. See Config file ownership and permissions in the Beats Platform Reference for more information.
- -v, --v
  Logs INFO-level messages.
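The ownership and permission condition behind --strict.perms and the sudo note at the top of this page, as an added shell example that is not part of the Packetbeat documentation: it rejects a config file that is writable by group or others, or owned by someone other than root or the invoking user, and only then runs packetbeat test config. The rule is the one given in the Beats Platform Reference rather than on this page, and check_config_perms and preflight are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-flight check for a Packetbeat config file.
# check_config_perms and preflight are hypothetical helper names.

# Return 0 if FILE is owned by root or the invoking user and has no
# group/other write bit; otherwise print the reason and return 1.
check_config_perms() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # ls -ldn prints the mode string and the numeric owner in fields 1 and 3.
    meta=$(ls -ldn -- "$f" | awk '{print $1, $3}')
    mode=${meta% *}
    owner=${meta#* }
    if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
        echo "$f: owner uid $owner is neither root nor the invoking user" >&2
        return 1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "$f: mode $mode is writable by group or others (fix: chmod go-w)" >&2
        return 1
    fi
    return 0
}

# Check permissions first, then let Packetbeat validate the settings.
# -c is resolved relative to path.config, per the flag description above.
preflight() {
    check_config_perms "$1" || return 1
    if command -v packetbeat >/dev/null 2>&1; then
        packetbeat test config -c "$1"
    else
        echo "packetbeat not on PATH; skipped 'packetbeat test config'" >&2
    fi
}
```

Run preflight against the config file before starting the service, so a permissions problem is reported with its cause instead of surfacing as a startup failure.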