Linux 环境
packetbeat Doc: https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation.html
1.下载并安装packetbeat安装包
2.配置packetbeat.yml
监听的device
#============================== Network device ================================
# Interface that packetbeat sniffs on. On Linux the keyword "any" captures every
# connected interface; name a single interface (e.g. eth0) to narrow the capture
# to the traffic you actually need to monitor.
packetbeat.interfaces.device: any
配置协议（type 与 ports）
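#========================== Transaction protocols =============================
# One list entry per protocol decoder. The original paste had several entries
# fused onto one line (e.g. "enabled: true- type: amqp"), which is not valid
# YAML; each "- type:" must start its own list item.
packetbeat.protocols:
  - type: icmp
    # Enable ICMPv4 and ICMPv6 monitoring. Default: false
    enabled: true

  - type: amqp
    # Configure the ports where to listen for AMQP traffic. You can disable
    # the AMQP protocol by commenting out the list of ports.
    ports: [5672]

  - type: cassandra
    # Cassandra port for traffic monitoring.
    ports: [9042]

  - type: dns
    # Configure the ports where to listen for DNS traffic. You can disable
    # the DNS protocol by commenting out the list of ports.
    ports: [53]
    # include_authorities controls whether or not the dns.authorities field
    # (authority resource records) is added to messages.
    include_authorities: true
    # include_additionals controls whether or not the dns.additionals field
    # (additional resource records) is added to messages.
    include_additionals: true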
配置输出
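#-------------------------- Elasticsearch output ------------------------------
# Disabled here; the Logstash output below is the active one. Only one output
# should be enabled at a time. The original paste had the host line and the
# credential comment fused together, which is restored to separate lines here.
#output.elasticsearch:
  # Array of hosts to connect to.
  # hosts: ["*.*.*.*:9200"]

  # Optional protocol and basic auth credentials.
  # If you enable this output, do not leave a real password as a literal in a
  # file that is committed or copied around; reference it from a secret store
  # or keystore instead.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts ("*.*.*.*" is a placeholder; replace with the real host)
  hosts: ["*.*.*.*:5044"]

  # Optional SSL. By default is off.
  # With the ssl.* keys commented out, captured transaction data (DNS queries,
  # AMQP/Cassandra connection metadata) is sent in plaintext with no server
  # verification. Enable the CA list below so the Logstash endpoint is verified,
  # and the client certificate/key if Logstash requires client authentication.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key (keep this file readable only by the packetbeat user)
  #ssl.key: "/etc/pki/client/cert.key"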
3.运行 packetbeat
# Run packetbeat in the foreground from its install directory; it reads
# packetbeat.yml from there. Sniffing raw packets generally needs root or the
# CAP_NET_RAW capability, so run it with the least privilege that still works.
./packetbeat
后台运行
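# Run packetbeat detached from the terminal, with stdout and stderr both sent
# to log.txt. The original line had two typos ("nohub", "packebeat") that would
# make the command fail with "command not found".
# log.txt receives packetbeat's operational log; keep its permissions restricted
# to the user running packetbeat.
nohup ./packetbeat > log.txt 2>&1 &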