Step 5: Start Packetbeatedit

Run Packetbeat by issuing the command that is appropriate for your platform. If you are accessing a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Packetbeat.

If you use an init.d script to start Packetbeat on deb or rpm, you can’t specify command line flags (see Packetbeat commands). To specify flags, start Packetbeat in the foreground.

deb:

sudo service packetbeat start

rpm:

sudo service packetbeat start

docker:

docker run docker.elastic.co/beats/packetbeat:6.1.4

mac:

sudo chown root packetbeat.yml 
sudo ./packetbeat -e -c packetbeat.yml -d "publish"

You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with -strict.perms=false specified. See Config File Ownership and Permissionsin the Beats Platform Reference.

win:

PS C:\Program Files\Packetbeat> Start-Service packetbeat

By default the log files are stored in C:\ProgramData\packetbeat\Logs.

Test the Packetbeat installationedit

Packetbeat is now ready to capture data from your network traffic. You can test that it works by creating a simple HTTP request. For example:

curl http://www.elastic.co/ > /dev/null

Now verify that the data is present in Elasticsearch by issuing the following command:

curl -XGET 'http://localhost:9200/packetbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance. The command should return data about the HTTP transaction you just created.