Configuring Packetbeatedit

Before starting Packetbeat, you need to edit the configuration file. For rpm and deb, you’ll find the configuration file at /etc/packetbeat/packetbeat.yml. For mac and win, look in the archive that you just extracted.

To configure Packetbeat:

  1. Select the network interface from which to capture the traffic.

    • On Linux: Packetbeat supports capturing all messages sent or received by the server on which Packetbeat is installed. For this, use any as the device:

        # Select on which network interfaces to sniff. You can use the "any"
        # keyword to sniff on all connected interfaces.
        device: any
    • On OS X, capturing from the any device doesn’t work. You would typically use either lo0 or en0 depending on which traffic you want to capture.
    • On Windows, run the following command to list the available network interfaces:

      PS C:\Program Files\Packetbeat> .\packetbeat.exe -devices
      0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)

      In this example, there is only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic.

      Modify the device line to point to the index of the device:

        device: 0
  2. In the protocols section, configure the ports on which Packetbeat can find each protocol. If you use any non-standard ports, add them here. Otherwise, the default values should do just fine.

      # Configure which protocols to monitor and on which ports are they
      # running. You can disable a given protocol by commenting out its
      # configuration.
        ports: [80, 8080, 8081, 5000, 8002]
        ports: [11211]
        ports: [3306]
        ports: [6379]
        ports: [5432]
        ports: [9090]
  3. Set the IP address and port where Packetbeat can find the Elasticsearch installation:

        # Uncomment out this option if you want to output to Elasticsearch. The
        # default is false.
        enabled: true
        # Set the host and port where to find Elasticsearch.
        port: 9200
        # Uncomment this option and set it to true if you want to store the topology in
        # Elasticsearch. Default behavior if this setting is left out of the
        # config file is equivalent to setting "save_topology" to "false"
        #save_topology: false