WARNING: Version 6.1 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 2: Configure Packetbeat
To configure Packetbeat, you edit the configuration file. For rpm and deb, you’ll find the configuration file at `/etc/packetbeat/packetbeat.yml`. Under Docker, it’s located at `/usr/share/packetbeat/packetbeat.yml`. For mac and win, look in the archive that you just extracted. There’s also a full example configuration file called `packetbeat.reference.yml` that shows all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
To configure Packetbeat:
- Select the network interface from which to capture the traffic.
  - On Linux: Packetbeat supports capturing all messages sent or received by the server on which Packetbeat is installed. For this, use `any` as the device:

    ```yaml
    packetbeat.interfaces.device: any
    ```

  - On OS X, capturing from the `any` device doesn’t work. You would typically use either `lo0` or `en0`, depending on which traffic you want to capture.
  - On Windows, run the following command to list the available network interfaces:

    ```
    PS C:\Program Files\Packetbeat> .\packetbeat.exe -devices
    0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)
    ```

    In this example, there’s only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic. Modify the `device` line to point to the index of the device:

    ```yaml
    packetbeat.interfaces.device: 0
    ```
- In the protocols section, configure the ports on which Packetbeat can find each protocol. If you use any non-standard ports, add them here. Otherwise, the default values should do just fine.

  ```yaml
  packetbeat.protocols:
  - type: dns
    ports: [53]
    include_authorities: true
    include_additionals: true

  - type: http
    ports: [80, 8080, 8081, 5000, 8002]

  - type: memcache
    ports: [11211]

  - type: mysql
    ports: [3306]

  - type: pgsql
    ports: [5432]

  - type: redis
    ports: [6379]

  - type: thrift
    ports: [9090]

  - type: mongodb
    ports: [27017]

  - type: cassandra
    ports: [9042]

  - type: tls
    ports: [443]
  ```
- If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Packetbeat can find the Elasticsearch installation:

  ```yaml
  #-------------------------- Elasticsearch output ------------------------------
  output.elasticsearch:
    hosts: ["192.168.1.42:9200"]
  ```

  If you are sending output to Logstash, make sure you Configure the Logstash output instead.
- If you plan to use the sample Kibana dashboards provided with Packetbeat, configure the Kibana endpoint:

  ```yaml
  setup.kibana:
    host: "localhost:5601"
  ```

  Where `host` is the hostname and port of the machine where Kibana is running, for example, `localhost:5601`. If you specify a path after the port number, you need to include the scheme and port: `http://localhost:5601/path`.
- If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Packetbeat. For example:

  ```yaml
  output.elasticsearch:
    hosts: ["myEShost:9200"]
    username: "elastic"
    password: "elastic"
  setup.kibana:
    host: "mykibanahost:5601"
    username: "elastic"
    password: "elastic"
  ```

  The `username` and `password` settings for Kibana are optional. If you don’t specify credentials for Kibana, Packetbeat uses the `username` and `password` specified for the Elasticsearch output. Also see the security-related options described in Set up the Kibana endpoint and Configure the Elasticsearch output.
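As an added example (not part of the Packetbeat documentation or code base), a small Python checker for the settings walked through above: it resolves dotted and nested setting names the way Beats treats them as equivalent, applies the Kibana credential fallback rule, and flags an unset capture device, a missing output, invalid ports, and a port claimed by two protocol parsers. The sample dictionary is constructed to match the fragments on this page; loading a real `packetbeat.yml` into such a dictionary (for example with PyYAML's `yaml.safe_load`) is assumed and not shown.

```python
from typing import Any, Dict, List, Optional, Tuple
# Constructed sample: what yaml.safe_load would return for the fragments shown on this page.
SAMPLE_CONFIG: Dict[str, Any] = {
    "packetbeat.interfaces.device": "any",
    "packetbeat.protocols": [
        {"type": "dns", "ports": [53], "include_authorities": True, "include_additionals": True},
        {"type": "http", "ports": [80, 8080, 8081, 5000, 8002]},
        {"type": "redis", "ports": [6379]},
        {"type": "tls", "ports": [443]},
    ],
    "output.elasticsearch": {"hosts": ["myEShost:9200"], "username": "elastic", "password": "elastic"},
    "setup.kibana": {"host": "mykibanahost:5601"},
}

def lookup(cfg: Any, path: str) -> Any:
    """Resolve a dotted setting; Beats accepts 'a.b: {...}' and 'a: {b: {...}}' alike, so try every split."""
    parts = path.split(".")
    for i in range(len(parts), 0, -1):
        head, rest = ".".join(parts[:i]), ".".join(parts[i:])
        if isinstance(cfg, dict) and head in cfg:
            return cfg[head] if not rest else lookup(cfg[head], rest)
    return None

def effective_kibana_credentials(cfg: Any) -> Tuple[Optional[str], Optional[str]]:
    """Without setup.kibana credentials, Packetbeat reuses the Elasticsearch output's (rule above)."""
    user, pw = lookup(cfg, "setup.kibana.username"), lookup(cfg, "setup.kibana.password")
    if user is None and pw is None:
        user, pw = lookup(cfg, "output.elasticsearch.username"), lookup(cfg, "output.elasticsearch.password")
    return user, pw

def lint(cfg: Any) -> List[str]:
    """Return human-readable problems; an empty list means the checked settings look sane."""
    problems: List[str] = []
    if lookup(cfg, "packetbeat.interfaces.device") is None:
        problems.append("packetbeat.interfaces.device is not set")
    if not lookup(cfg, "output.elasticsearch.hosts") and not lookup(cfg, "output.logstash.hosts"):
        problems.append("no output hosts configured (Elasticsearch or Logstash)")
    owner: Dict[int, str] = {}  # port -> protocol type that first claimed it
    for i, proto in enumerate(lookup(cfg, "packetbeat.protocols") or []):
        ptype, ports = (proto.get("type"), proto.get("ports")) if isinstance(proto, dict) else (None, None)
        if not ptype or not isinstance(ports, list) or not ports:
            problems.append(f"protocol entry #{i}: needs a 'type' and a non-empty 'ports' list")
            continue
        for port in ports:
            if not isinstance(port, int) or not 1 <= port <= 65535:
                problems.append(f"{ptype}: {port!r} is not a valid TCP/UDP port")
            elif owner.setdefault(port, ptype) != ptype:
                problems.append(f"{ptype}: port {port} is already assigned to {owner[port]}")
    return problems
```

Running `lint` before `packetbeat test config -e` catches the mistakes the page warns about (wrong device index, overlapping protocol ports, forgotten output) without needing the Elasticsearch endpoint to be reachable.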
To test your configuration file, change to the directory where the Packetbeat binary is installed, and run Packetbeat in the foreground with the following options specified:

```sh
sudo ./packetbeat test config -e
```

Make sure your config files are in the path expected by Packetbeat (see Directory layout), or use the `-c` flag to specify the path to the config file. Depending on your OS, you might run into file ownership issues when you run this test. See Config File Ownership and Permissions in the Beats Platform Reference for more information.

Before starting Packetbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Packetbeat.