Load ingest pipelines

Packetbeat modules are implemented using Elasticsearch ingest node pipelines, so events receive their transformations within Elasticsearch. The ingest node pipelines must be loaded into Elasticsearch. This can happen in one of several ways.

On connection to Elasticsearch

Packetbeat will send ingest pipelines automatically to Elasticsearch if the Elasticsearch output is enabled.

Make sure the user specified in packetbeat.yml is authorized to set up Packetbeat.

If Packetbeat is sending events to Logstash or another output, you need to load the ingest pipelines with the setup command or manually.

Manually install pipelines

Pipelines can be loaded into Elasticsearch with the _ingest/pipeline REST API call. The user making the REST API call needs to have the ingest_admin role assigned to them.
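A sketch of the manual load described above, as an added example that is not part of the Packetbeat documentation: it builds and sends the PUT request to _ingest/pipeline/<id> and refuses to send credentials over plain HTTP. The host, pipeline id, credentials and pipeline body are constructed placeholders, and HTTP basic authentication for a user holding ingest_admin is an assumption.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Constructed sample body; the real Packetbeat pipelines ship with the Beat.
SAMPLE_PIPELINE = {
    "description": "constructed example pipeline",
    "processors": [{"set": {"field": "labels.example", "value": "constructed"}}],
}

_ID_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_pipeline_request(es_url, pipeline_id, pipeline, user, password):
    """Return a PUT request for <es_url>/_ingest/pipeline/<pipeline_id>."""
    if urllib.parse.urlsplit(es_url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-TLS URL")
    if not _ID_RE.match(pipeline_id):
        raise ValueError("unexpected characters in pipeline id")
    if not isinstance(pipeline.get("processors"), list):
        raise ValueError("pipeline body needs a 'processors' list")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        es_url.rstrip("/") + "/_ingest/pipeline/" + pipeline_id,
        data=json.dumps(pipeline).encode("utf-8"),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Authorization": "Basic " + token,
        },
    )


def load_pipeline(es_url, pipeline_id, pipeline, user, password):
    """Send the request; Elasticsearch answers {"acknowledged": true} on success."""
    req = build_pipeline_request(es_url, pipeline_id, pipeline, user, password)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return bool(json.load(resp).get("acknowledged"))
```

A 403 response from load_pipeline usually means the account lacks the ingest_admin role mentioned above.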