Step 4: Starting Packetbeat

Run Packetbeat by issuing the following command:

deb:

sudo /etc/init.d/packetbeat start

rpm:

sudo /etc/init.d/packetbeat start

mac:

sudo ./packetbeat -e -c packetbeat.yml -d "publish"

Here -c points Packetbeat at its configuration file, -e sends log output to stderr instead of a log file, and -d "publish" enables debug messages from the publisher so you can see each event as it is shipped to Elasticsearch.

win:

PS C:\Program Files\Packetbeat> Start-Service packetbeat

On Windows, the log files are stored by default in C:\ProgramData\packetbeat\Logs.

Testing the Packetbeat Installation

Packetbeat is now ready to capture data from your network traffic. You can test that it works by generating a simple HTTP request. Use plain HTTP rather than HTTPS: Packetbeat decodes HTTP only in the clear, and only on the ports configured for the http protocol in packetbeat.yml (port 80 is among the defaults) on the interface it was configured to sniff. For example:

curl http://www.elastic.co/ > /dev/null

Now verify that the data is present in Elasticsearch by issuing the following command:

curl -XGET 'http://localhost:9200/packetbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance, and supply credentials if it requires authentication. The command should return one or more documents describing the HTTP transaction you just created. If it returns zero hits, confirm that Packetbeat is running, that the request left through the interface and port Packetbeat is sniffing, and that the Packetbeat log shows no errors connecting to Elasticsearch.
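The two curl commands above can be combined into one check that generates the test request, queries Elasticsearch for recent HTTP transactions only (rather than everything under packetbeat-*) and prints a compact summary. The script below is an added example, not code from the Packetbeat documentation. It assumes Elasticsearch is reachable at ES_URL without authentication and that Packetbeat stores each HTTP transaction as a document whose type field is "http" with method, path and status fields; those field names are assumptions and should be adjusted to whatever your Packetbeat version emits. The embedded SAMPLE_RESPONSE is a constructed Elasticsearch search response used only to exercise the parsing functions without a live cluster.

```python
"""Check that Packetbeat indexed the HTTP test transaction in Elasticsearch.

Added example, not part of the Packetbeat documentation. Assumptions:
Elasticsearch at ES_URL with no authentication; HTTP transactions are
documents with type == "http" and method/path/status fields (field names
are assumed; adjust to your Packetbeat version).
"""
import json
import urllib.request

ES_URL = "http://localhost:9200"       # assumption: replace with your instance
TEST_URL = "http://www.elastic.co/"    # plain HTTP on purpose: TLS is opaque to Packetbeat
INDEX_PATTERN = "packetbeat-*"


def build_query(minutes: int = 5, size: int = 10) -> dict:
    """Search body selecting HTTP transactions captured in the last `minutes`."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {
            "bool": {
                "filter": [
                    {"term": {"type": "http"}},
                    {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}},
                ]
            }
        },
    }


def total_hits(response: dict) -> int:
    """hits.total is a bare int in older Elasticsearch and {"value": n} in 7.x+."""
    total = response.get("hits", {}).get("total", 0)
    if isinstance(total, dict):
        return int(total.get("value", 0))
    return int(total)


def summarize_hits(response: dict) -> list:
    """Reduce each hit to (method, path, status) for a quick eyeball check."""
    out = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        out.append((src.get("method"), src.get("path"), src.get("status")))
    return out


def fetch_and_summarize(es_url: str = ES_URL) -> tuple:
    """POST the query to a live Elasticsearch; returns (total, summary)."""
    req = urllib.request.Request(
        f"{es_url}/{INDEX_PATTERN}/_search",
        data=json.dumps(build_query()).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    return total_hits(body), summarize_hits(body)


# Constructed sample response shaped like a Packetbeat HTTP document, so the
# parsing functions can be exercised without a running Elasticsearch.
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "hits": [{
            "_index": "packetbeat-2016.01.01",
            "_source": {
                "@timestamp": "2016-01-01T12:00:00.000Z",
                "type": "http",
                "method": "GET",
                "path": "/",
                "status": "OK",
                "bytes_in": 79,
                "bytes_out": 1234,
            },
        }],
    }
}

if __name__ == "__main__":
    # Same effect as `curl http://www.elastic.co/ > /dev/null`: one plain-HTTP
    # request for Packetbeat to capture (urllib follows any redirect, but the
    # initial request on port 80 is what Packetbeat sees).
    with urllib.request.urlopen(TEST_URL, timeout=10) as r:
        r.read()
    total, summary = fetch_and_summarize()
    print(f"{total} HTTP transaction(s) in the last 5 minutes")
    for method, path, status in summary:
        print(f"  {method} {path} -> {status}")
```

Restricting the query to type:http within a short time window keeps the check meaningful on a cluster that already holds days of Packetbeat data, and handling both shapes of hits.total avoids a false "no data" result when the Elasticsearch version differs from the one the page was written against.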