WARNING: Version 1.2 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 3: Loading the Index Template in Elasticsearchedit
Before starting Packetbeat, you need to load the index template, which lets Elasticsearch know which fields should be analyzed in which way.
The recommended template file is installed by the Packetbeat packages. You can either configure Packetbeat to load the template automatically, or you can run a shell command to load the template:
Configuring Packetbeat to Load the Templateedit
To configure Packetbeat to load the template, you must enable the elasticsearch output. In the Packetbeat configuration file, uncomment the template part under elasticsearch output. By default the template is named packetbeat. Adjust the path to your template file.
output:
elasticsearch:
hosts: ["localhost:9200"]
# A template is used to set the mapping in Elasticsearch
# By default template loading is disabled and no template is loaded.
# These settings can be adjusted to load your own template or overwrite existing ones
template:
# Template name. By default the template name is packetbeat.
#name: "packetbeat"
# Path to template file
path: "packetbeat.template.json"
# Overwrite existing template
#overwrite: false
The template is loaded when you start Packetbeat. By default, if a template
already exists in the index, it is not overwritten. To overwrite an existing template,
set overwrite: true in the configuration file.
Running a Shell Command to Load the Templateedit
You can load the template by running the following command:
deb or rpm:
curl -XPUT 'http://localhost:9200/_template/packetbeat' -d@/etc/packetbeat/packetbeat.template.json
mac:
cd packetbeat-1.2.3-darwin curl -XPUT 'http://localhost:9200/_template/packetbeat' -d@packetbeat.template.json
win:
PS C:\Program Files\Packetbeat> Invoke-WebRequest -Method Put -InFile packetbeat.template.json -Uri http://localhost:9200/_template/packetbeat?pretty
where localhost:9200 is the IP and port where Elasticsearch is listening.
If you’ve already used Packetbeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from packetbeat-* to force Kibana to look at the newest documents. Use this command:
curl -XDELETE 'http://localhost:9200/packetbeat-*'