Step 4: Starting Packetbeatedit

Run Packetbeat by issuing the command that is appropriate for your platform.

Note

If you use an init.d script to start Packetbeat on deb or rpm, you can’t specify command line flags (see Command Line Options). To specify flags, start Packetbeat in the foreground.

deb:

sudo /etc/init.d/packetbeat start

rpm:

sudo /etc/init.d/packetbeat start

mac:

sudo ./packetbeat -e -c packetbeat.yml -d "publish"

win:

PS C:\Program Files\Packetbeat> Start-Service packetbeat

By default the log files are stored in C:\ProgramData\packetbeat\Logs.

Testing the Packetbeat Installationedit

Packetbeat is now ready to capture data from your network traffic. You can test that it works by creating a simple HTTP request. For example:

curl http://www.elastic.co/ > /dev/null

Now verify that the data is present in Elasticsearch by issuing the following command:

curl -XGET 'http://localhost:9200/packetbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance. The command should return data about the HTTP transaction you just created.