1. Introduction
Packetbeat is an open-source, real-time network packet capture and analysis framework. It ships with parsers for many common protocols, such as HTTP, MySQL and Redis, and turns each request/response pair it sees into a structured transaction record. In practice it is almost always deployed together with Elasticsearch and Kibana: Elasticsearch for searching and analysing the captured transactions, Kibana for visualising them.
The protocols Packetbeat currently parses include:
ICMP (v4 and v6)
DNS
HTTP
MySQL
PostgreSQL
Redis
Thrift-RPC
MongoDB
Memcache
NFS
TLS (handshake metadata only; nothing is decrypted)
Packetbeat can run directly on the application servers or on a dedicated capture host. In the second case the host has to be fed a copy of the traffic, from a switch mirror (SPAN) port or a network tap; Packetbeat only sees what reaches the interface it is bound to.
2. Installing Packetbeat
1) Install Packetbeat
[root@web01 ~]# rpm -ivh packetbeat-7.4.0-x86_64.rpm
2) Configure Packetbeat
[root@web01 ~]# cat /etc/packetbeat/packetbeat.yml
# Capture on eth0 only. `packetbeat devices` lists the interfaces it can see;
# on Linux, set the device to `any` to capture on all of them.
packetbeat.interfaces.device: eth0

# Flow records: an active flow is reported every 10s and closed after 30s idle.
packetbeat.flows:
  timeout: 30s
  period: 10s

# Protocol parsers. A parser only inspects traffic on the ports listed for it,
# so a service on a non-standard port stays invisible until its port is added.
packetbeat.protocols:
- type: icmp
  enabled: true
- type: dns
  ports: [53]
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: mysql
  ports: [3306, 3307]
- type: redis
  ports: [6379]
- type: nfs
  ports: [2049]
- type: tls
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch

setup.kibana:
  host: "10.0.0.161:5601"

output.elasticsearch:
  hosts: ["10.0.0.161:9200", "10.0.0.162:9200", "10.0.0.163:9200"]

Two points worth checking before using this outside a lab. The tls parser records handshake metadata (SNI, certificate details, cipher suite, protocol version); it cannot decrypt the payload, so HTTPS requests do not show up as HTTP transactions. More importantly, both the Kibana and the Elasticsearch connections above are plain HTTP with no credentials: the captured HTTP requests, SQL queries and DNS lookups travel in the clear, and anyone who can reach port 9200 can read or delete them. For production, set protocol: https, username/password (or an API key) and ssl.certificate_authorities under output.elasticsearch, and the same under setup.kibana. Running `packetbeat test config` and `packetbeat test output` validates the file and the Elasticsearch connection before the service is started.
3) Start (or restart) Packetbeat
[root@web01 ~]# systemctl restart packetbeat
4) Load the index template, ILM policy and Kibana dashboards
This only needs to be run once per cluster; it requires Elasticsearch and Kibana to be reachable with the settings above. The -e flag sends the log to stderr so that any connection error is visible in the terminal.
[root@web01 ~]# packetbeat setup -e
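Once the service is running, every HTTP, MySQL and DNS transaction the parsers above decode becomes one JSON document, which is what Elasticsearch indexes. The script below is an added example, not code from the original post or from the Packetbeat project: it reads a handful of hand-constructed events in that shape (the same NDJSON you would get from Packetbeat's output.file) and applies the kind of first-pass triage a SOC would run on them: a SQL-injection pattern in an HTTP request, the same pattern reaching the database in the MySQL query it produced, and a DNS query name that looks like tunnelling or exfiltration. It assumes Packetbeat 7.x field names (event.dataset, source.ip, url.path, url.query, the top-level query field for MySQL, dns.question.name); check them against the exported-fields reference for the version you run, and treat the regular expression and the thresholds as starting points to tune, not as a finished detection.

```python
"""Triage Packetbeat events for a few classic attack patterns.

Added example, not code from the original post or the Packetbeat project.
Field names assumed to follow Packetbeat 7.x (event.dataset, source.ip,
url.path, url.query, top-level query for MySQL, dns.question.name).
The sample events are constructed by hand; they are not real captures.
"""
import json
import math
import re
from urllib.parse import unquote_plus

# Constructed sample events: a benign HTTP request, an HTTP request carrying a
# SQL-injection payload, the MySQL query it produced on the backend, a benign
# DNS lookup, and a DNS query with a long hex label (typical of tunnelling).
SAMPLE_NDJSON = """\
{"@timestamp":"2019-10-01T10:00:00.000Z","event":{"dataset":"http"},"source":{"ip":"10.0.0.50"},"destination":{"ip":"10.0.0.10","port":80},"http":{"request":{"method":"GET"},"response":{"status_code":200}},"url":{"path":"/index.html","query":""}}
{"@timestamp":"2019-10-01T10:00:01.000Z","event":{"dataset":"http"},"source":{"ip":"203.0.113.7"},"destination":{"ip":"10.0.0.10","port":80},"http":{"request":{"method":"GET"},"response":{"status_code":500}},"url":{"path":"/login.php","query":"user=admin'%20OR%20'1'%3D'1&pass=x"}}
{"@timestamp":"2019-10-01T10:00:02.000Z","event":{"dataset":"mysql"},"source":{"ip":"10.0.0.10"},"destination":{"ip":"10.0.0.20","port":3306},"query":"SELECT id FROM users WHERE name='admin' OR '1'='1'"}
{"@timestamp":"2019-10-01T10:00:03.000Z","event":{"dataset":"dns"},"source":{"ip":"10.0.0.50"},"destination":{"ip":"10.0.0.2","port":53},"dns":{"question":{"name":"www.example.com"}}}
{"@timestamp":"2019-10-01T10:00:04.000Z","event":{"dataset":"dns"},"source":{"ip":"10.0.0.50"},"destination":{"ip":"10.0.0.2","port":53},"dns":{"question":{"name":"4a6f686e2e446f653a50617373773072643132.c2.example.net"}}}
"""

# Crude SQL-injection indicators. Tune per application: parameters that
# legitimately carry SQL (admin consoles, report builders) will false-positive.
SQLI_RE = re.compile(
    r"(?i)("
    r"\bunion\b\s+(all\s+)?select\b"        # UNION-based
    r"|'\s*(or|and)\s*'[^']*'\s*=\s*'"       # ' OR '1'='1
    r"|\b(sleep|benchmark|pg_sleep)\s*\("    # time-based
    r"|--\s|/\*"                             # comment truncation
    r")"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high (pure hex tops out at 4.0)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def dns_reason(name: str, max_label: int = 30, max_entropy: float = 3.5):
    """Return a reason string if a query name looks like DNS tunnelling, else None."""
    labels = [l for l in name.lower().split(".") if l]
    longest = max((len(l) for l in labels), default=0)
    if longest > max_label:
        return f"label length {longest} > {max_label}"
    # Score only the subdomain part; the registrable domain is usually low-entropy.
    sub = "".join(labels[:-2])
    ent = shannon_entropy(sub)
    if len(sub) >= 16 and ent > max_entropy:
        return f"subdomain entropy {ent:.2f} > {max_entropy}"
    return None


def triage(ndjson: str):
    """Return a list of (dataset, source_ip, reason, evidence) for suspicious events."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        dataset = ev.get("event", {}).get("dataset")
        src = ev.get("source", {}).get("ip")
        if dataset == "http":
            url = ev.get("url", {})
            # Decode once so %27 / + obfuscation does not hide the payload.
            target = unquote_plus(url.get("path", "") + "?" + url.get("query", ""))
            m = SQLI_RE.search(target)
            if m:
                alerts.append((dataset, src, "sqli pattern in request", m.group(0)))
        elif dataset == "mysql":
            m = SQLI_RE.search(ev.get("query", ""))
            if m:
                alerts.append((dataset, src, "sqli pattern reached the database", m.group(0)))
        elif dataset == "dns":
            name = ev.get("dns", {}).get("question", {}).get("name", "")
            reason = dns_reason(name)
            if reason:
                alerts.append((dataset, src, reason, name))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_NDJSON):
        print(*alert, sep="\t")
```

Correlating the second and third alerts is the point of capturing both sides: the HTTP event shows which client sent the payload and the MySQL event shows that the application passed it through to the database unchanged, which is the difference between a probe and an actual injection. In Elasticsearch the same three checks translate directly into queries on url.query, query and dns.question.name.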