Packetbeat quick start: installation and configuration


Packetbeat quick start: installation and configurationedit

The best way to understand the value of a network packet analytics system like Packetbeat is to try it on your own traffic.

This guide describes how to get started quickly with network packets analytics. You’ll learn how to:

  • install Packetbeat on each system you want to monitor
  • specify the network devices and protocols to sniff
  • parse the packet data into fields and send it to Elasticsearch
  • visualize the packet data in Kibana
Packetbeat Overview dashboard

Before you beginedit

  • You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it.

    To get started quickly, spin up a deployment of our hosted Elasticsearch Service. The Elasticsearch Service is available on AWS, GCP, and Azure. Try it out for free.

  • On most platforms, Packetbeat requires the libpcap packet capture library. Depending on your OS, you might need to install it:

    sudo apt-get install libpcap0.8

Step 1: Install Packetbeatedit

You can install Packetbeat on dedicated servers, getting the traffic from mirror ports or tap devices, or you can install it on your existing application servers.

To download and install Packetbeat, use the commands that work with your system:

curl -L -O
sudo dpkg -i packetbeat-7.16.3-amd64.deb

Other installation optionsedit

Step 2: Connect to the Elastic Stackedit

Connections to Elasticsearch and Kibana are required to set up Packetbeat.

Set the connection information in packetbeat.yml. To locate this configuration file, see Directory layout.

Specify the of your Elasticsearch Service, and set cloud.auth to a user who is authorized to set up Packetbeat. For example: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "packetbeat_setup:YOUR_PASSWORD" 

This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

To learn more about required roles and privileges, see Grant users access to secured resources.

You can send data to other outputs, such as Logstash, but that requires additional configuration and setup.

Step 3: Configure sniffingedit

In packetbeat.yml, configure the network devices and protocols to capture traffic from.

  1. Set the sniffer type. By default, Packetbeat uses pcap, which uses the libpcap library and works on most platforms.

    On Linux, set the sniffer type to af_packet to use memory-mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific:

    packetbeat.interfaces.type: af_packet
  2. Specify the network device to capture traffic from. For example:

    packetbeat.interfaces.device: eth0

    On Linux, specify packetbeat.interfaces.device: any to capture all messages sent or received by the server where Packetbeat is installed. The any setting does not work on macOS.

    To see a list of available devices, run:

    packetbeat devices

    For more information about these settings, see Traffic sniffing.

  3. In the protocols section, configure the ports where Packetbeat can find each protocol. If you use any non-standard ports, add them here. Otherwise, use the default values.

    - type: dhcpv4
      ports: [67, 68]
    - type: dns
      ports: [53]
    - type: http
      ports: [80, 8080, 8081, 5000, 8002]
    - type: memcache
      ports: [11211]
    - type: mysql
      ports: [3306,3307]
    - type: pgsql
      ports: [5432]
    - type: redis
      ports: [6379]
    - type: thrift
      ports: [9090]
    - type: mongodb
      ports: [27017]
    - type: cassandra
      ports: [9042]
    - type: tls
      ports: [443, 993, 995, 5223, 8443, 8883, 9243]

To test your configuration file, change to the directory where the Packetbeat binary is installed, and run Packetbeat in the foreground with the following options specified: sudo ./packetbeat test config -e. Make sure your config files are in the path expected by Packetbeat (see Directory layout), or use the -c flag to specify the path to the config file. Depending on your OS, you might run into file ownership issues when you run this test. See Config File Ownership and Permissions for more information.

For more information about configuring Packetbeat, also see:

Step 4: Set up assetsedit

Packetbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:

  1. Make sure the user specified in packetbeat.yml is authorized to set up Packetbeat.
  2. From the installation directory, run:

    packetbeat setup -e

    -e is optional and sends output to standard error instead of the configured log output.

This step loads the recommended index template for writing to Elasticsearch and deploys the sample dashboards for visualizing the data in Kibana.

A connection to Elasticsearch (or Elasticsearch Service) is required to set up the initial environment. If you’re using a different output, such as Logstash, see Load the index template manually and Load Kibana dashboards.

Step 5: Start Packetbeatedit

Before starting Packetbeat, modify the user credentials in packetbeat.yml and specify a user who is authorized to publish events.

To start Packetbeat, run:

sudo service packetbeat start

If you use an init.d script to start Packetbeat, you can’t specify command line flags (see Command reference). To specify flags, start Packetbeat in the foreground.

Also see Packetbeat and systemd.

Packetbeat should begin streaming data to Elasticsearch.

Step 6: View your data in Kibanaedit

Packetbeat comes with pre-built Kibana dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the setup command.

To open the dashboards:

  1. Launch Kibana:

    1. Log in to your Elastic Cloud account.
    2. Navigate to the Kibana endpoint in your deployment.
  2. In the side navigation, click Discover. To see Packetbeat data, make sure the predefined packetbeat-* index pattern is selected.

    If you don’t see data in Kibana, try changing the time filter to a larger range. By default, Kibana shows the last 15 minutes.

  3. In the side navigation, click Dashboard, then select the dashboard that you want to open.

The dashboards are provided as examples. We recommend that you customize them to meet your needs.

To populate the client locations map in the overview dashboard, follow the steps described in Enrich events with geoIP information.

What’s next?edit

Now that you have your data streaming into Elasticsearch, learn how to unify your logs, metrics, uptime, and application performance data.

  1. Ingest data from other sources by installing and configuring other Elastic Beats:

    Elastic Beats To capture


    Infrastructure metrics




    Windows event logs


    Uptime information


    Application performance metrics


    Audit events

  2. Use the Observability apps in Kibana to search across all your data:

    Elastic apps Use to

    Metrics app

    Explore metrics about systems and services across your ecosystem

    Logs app

    Tail related log data in real time

    Uptime app

    Monitor availability issues across your apps and services

    APM app

    Monitor application performance

    SIEM app

    Analyze security events