Load packetbeat Dashboard into Kibana with localhost access only

I can't seem to get this right.

If I have the ELK stack running in Linux and I want to load the packetbeat dashboard from a remote Windows host.

The issue however is that elasticsearch and kibana are only accessible locally so I can't use packetbeat.exe to load as it requires direct access to elasticsearch?

I should mention that my Windows packetbeat output goes to logstash, not elasticsearch.

If I install packetbeat on the ELK stack host (I don't want to run packetbeat on it), it actually loads the dashboards and another instance of the packetbeat-* index; however, the IDs are wrong and I can't use these visualisations.

What am I doing wrong, how can I get this working properly?

Hi @VamPikmin, it seems that even when you are exclusively using the logstash output you will still need to connect to es to load the dashboards (https://www.elastic.co/guide/en/beats/packetbeat/master/load-kibana-dashboards.html#load-dashboards-logstash).
Were you using the same index pattern when installing the local packetbeat instance (as the one running on Windows)?
If you set the configuration setting setup.dashboards.index when installing the local packetbeat instance with the same index pattern as the one used on your remote packetbeat instance, are you getting any results? (More on this setting here: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-dashboards.html)
Also, have you set a custom index pattern name on the remote packetbeat instance? If so, what are the reasons?

Hi Mariana,
Thanks for your reply.

Here's my logstash config:

input {
  beats {
    port => 5044
  }
}

filter {
  geoip {
    add_tag => [ "GeoIP-DST" ]
    source => "[destination][ip]"
  }

  geoip {
    add_tag => [ "GeoIP-SRC" ]
    source => "[source][ip]"
  }

  geoip {
    database => "/etc/logstash/GeoLite2-ASN.mmdb"
    source => "[destination][ip]"
  }

  geoip {
    database => "/etc/logstash/GeoLite2-ASN.mmdb"
    source => "[source][ip]"
  }
}

output {
  #stdout { codec => rubydebug }

  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

I added this to the server packetbeat.yaml:
setup.dashboards.index: packetbeat-*

As soon as I run packetbeat setup dashboards I end up with a second index:

curl -XGET localhost:9200/_cat/indices/packetbeat*
green open packetbeat-7.1.1-2019.06.06-000001 uFgcJX8cRkWIJPS3Q2hLzg 1 0 0 0 283b 283b
green open packetbeat-7.1.1-2019.06.06 xili0s10RAyDxHE-0bOiDQ 1 0 6804 0 2.7mb 2.7mb

Under Kibana management I have two packetbeat-* indexes; one is set up as favourite and the new one is also set up for ILM, same as when I tried before specifying the index in yaml.

Remote Windows packetbeat yaml uses default settings apart from the output going to logstash instead of the default elasticsearch.

It's late here but will try again tomorrow.

Can I set up a custom index pattern ID when the index gets created using packetbeat?
