Cannot get all fields in Kibana

I have the following packetbeat.yml

  period: 60s

packetbeat.interfaces.device: any

  enabled: true

  ports: [5672]

  ports: [2049]

  ports: [80, 8080, 8000, 5000, 8002]

  hosts: ["...:9200"]

But for some reason I am not able to see any http-related and other fields in Kibana:

Did I do something wrong in config file?

Do you have any HTTP events with type: http in the packetbeat index? Have you check any flows with supposed HTTP port numbers exist? Have you tried to reload the index in kibana?

Does packetbeat gets to see actual unencrypted HTTP traffic? You can a dump all packets being processed by packetbeat into a pcap file for inspection with wireshark (I can't recall the CLI flag right now, just run packetbeat with -h). Enabling debug logging (-d '*') will print potential errors if HTTP parsing/processing fails.

Not sure why but this is all data I get:


The flow seems to be a DNS request.

Check packetbeat logs for error or warning message. Also enable debug logging.

Have packetbeat record a pcap file for inespection with wireshark. This let's you see exactly the packets packetbeat did read from the device.

What's your full packetbeat configuration?

Do you want to monitor localhost or some other container/machine/network? Have you enabled promisc mode for you network adapter?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.