Step 2: Configure Packetbeatedit

To configure Packetbeat, you edit the configuration file. For rpm and deb, you’ll find the configuration file at /etc/packetbeat/packetbeat.yml. Under Docker, it’s located at /usr/share/packetbeat/packetbeat.yml. For mac and win, look in the archive that you just extracted. There’s also a full example configuration file called packetbeat.reference.yml that shows all non-deprecated options.

Tip

See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

To configure Packetbeat:

  1. Select the network interface from which to capture the traffic.

    • On Linux: Packetbeat supports capturing all messages sent or received by the server on which Packetbeat is installed. For this, use any as the device:

      packetbeat.interfaces.device: any
    • On OS X, capturing from the any device doesn’t work. You would typically use either lo0 or en0 depending on which traffic you want to capture.
    • On Windows, run the following command to list the available network interfaces:

      PS C:\Program Files\Packetbeat> .\packetbeat.exe devices
      
      0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)

      In this example, there’s only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic.

      Modify the device line to point to the index of the device:

      packetbeat.interfaces.device: 0
  2. In the protocols section, configure the ports on which Packetbeat can find each protocol. If you use any non-standard ports, add them here. Otherwise, the default values should do just fine.

    packetbeat.protocols:
    
    - type: dns
      ports: [53]
    
      include_authorities: true
      include_additionals: true
    
    - type: http
      ports: [80, 8080, 8081, 5000, 8002]
    
    - type: memcache
      ports: [11211]
    
    - type: mysql
      ports: [3306]
    
    - type: pgsql
      ports: [5432]
    
    - type: redis
      ports: [6379]
    
    - type: thrift
      ports: [9090]
    
    - type: mongodb
      ports: [27017]
    
    - type: cassandra
      ports: [9042]
    
    - type: tls
      ports: [443]
  3. Configure the output. Packetbeat supports a variety of outputs, but typically you’ll either send events directly to Elasticsearch, or to Logstash for additional processing.

    To send output directly to Elasticsearch (without using Logstash), set the location of the Elasticsearch installation:

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your Cloud ID. For example:

      cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
    • If you’re running Elasticsearch on your own hardware, set the host and port where Packetbeat can find the Elasticsearch installation. For example:

      output.elasticsearch:
        hosts: ["myEShost:9200"]

    To send output to Logstash, Configure the Logstash output instead. For all other outputs, see Configure the output.

  4. If you plan to use the sample Kibana dashboards provided with Packetbeat, configure the Kibana endpoint. You can skip this step if Kibana is running on the same host as Elasticsearch.

    setup.kibana:
      host: "mykibanahost:5601" 

    The hostname and port of the machine where Kibana is running, for example, mykibanahost:5601. If you specify a path after the port number, include the scheme and port: http://mykibanahost:5601/path.

  5. If Elasticsearch and Kibana are secured, set credentials in the packetbeat.yml config file before you run the commands that set up and start Packetbeat.

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your cloud auth credentials. For example:

      cloud.auth: "elastic:YOUR_PASSWORD"
    • If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:

      output.elasticsearch:
        hosts: ["myEShost:9200"]
        username: "filebeat_internal"
        password: "YOUR_PASSWORD" 
      setup.kibana:
        host: "mykibanahost:5601"
        username: "my_kibana_user"  
        password: "YOUR_PASSWORD"

      This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

      The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Packetbeat uses the username and password specified for the Elasticsearch output.

      If you are planning to set up the Kibana dashboards, the user must have the kibana_user built-in role or equivalent privileges.

      For more information, see Securing Packetbeat.

Tip

To test your configuration file, change to the directory where the Packetbeat binary is installed, and run Packetbeat in the foreground with the following options specified: sudo ./packetbeat test config -e. Make sure your config files are in the path expected by Packetbeat (see Directory layout), or use the -c flag to specify the path to the config file. Depending on your OS, you might run into file ownership issues when you run this test. See Config File Ownership and Permissions in the Beats Platform Reference for more information.

Before starting Packetbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Packetbeat.