Elastic Stack : Install Packetbeat2025/10/16 |
|
Install Packetbeat that collects and analyze Network packets. |
|
| [1] | Install Packetbeat. Configure Elasticsearch repository before it. |
|
root@dlp:~# apt -y install packetbeat
|
| [2] | Configure basic settings and start Packetbeat. |
|
root@dlp:~#
vi /etc/packetbeat/packetbeat.yml # line 58 : set items to collect data # if disable ICMPv4/ICMPv6, turn to false # line 68 and later : many items are targeted as monitoring by default, # but if not need, comment out the line [ports: ***] packetbeat.protocols: - type: icmp # Enable ICMPv4 and ICMPv6 monitoring. Default: false enabled: true - type: amqp # Configure the ports where to listen for AMQP traffic. You can disable # the AMQP protocol by commenting out the list of ports. ports: [5672] ..... ..... # line 181 : if use Kibana, uncomment and specify output host # if SSL is enabled on Kibana, hostname should be the same with the hostname in certs # [username] and [password] is the admin user's one # if using self-signed certificate, specify [ssl.verification_mode: none] setup.kibana: ..... host: "https://dlp.srv.world:5601" protocol: "https" username: "elastic" password: "password" ssl.enabled: true ssl.verification_mode: none # line 217 : specify output of Elasticsearch # [username] and [password] is the admin user's one # [ssl.certificate_authorities] is the cacert generated by Elasticsearch installation output.elasticsearch: # Array of hosts to connect to. hosts: ["https://dlp.srv.world:9200"] protocol: "https" #api_key: "id:api_key" username: "elastic" password: "password" ssl.certificate_authorities: "/etc/elasticsearch/certs/http_ca.crt" ..... .....
root@dlp:~#
vi /etc/packetbeat/packetbeat.reference.yml # line 1864 : if use Kibana, uncomment and specify output host # if SSL is enabled on Kibana, uncomment ssl related lines # [username] and [password] is the admin user's one # if using self-signed certificate, specify [ssl.verification_mode: none] setup.kibana: # Kibana Host # Scheme and port can be left out and will be set to the default (http and 5601) # In case you specify and additional path, the scheme is required: http://localhost:5601/path # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 host: "https://dlp.srv.world:5601" # Optional protocol and basic auth credentials. protocol: "https" username: "elastic" password: "password" # Optional HTTP Path #path: "" # Use SSL settings for HTTPS. Default is true. ssl.enabled: true ..... ..... # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. # The default value is full. ssl.verification_mode: noneroot@dlp:~# systemctl enable --now packetbeat
|
| [3] | Verify status the data has been collected normally. |
|
# index list root@dlp:~# curl -u elastic --cacert /etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200/_cat/indices?v Enter host password for user 'elastic' health status index uuid pri rep docs.count docs.deleted store.size pri.store.size dataset.size green open .internal.alerts-transform.health.alerts-default-000001 WYIrcziPSB61k_EjlRvNWA 1 0 0 0 249b 249b 249b yellow open .ds-metricbeat-9.1.5-2025.10.16-000001 iFHmlkWqQYuxJeK9LM5nNA 1 1 1798 0 2.3mb 2.3mb 2.3mb green open .internal.alerts-observability.logs.alerts-default-000001 AWecw7NwQuGi6NSUH8d5hA 1 0 0 0 249b 249b 249b green open .internal.alerts-observability.uptime.alerts-default-000001 B69GpuDOTteviBM8maoY9w 1 0 0 0 249b 249b 249b green open .internal.alerts-ml.anomaly-detection.alerts-default-000001 kB22vDWkRsiGMn2uwjz7pQ 1 0 0 0 249b 249b 249b green open .internal.alerts-observability.slo.alerts-default-000001 RdloOOlgTq-xz9iaWKTYXw 1 0 0 0 249b 249b 249b green open .internal.alerts-default.alerts-default-000001 O3rAr2zSQR-cwJcyFUTRBw 1 0 0 0 249b 249b 249b green open .internal.alerts-streams.alerts-default-000001 TmcpmlgvTACt9RLIO3ewjA 1 0 0 0 249b 249b 249b green open .internal.alerts-observability.apm.alerts-default-000001 Bb2-R3ctRw-DR0UX3ohWgw 1 0 0 0 249b 249b 249b green open .internal.alerts-security.attack.discovery.alerts-default-000001 Zr0KNzeVRLyRyhu4FIsmfg 1 0 0 0 249b 249b 249b yellow open .ds-packetbeat-9.1.5-2025.10.16-000001 JG5URGXZSz65riuKhGU02A 1 1 136 0 227.9kb 227.9kb 227.9kb green open .internal.alerts-observability.metrics.alerts-default-000001 s9kwcco-SKKkQUElzx0sDw 1 0 0 0 249b 249b 249b green open .internal.alerts-ml.anomaly-detection-health.alerts-default-000001 EtkLfH1fTP2AdYngE3dH8Q 1 0 0 0 249b 249b 249b green open .internal.alerts-observability.threshold.alerts-default-000001 I576fuZFQ-We6AT7DOjrIQ 1 0 0 0 249b 249b 249b green open .internal.alerts-security.alerts-default-000001 HfszRaZ5TtafW3W9kDH5Ow 1 0 0 0 249b 249b 249b green open .internal.alerts-dataset.quality.alerts-default-000001 9SiuGdcAQnCl6DI-HRLowg 1 0 0 0 249b 249b 249b yellow open test_index 9JxiZ5C7QXq2fC1UliIOCA 1 1 1 0 6.7kb 6.7kb 6.7kb green open .internal.alerts-stack.alerts-default-000001 x0vSiLWjSPSdiKgDj1WEBA 1 0 0 0 249b 249b 249b # document list on the index root@dlp:~# curl -u elastic --cacert /etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200/.ds-packetbeat-9.1.5-2025.10.16-000001/_search?pretty
Enter host password for user 'elastic':
{
"took" : 1,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 490,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : ".ds-packetbeat-9.1.5-2025.10.16-000001",
"_id" : "FDNw6pkBV9tUpIIApEHB",
"_score" : 1.0,
"_source" : {
"server" : {
"port" : 53,
"bytes" : 87,
"ip" : "10.0.0.10"
},
"agent" : {
"name" : "dlp.srv.world",
"id" : "77ee35a0-fa34-4c00-a93c-b1b87be53201",
"ephemeral_id" : "8161020a-790e-437b-aa90-957472c97e14",
.....
.....
|
| [4] | If Kibana is running, it's possible to import data to sample Dashboards. |
|
root@dlp:~# packetbeat setup --dashboards Loading dashboards (Kibana must be running and reachable) Loaded dashboards |
|
|
Matched Content