- Packetbeat Reference: other versions:
- Overview
- Get started
- Set up and run
- Upgrade Packetbeat
- Configure
- Traffic sniffing
- Network flows
- Protocols
- Processes
- General settings
- Project paths
- Output
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_json_fields
- decompress_gzip_field
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- registered_domain
- rename
- translate_sid
- truncate_fields
- Internal queue
- Logging
- HTTP endpoint
- packetbeat.reference.yml
- How to guides
- Exported fields
- AMQP fields
- Beat fields
- Cassandra fields
- Cloud provider metadata fields
- Common fields
- DHCPv4 fields
- DNS fields
- Docker fields
- ECS fields
- Flow Event fields
- Host fields
- HTTP fields
- ICMP fields
- Jolokia Discovery autodiscover provider fields
- Kubernetes fields
- Memcache fields
- MongoDb fields
- MySQL fields
- NFS fields
- PostgreSQL fields
- Process fields
- Raw fields
- Redis fields
- Thrift-RPC fields
- Detailed TLS fields
- Transaction Event fields
- Measurements (Transactions) fields
- Monitor
- Secure
- Visualize Packetbeat data in Kibana
- Troubleshoot
- Get help
- Debug
- Record a trace
- Common problems
- Dashboard in Kibana is breaking up data fields incorrectly
- Packetbeat doesn’t see any packets when using mirror ports
- Packetbeat can’t capture traffic from Windows loopback interface
- Packetbeat is missing long running transactions
- Packetbeat isn’t capturing MySQL performance data
- Packetbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- Fields show up as nested JSON in Kibana
- Contribute to Beats
Secure communication with Elasticsearch
editSecure communication with Elasticsearch
editTo secure the communication between Packetbeat and Elasticsearch, you can use HTTPS and basic authentication. Basic authentication for Elasticsearch is available when you enable X-Pack security (see Secure a cluster and Use security features). If you aren’t using X-Pack security, you can use a web proxy instead.
Here is a sample configuration:
output.elasticsearch: username: packetbeat password: verysecret protocol: https hosts: ["elasticsearch.example.com:9200"]
|
The username to use for authenticating to Elasticsearch. |
|
|
The password to use for authenticating to Elasticsearch. |
|
|
This setting enables the HTTPS protocol. |
|
|
The IP and port of the Elasticsearch nodes. |
To obfuscate passwords and other sensitive settings, use the secrets keystore.
Packetbeat verifies the validity of the server certificates and only accepts trusted certificates. Creating a correct SSL/TLS infrastructure is outside the scope of this document.
By default Packetbeat uses the list of trusted certificate authorities from the operating system where Packetbeat is running. You can configure Packetbeat to use a specific list of CA certificates instead of the list from the OS. You can also configure it to use client authentication by specifying the certificate and key to use when the server requires the Packetbeat to authenticate. Here is an example configuration:
output.elasticsearch: username: packetbeat password: verysecret protocol: https hosts: ["elasticsearch.example.com:9200"] ssl.certificate_authorities: - /etc/pki/my_root_ca.pem - /etc/pki/my_other_ca.pem ssl.certificate: "/etc/pki/client.pem" ssl.key: "/etc/pki/key.pem"
|
The list of CA certificates to trust |
|
|
The path to the certificate for SSL client authentication |
|
|
The client certificate key |
For any given connection, the SSL/TLS certificates must have a subject
that matches the value specified for hosts, or the SSL handshake fails.
For example, if you specify hosts: ["foobar:9200"], the certificate MUST
include foobar in the subject (CN=foobar) or as a subject alternative name
(SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then
you can associate the IP address with your hostname in /etc/hosts
(on Unix) or C:\Windows\System32\drivers\etc\hosts (on Windows).