Packetbeat command reference

Packetbeat provides a command-line interface for starting Packetbeat and performing common tasks, like testing configuration files and loading dashboards.
The command-line also supports global flags for controlling global behaviors.
Use sudo to run the following commands if:
- the config file is owned by root, or
- Packetbeat is configured to capture data that requires root access (for example, sniffing a network interface).
Some of the features described here require an Elastic license. For more information, see https://www.elastic.co/subscriptions and License Management.
Commands | Description
---|---
export | Exports the configuration, index template, ILM policy, or a dashboard to stdout.
help | Shows help for any command.
keystore | Manages the secrets keystore.
run | Runs Packetbeat. This command is used by default if you start Packetbeat without specifying a command.
setup | Sets up the initial environment, including the index template, ILM policy and write alias, and Kibana dashboards (when available).
test | Tests the configuration.
version | Shows information about the current version.
Also see Global flags.
export command

Exports the configuration, index template, ILM policy, or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template and the ILM policy, or export a dashboard from Kibana.
SYNOPSIS
packetbeat export SUBCOMMAND [FLAGS]
SUBCOMMANDS
- config
  Exports the current configuration to stdout. If you use the -c flag, this command exports the configuration that's defined in the specified file.
- dashboard
  Exports a dashboard. You can use this option to store a dashboard on disk in a module and load it automatically. For example, to export the dashboard to a JSON file, run:
  packetbeat export dashboard --id="DASHBOARD_ID" > dashboard.json
  To find the DASHBOARD_ID, look at the URL for the dashboard in Kibana. By default, export dashboard writes the dashboard to stdout. The example shows how to write the dashboard to a JSON file so that you can import it later. The JSON file will contain the dashboard with all visualizations and searches. You must load the index pattern separately for Packetbeat. To load the dashboard, copy the generated dashboard.json file into the kibana/6/dashboard directory of Packetbeat, and run packetbeat setup --dashboards to import the dashboard. If Kibana is not running on localhost:5601, you must also adjust the Packetbeat configuration under setup.kibana.
- template
  Exports the index template to stdout. You can specify the --es.version flag to further define what gets exported. Furthermore, you can export the template to a file instead of stdout by defining a directory via --dir.
- ilm-policy
  Exports the index lifecycle management policy to stdout. You can specify the --es.version and a --dir to which the policy should be exported as a file rather than exporting to stdout.
FLAGS
- --es.version VERSION
  When used with template, exports an index template that is compatible with the specified version. When used with ilm-policy, exports the ILM policy if the specified ES version is enabled for ILM.
- -h, --help
  Shows help for the export command.
- --dir DIRNAME
  Defines a directory to which the template, pipelines, and ILM policy should be exported as files instead of printing them to stdout.
- --id DASHBOARD_ID
  When used with dashboard, specifies the dashboard ID.
Also see Global flags.
EXAMPLES
packetbeat export config
packetbeat export template --es.version 8.17.0
packetbeat export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json
help command

Shows help for any command. If no command is specified, shows help for the run command.
SYNOPSIS
packetbeat help COMMAND_NAME [FLAGS]
- COMMAND_NAME
  Specifies the name of the command to show help for.
FLAGS
- -h, --help
  Shows help for the help command.
Also see Global flags.
EXAMPLE
packetbeat help export
keystore command

Manages the secrets keystore.
SYNOPSIS
packetbeat keystore SUBCOMMAND [FLAGS]
SUBCOMMANDS
- add KEY
  Adds the specified key to the keystore. Use the --force flag to overwrite an existing key. Use the --stdin flag to pass the value through stdin.
- create
  Creates a keystore to hold secrets. Use the --force flag to overwrite the existing keystore.
- list
  Lists the keys in the keystore.
- remove KEY
  Removes the specified key from the keystore.
FLAGS
- --force
  Valid with the add and create subcommands. When used with add, overwrites the specified key. When used with create, overwrites the keystore.
- --stdin
  When used with add, uses stdin as the source of the key's value instead of prompting interactively. This is how you pipe a secret in from a file or a secrets manager without typing it.
- -h, --help
  Shows help for the keystore command.
Also see Global flags.
EXAMPLES
packetbeat keystore create
packetbeat keystore add ES_PWD
packetbeat keystore remove ES_PWD
packetbeat keystore list
See Secrets keystore for more examples.
run command

Runs Packetbeat. This command is used by default if you start Packetbeat without specifying a command.
SYNOPSIS
packetbeat run [FLAGS]
Or:
packetbeat [FLAGS]
FLAGS
- -I, --I FILE
  Reads packet data from the specified file instead of reading packets from the network. This option is useful only for testing Packetbeat.
  packetbeat run -I ~/pcaps/network_traffic.pcap
- -N, --N
  Disables publishing for testing purposes. This option disables all outputs except the File output.
- -O, --O
  Reads packets one by one by pressing Enter after each. This option is useful only for testing Packetbeat.
- --cpuprofile FILE
  Writes CPU profile data to the specified file. This option is useful for troubleshooting Packetbeat.
- -devices
  Prints the list of devices that are available for sniffing and then exits.
- -dump FILE
  Writes all captured packets to the specified file. This option is useful for troubleshooting Packetbeat.
- -h, --help
  Shows help for the run command.
- --httpprof [HOST]:PORT
  Starts an HTTP server for profiling. This option is useful for troubleshooting and profiling Packetbeat. Bind it to a loopback address unless remote access is required; the profiling endpoints expose runtime internals.
- -l N
  Reads the pcap file N times. The default is 1. Use this option in combination with the -I option. For an infinite loop, use 0. The -l option is useful only for testing Packetbeat.
- --memprofile FILE
  Writes memory profile data to the specified output file. This option is useful for troubleshooting Packetbeat.
- --system.hostfs MOUNT_POINT
  Specifies the mount point of the host's filesystem for use in monitoring a host. This flag is deprecated; specify an alternate hostfs via the hostfs module config value instead.
- -t
  Reads packets from the pcap file as fast as possible without sleeping. Use this option in combination with the -I option. The -t option is useful only for testing Packetbeat.
Also see Global flags.
EXAMPLE
packetbeat run -e
Or:
packetbeat -e
setup command

Sets up the initial environment, including the index template, ILM policy and write alias, and Kibana dashboards (when available).
- The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc.
- The Kibana dashboards make it easier for you to visualize Packetbeat data in Kibana.
This command sets up the environment without actually running Packetbeat and ingesting data. Specify optional flags to set up a subset of assets.
SYNOPSIS
packetbeat setup [FLAGS]
FLAGS
- --dashboards
  Sets up the Kibana dashboards (when available). This option loads the dashboards from the Packetbeat package. For more options, such as loading customized dashboards, see Importing Existing Beat Dashboards in the Beats Developer Guide.
- -h, --help
  Shows help for the setup command.
- --index-management
  Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured).
Also see Global flags.
EXAMPLES
packetbeat setup --dashboards
packetbeat setup --index-management
test command

Tests the configuration.
SYNOPSIS
packetbeat test SUBCOMMAND [FLAGS]
SUBCOMMANDS
- config
  Tests the configuration settings.
- output
  Tests that Packetbeat can connect to the output by using the current settings.
FLAGS
- -h, --help
  Shows help for the test command.
Also see Global flags.
EXAMPLE
packetbeat test config
version command

Shows information about the current version.
SYNOPSIS
packetbeat version [FLAGS]
FLAGS
- -h, --help
  Shows help for the version command.
Also see Global flags.
EXAMPLE
packetbeat version
Global flags

These global flags are available whenever you run Packetbeat.
- -E, --E "SETTING_NAME=VALUE"
  Overrides a specific configuration setting. You can specify multiple overrides. For example:
  packetbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
  This setting is applied to the currently running Packetbeat process. The Packetbeat configuration file is not changed.
- -c, --c FILE
  Specifies the configuration file to use for Packetbeat. The file you specify here is relative to path.config. If the -c flag is not specified, the default config file, packetbeat.yml, is used.
- -d, --d SELECTORS
  Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use -d "*" to enable debugging for all components. For example, -d "publisher" displays all the publisher-related messages.
- -e, --e
  Logs to stderr and disables syslog/file output.
- --environment
  For logging purposes, specifies the environment that Packetbeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: systemd, container, macos_service, and windows_service. If systemd or container is specified, Packetbeat will log to stdout and stderr by default.
- --path.config
  Sets the path for configuration files. See the Directory layout section for details.
- --path.data
  Sets the path for data files. See the Directory layout section for details.
- --path.home
  Sets the path for miscellaneous files. See the Directory layout section for details.
- --path.logs
  Sets the path for log files. See the Directory layout section for details.
- --strict.perms
  Sets strict permission checking on configuration files. The default is --strict.perms=true: the config file must be owned by the user running Packetbeat (or by root) and must not be writable by group or others. See Config file ownership and permissions for more information.
- -v, --v
  Logs INFO-level messages.
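The ownership note at the top of this page (run under sudo when packetbeat.yml is root-owned) and the --strict.perms flag are the two places a badly permissioned config file stops Packetbeat from starting. The following shell script is an added example, not part of Packetbeat: it applies the same ownership and mode rules as a pre-flight step, so the reason a file would be rejected is visible before the Beat is launched, and then hands the file to packetbeat test config when the binary is on PATH. The function names (check_config_perms, file_owner_uid, file_mode) and the default config path are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of Packetbeat): a pre-flight check that applies the
# same rules --strict.perms enforces on the config file before Packetbeat is
# started, typically under sudo. The rules, from the Beats docs on config file
# ownership and permissions, are:
#   * the file is owned by the user invoking Packetbeat or by root (uid 0)
#   * the file is not writable by group or others (0644 or more restrictive)
# The function and helper names are this example's own.

# Owner uid and octal mode via stat(1): GNU form first, BSD/macOS form second.
file_owner_uid() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
file_mode()      { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_config_perms FILE
#   returns 0 if FILE would pass strict permission checking,
#           1 if Packetbeat would refuse to load it,
#           2 if FILE is not a regular file.
check_config_perms() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "strict.perms: $f is not a regular file" >&2
    return 2
  fi
  owner=$(file_owner_uid "$f")
  mode=$(file_mode "$f")
  if [ "$owner" != "$(id -u)" ] && [ "$owner" != 0 ]; then
    echo "strict.perms: $f is owned by uid $owner, expected uid $(id -u) or root" >&2
    return 1
  fi
  # 0$mode reads the stat output as octal; 022 masks the group/other write bits.
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "strict.perms: $f has mode $mode; clear group/other write bits (chmod go-w)" >&2
    return 1
  fi
  return 0
}

# Usage: ./preflight.sh [CONFIG]. After the local check passes, hand the file
# to Packetbeat's own validation; skipped when packetbeat is not on PATH.
cfg=${1:-/etc/packetbeat/packetbeat.yml}
if check_config_perms "$cfg" && command -v packetbeat >/dev/null 2>&1; then
  packetbeat test config -c "$cfg" --strict.perms=true
fi
```

The check is deliberately a superset of what you see in the error message Packetbeat prints: it names the offending uid or mode bits, which is what you need when a file copied in by a deployment tool ends up 0664 or owned by the deploy user rather than the account the Beat runs as.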