Cannot get all fields in Kibana

I have the following packetbeat.yml

packetbeat.flows:
  period: 60s

packetbeat.interfaces.device: any

packetbeat.protocols.icmp:
  enabled: true

packetbeat.protocols.amqp:
  ports: [5672]

packetbeat.protocols.nfs:
  ports: [2049]

packetbeat.protocols.http:
  ports: [80, 8080, 8000, 5000, 8002]

output.elasticsearch:
  hosts: ["...:9200"]

But for some reason I am not able to see any HTTP-related or other fields in Kibana.

Did I do something wrong in config file?

Do you have any HTTP events with type: http in the packetbeat index? Have you checked whether any flows with the supposed HTTP port numbers exist? Have you tried to reload the index in Kibana?

Does packetbeat get to see actual unencrypted HTTP traffic? You can dump all packets being processed by packetbeat into a pcap file for inspection with Wireshark (I can't recall the CLI flag right now, just run packetbeat with -h). Enabling debug logging (-d '*') will print potential errors if HTTP parsing/processing fails.
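The two checks suggested above (are there any type: http events at all, and do any flows even touch the configured HTTP ports) can be run offline against a dump of packetbeat documents. The script below is an added example and is not from the original thread or from the packetbeat project; it assumes packetbeat 5.x flow documents of the shape the poster quoted (type, dest.port, source.port) and a file of one JSON document per line, such as packetbeat's file output or an export of the packetbeat index. The sample documents embedded in it are constructed for illustration.

```python
import json
from collections import Counter

# Ports from the posted packetbeat.yml (packetbeat.protocols.http.ports).
HTTP_PORTS = [80, 8080, 8000, 5000, 8002]

# Constructed sample (not real packetbeat output): a DNS flow like the one
# quoted in the thread, a TCP flow to port 8080, and an HTTP transaction.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"@timestamp": "2017-06-09T19:55:00.747Z", "type": "flow",
                "transport": "udp",
                "source": {"ip": "10.0.0.5", "port": 47499},
                "dest": {"ip": "10.0.0.53", "port": 53}}),
    json.dumps({"@timestamp": "2017-06-09T19:55:01.000Z", "type": "flow",
                "transport": "tcp",
                "source": {"ip": "10.0.0.5", "port": 51000},
                "dest": {"ip": "10.0.0.80", "port": 8080}}),
    json.dumps({"@timestamp": "2017-06-09T19:55:01.200Z", "type": "http",
                "method": "GET", "path": "/", "status": "OK",
                "client_ip": "10.0.0.5", "ip": "10.0.0.80", "port": 8080}),
])


def load_ndjson(text):
    """Parse one JSON document per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_types(docs):
    """Count events per packetbeat 'type' (flow, http, dns, ...)."""
    return Counter(d.get("type") for d in docs)


def flows_on_ports(docs, ports=HTTP_PORTS):
    """Return the flow documents whose source or dest port is a configured HTTP port."""
    ports = set(ports)
    hits = []
    for d in docs:
        if d.get("type") != "flow":
            continue
        src = d.get("source", {}).get("port")
        dst = d.get("dest", {}).get("port")
        if src in ports or dst in ports:
            hits.append(d)
    return hits


def diagnose(docs, ports=HTTP_PORTS):
    """Classify what the dump tells us about the missing HTTP events.

    'http_events_present'       -> HTTP is parsed; the problem is on the Kibana side
                                   (e.g. index pattern needs a refresh).
    'flows_on_ports_no_http'    -> packets on the HTTP ports are seen, but the HTTP
                                   parser produced nothing: check for TLS on those
                                   ports and for errors in the debug log.
    'no_traffic_on_http_ports'  -> the sniffer never sees HTTP at all: wrong device,
                                   promiscuous mode, or traffic on other ports.
    """
    if count_types(docs).get("http", 0) > 0:
        return "http_events_present"
    if flows_on_ports(docs, ports):
        return "flows_on_ports_no_http"
    return "no_traffic_on_http_ports"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NDJSON
    docs = load_ndjson(text)
    print("events per type:", dict(count_types(docs)))
    print("flows on HTTP ports:", len(flows_on_ports(docs)))
    print("diagnosis:", diagnose(docs))
```

Run it as python check_packetbeat.py dump.ndjson (name assumed); with no argument it runs on the embedded sample. If it reports no traffic on the HTTP ports, the sniffer side (device, promiscuous mode, which host's traffic reaches the interface) is where to look before anything in Kibana.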

Not sure why but this is all data I get:

{
  "@timestamp": "2017-06-09T19:55:00.747Z",
  "beat": {"hostname": "host_name", "name": "host_name", "version": "5.3.0"},
  "dest": {"ip": "xx.xxx.xx.x", "port": 53, "stats": {"net_bytes_total": 384, "net_packets_total": 2}},
  "final": false,
  "flow_id": "EAL/////AP////8I//8AAAEKb18FCm/uLzUAi7k",
  "last_time": "2017-06-09T19:54:54.085Z",
  "source": {"ip": "xx.xxx.xx.x", "port": 47499, "stats": {"net_bytes_total": 174, "net_packets_total": 2}},
  "start_time": "2017-06-09T19:54:54.085Z",
  "transport": "udp",
  "type": "flow"
}

The flow seems to be a DNS request.

Check the packetbeat logs for error or warning messages. Also enable debug logging.

Have packetbeat record a pcap file for inspection with Wireshark. This lets you see exactly the packets packetbeat read from the device.

What's your full packetbeat configuration?

Do you want to monitor localhost or some other container/machine/network? Have you enabled promiscuous mode for your network adapter?
