DNS traffic is displayed in Kiban, and ICMP is not present
# /etc/packetbeat/packetbeat.yml
packetbeat.interfaces.device: 1
packetbeat.protocols.dns:
ports: [53]
include_authorities: true
include_additionals: true
packetbeat.protocols.icmp:
output.elasticsearch:
hosts: ["localhost:9200"]You need to enable ICMP by adding enabled: true to the ICMP config section like this...
packetbeat.protocols.icmp:
# Enable ICMPv4 and ICMPv6 monitoring. Default: false
enabled: true
Rob
Thank you. I tried. I restarted the elastic packetbeat. Does not preserve
It looks like the idendation is off in your config for icmp.
Tell me please where you can turn it on?
The config to enable ICMP is exactly what Rob gave above. If you continue to have problems please provide your complete config file.
I apologize. Here is the complete file
# /etc/packetbeat/packetbeat.yml
packetbeat.interfaces.device: 1
packetbeat.protocols.dns:
ports: [53]
include_authorities: true
include_additionals: true
packetbeat.protocols.icmp:
enabled: true
output.elasticsearch:
hosts: ["localhost:9200"]The configuration file is YAML and indentation is critical to proper interpretation of the data. Try it like this:
packetbeat.interfaces.device: 1
packetbeat.protocols.dns:
ports: [53]
include_authorities: true
include_additionals: true
packetbeat.protocols.icmp:
enabled: true
output.elasticsearch:
hosts: ["localhost:9200"]
@andrewkroh was a little faster than me. For what it is worth I tested the results with improper indentation as @korsdecaying posted and confirmed that it will cause ICMP to not work as expected.
More about YAML indentation rules here...
http://yaml.org/spec/1.2/2009-07-21/spec.html#id2576668
As you work with Elastic Stack you will likely use YAML in a lot of places. This include configuration files, but also things like Logstash dictionary files use by the translate filter. It is definitely worth familiarizing yourself with the YAML basics.
Rob
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.