Hello, beats wizards.
I would greatly appreciate help in making packetbeat work.
I have the following configuration.
An Ubuntu-based sensor with two interfaces (management and sniffing) is running packetbeat version 1.1.2 (386). It is configured to send network capture data to the host with the ELK stack, running logstash (version 2.2.2), over port 5044/tcp. Logstash is configured to forward the data to Elasticsearch (version 1.4.4). When I start packetbeat on the sensor, no "packetbeat-" index is created in Elasticsearch. I have followed the recommendations on how to enable beats on the ELK server.
Here is the packetbeat configuration on the sensor (I took out the lines starting with #):
```yaml
interfaces:
  device: eth4
  snaplen: 1514
protocols:
  dns:
    ports: [53]
    include_authorities: true
    include_additionals: true
  http:
    ports: [80, 800, 8080, 8000, 5000, 8002]
    send_all_headers: true
    split_cookie: true
  memcache:
  mysql:
  pgsql:
  redis:
  thrift:
  mongodb:
output:
  elasticsearch:
    hosts: ["10.1.5.199:5044"]
    compression_level: 0
    index: packetbeat
shipper:
logging:
  to_files: true
  files:
    path: /var/log/mybeat
    name: mybeat.log
    rotateeverybytes: 10485760 # = 10MB
    keepfiles: 7
```
Here is the logstash configuration:
```
input {
  beats {
    port => 5044
    type => "packetbeat"
  }
}
output {
  if [type] == "packetbeat" {
    stdout { codec => rubydebug }
    elasticsearch {
      hosts => "127.0.0.1:9200"
      # sniffing => true
      manage_template => false
      index => "packetbeat-%{+YYYY.MM.dd}"
      document_type => "packetbeat"
    }
  }
}
```
When I run tcpdump on port 5044, I see the sensor connecting to the ELK server, but not sending the actual data, just the "HEAD" probes:
```
HEAD / HTTP/1.1
```
When I configure packetbeat to output to a file on the sensor, I see network packet data being logged. However, when logstash is configured as the output, the data is not sent across. Could you let me know what I am doing wrong?
There are no errors in the logstash.err or logstash.log files, and the logstash.stdout file is empty.
Thanks a lot!
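An added example, not part of the original post or of the packetbeat/logstash projects: the `HEAD / HTTP/1.1` requests in the capture are plain HTTP, which is what packetbeat's `elasticsearch` output speaks to the Elasticsearch REST API. The `beats` input in Logstash on port 5044 is not an HTTP endpoint (it speaks the Beats protocol), so it never answers those probes and no events are shipped. The fragment below places the posted `output` section beside the `logstash` output that the Beats 1.x configuration uses to talk to a `beats` input; the host and port are the ones from the post, and the `index` setting is assumed to be wanted unchanged.

```yaml
# As posted: an Elasticsearch (HTTP) output aimed at Logstash's beats input.
# Logstash's beats input does not speak HTTP, so the HEAD / probes go unanswered.
# output:
#   elasticsearch:
#     hosts: ["10.1.5.199:5044"]
#     compression_level: 0
#     index: packetbeat

# Assumed fix: the logstash output matches the beats input on 5044 (Beats 1.x syntax).
output:
  logstash:
    hosts: ["10.1.5.199:5044"]
    index: packetbeat

# Alternative (assumed, if Logstash is not needed in the path): keep the
# elasticsearch output but point it at the Elasticsearch HTTP port, not 5044.
# output:
#   elasticsearch:
#     hosts: ["10.1.5.199:9200"]
#     index: packetbeat
```

Two checks worth doing after the change: the sensor's `/var/log/mybeat/mybeat.log` should stop reporting connection or publish failures, and the `stdout { codec => rubydebug }` output in the Logstash config should start printing events, which is the quickest way to confirm that Logstash is receiving them before looking for the index in Elasticsearch. Because the Logstash output sets `manage_template => false`, the packetbeat index template also has to be loaded into Elasticsearch separately (the Beats 1.x setup steps cover loading `packetbeat.template.json` with curl); without it the daily index is still created, but the fields are not mapped as the Kibana dashboards expect.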