Official installation steps
https://www.elastic.co/guide/en/beats/packetbeat/master/packetbeat-getting-started.html
Official download
https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-5.3.2-linux-x86_64.tar.gz
Extract the archive
tar -zxvf packetbeat-5.3.2-linux-x86_64.tar.gz
Edit the configuration file
packetbeat.yml
Start packetbeat
sudo ./packetbeat -e -c packetbeat.yml
Run in the background:
nohup ./packetbeat -e -c packetbeat.yml > /var/log/packetbeat.log &
Manually load the packetbeat index template
curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/packetbeat' -d @/server/packetbeat/packetbeat.template.json
If Packetbeat was installed before, clean up the old index first:
If you’ve already used Packetbeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from packetbeat-* to force Kibana to look at the newest documents. Use this command:
curl -XDELETE 'http://localhost:9200/packetbeat-*'
Add HTTP request and response information
packetbeat.protocols.http:
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]
  send_request: true
  send_response: true
After a restart, each HTTP event contains the full request and response.
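With send_request and send_response enabled, the stored request and response fields hold the complete HTTP message, including Authorization and Cookie headers and form fields such as passwords, so the packetbeat-* index becomes a store of credentials. Packetbeat's own http options redact_authorization and hide_keywords mask these; the example below is added here (it is not from the page or from Packetbeat) and applies the same masking to a constructed Packetbeat 5.x HTTP event, which is useful for checking what a captured event would expose.

```python
import re

# Constructed sample of a Packetbeat 5.x HTTP event captured with
# send_request: true. The field layout follows Packetbeat; the values
# (host, credentials, cookie) are invented for this example.
SAMPLE_EVENT = {
    "type": "http",
    "method": "POST",
    "path": "/login",
    "client_ip": "10.0.0.5",
    "request": (
        "POST /login HTTP/1.1\r\n"
        "Host: app.example.com\r\n"
        "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
        "Cookie: session=abc123\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "user=admin&password=hunter2&remember=1"
    ),
}

SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie", "set-cookie")
SENSITIVE_PARAMS = ("password", "passwd", "token")
PARAM_RE = re.compile(r"(?i)\b(%s)=[^&]*" % "|".join(SENSITIVE_PARAMS))


def find_sensitive(raw):
    """List sensitive header and form-parameter names found in a raw HTTP message."""
    head, _, body = raw.partition("\r\n\r\n")
    found = [line.split(":", 1)[0].strip().lower() for line in head.split("\r\n")[1:]]
    found = [name for name in found if name in SENSITIVE_HEADERS]
    for kv in body.split("&"):
        key = kv.split("=", 1)[0].lower()
        if key in SENSITIVE_PARAMS:
            found.append(key)
    return found


def redact(raw):
    """Mask sensitive header values with '*' and form values with 'xxxxx'."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = []
    for line in head.split("\r\n"):
        name, colon, _ = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            line = name + ": *"
        lines.append(line)
    return "\r\n".join(lines) + sep + PARAM_RE.sub(r"\1=xxxxx", body)


def redact_event(event):
    """Return a copy of a Packetbeat HTTP event with request/response masked."""
    out = dict(event)
    for field in ("request", "response"):
        if field in out:
            out[field] = redact(out[field])
    return out
```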
Reference article on field configuration, covering http, mongodb and other protocols:
http://www.ttlsa.com/elk/elk-packetbeat-protocols-and-processes-configure-options/
Import the preset dashboards
In the directory where Packetbeat is installed, find the dashboard import script and run it.
After running it, open Kibana at http://127.0.0.1:5601 to view the preset dashboards.
From the directory where you installed Packetbeat, run the import_dashboards script.
./scripts/import_dashboards