Step 4: Starting Packetbeatedit

Run Packetbeat by issuing the command that is appropriate for your platform.


If you use an init.d script to start Packetbeat on deb or rpm, you can’t specify command line flags (see Command Line Options). To specify flags, start Packetbeat in the foreground.


sudo /etc/init.d/packetbeat start


sudo /etc/init.d/packetbeat start


sudo chown root packetbeat.yml 
sudo ./packetbeat -e -c packetbeat.yml -d "publish"

You’ll be running Packetbeat as root, so you need to change ownership of the configuration file (see Config File Ownership and Permissions in the Beats Platform Reference).


PS C:\Program Files\Packetbeat> Start-Service packetbeat

By default the log files are stored in C:\ProgramData\packetbeat\Logs.

Testing the Packetbeat Installationedit

Packetbeat is now ready to capture data from your network traffic. You can test that it works by creating a simple HTTP request. For example:

curl > /dev/null

Now verify that the data is present in Elasticsearch by issuing the following command:

curl -XGET 'http://localhost:9200/packetbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance. The command should return data about the HTTP transaction you just created.