Running in the Foreground and Enabling Debugging

By default, Packetbeat sends all its output to syslog. You can use the -e command-line flag to redirect the output to standard error instead:

packetbeat -e

The default configuration file is /etc/packetbeat/packetbeat.yml. You can use a different file by using the -c flag:

packetbeat -e -c /etc/packetbeat/packetbeat.yml

You can increase the verbosity of debug messages by enabling one or more debug selectors. For example, to view the published transactions, you can start Packetbeat like this:

packetbeat -e -d "publish"

You can enable multiple debug selectors by separating them with commas. For example, if you also want to see the MySQL parsing messages, run:

packetbeat -e -c /etc/packetbeat/packetbeat.conf -d "publish,mysql,mysqldetailed"

Here is the list of commonly used debug selectors:

  • http
  • httpdetailed
  • ip
  • mysql
  • mysqldetailed
  • pcapfilter
  • pcapread
  • pgsql
  • pgsqldetailed
  • procs
  • procsdetailed
  • publish
  • redis
  • sockets
  • tcp
  • thrift
  • thriftdetailed

If you want all the debugging output (fair warning, it’s quite a lot), you can use *, like this:

packetbeat -e -d "*"