Running Packetbeat on Docker

Docker images for Packetbeat are available from the Elastic Docker registry. You can retrieve an image with a docker pull command.

docker pull docker.elastic.co/beats/packetbeat:5.6.16

The base image is centos:7 and the source code can be found on GitHub.

Configuring Packetbeat on Docker

The Docker image provides several methods for configuring Packetbeat. The conventional approach is to provide a configuration file via a bind-mounted volume, but it’s also possible to create a custom image with your configuration included.

Bind-Mounted Configuration

One way to configure Packetbeat on Docker is to provide packetbeat.yml via bind-mounting. With docker run, the bind-mount can be specified like this:

docker run \
  -v ~/packetbeat.yml:/usr/share/packetbeat/packetbeat.yml \
  docker.elastic.co/beats/packetbeat:5.6.16
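
A preflight check for the bind mount above, as an added example that is not part of the original documentation: the hypothetical helper check_packetbeat_config rejects a missing or group/other-writable packetbeat.yml and prints the docker run command with the mount marked read-only. The permission rule and the :ro option are assumptions of this example, not requirements stated on this page.

```shell
#!/bin/sh
# Added example: check_packetbeat_config is a hypothetical helper,
# not part of Packetbeat or Docker.

IMAGE="docker.elastic.co/beats/packetbeat:5.6.16"
TARGET="/usr/share/packetbeat/packetbeat.yml"

check_packetbeat_config() {
  cfg="$1"

  # docker run -v creates a missing host path as a directory, which would
  # then be mounted in place of the intended configuration file.
  if [ ! -f "$cfg" ]; then
    echo "error: $cfg is not an existing regular file" >&2
    return 1
  fi

  # Mode string such as -rw-r--r--; character 6 is group write,
  # character 9 is other write. -L follows a symlink to the real file.
  mode=$(ls -ldL -- "$cfg" | cut -c1-10)
  case "$mode" in
    ?????w????|????????w?)
      echo "error: $cfg is writable by group or others ($mode)" >&2
      return 2
      ;;
  esac

  # Use an absolute host path so the mount does not depend on the
  # current working directory.
  abs="$(cd "$(dirname -- "$cfg")" && pwd)/$(basename -- "$cfg")"

  # Print the command with the mount marked read-only (assumption of this
  # example: the container only needs to read its configuration).
  printf 'docker run -v %s:%s:ro %s\n' "$abs" "$TARGET" "$IMAGE"
}
```

Calling check_packetbeat_config ~/packetbeat.yml prints the command to run, or an error on stderr with a non-zero exit status.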

Custom Image Configuration

It’s possible to embed your Packetbeat configuration in a custom image. Here is an example Dockerfile to achieve this:

FROM docker.elastic.co/beats/packetbeat:5.6.16
COPY packetbeat.yml /usr/share/packetbeat/packetbeat.yml
USER root
RUN chown packetbeat /usr/share/packetbeat/packetbeat.yml
USER packetbeat