Mass deployment

Yatesss · September 30, 2019, 3:29pm

Hi all,

Has anyone managed to automate the deployment of packetbeat to Windows 10 machines? I can't figure out how to define the monitoring interfaces in packetbeat.yml on mass while keeping it relatively simple.

Thanks,

Michael_Madden · October 1, 2019, 8:16pm

Hello, thanks for reaching out about packetbeat on Windows 10. For the Windows 10 machines, does the output of packetbeat devices vary? Perhaps there is a pattern where you could specify the first interface like this?

packetbeat.interfaces.device: 0

https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-interfaces.html

Yatesss · October 2, 2019, 3:04pm

Thanks for your response Michael.

I've got an algorithm which seems do able although it's going to take me a while to put together.

It seems you can have any number of packetbeat.interfaces.device: as long as the device exists.

My theory is to do the following:

powershell ./packetbeat.exe devices
count the values returned
for each "device" write to packetbeat.yml packetbeat.interfaces.device: "device"
"device"++

and then run that each time the user logs in to ensure it's continuously accurate. It's messy but seems to be the the closest thing to a workaround I can pull together.

Do you have any thoughts?

Yatesss · October 3, 2019, 11:23am

I've put this together - which uses 3 separate .yml

ConfigTemplate.yml which contains the rest of the packetbeat.yml minus the interfaces.

Interfaces.yml which is a temp file used to write the interfaces to.

packetbeat.yml which is the final config file packetbeat will use.

The python script should be in the packetbeat directory along with the config .yml's

The only limitation is that it needs python on the host machines - the next stage is to see if it can be done with powershell.

Hope this helps anyone else! Any improvements are welcome!

import subprocess

devices = subprocess.check_output(["powershell.exe", "(./packetbeat.exe   devices).count"])

devicesCount = int(devices.decode('utf-8'))

print(devicesCount)

deviceCount = range(devicesCount)


with open('ConfigTemplate.yml', 'r') as original: data1 = original.read()


with open('Interfaces.yml', 'w') as modified: 

  for i in deviceCount:
    modified.write("packetbeat.interfaces.device: " + str(i)+ "\n" )


with open('Interfaces.yml', 'r') as original: data2 = original.read()


with open('Packetbeat.yml', 'w') as modified2: modified2.write("# ================== Set listening interfaces ==================" +"\n"+ data2 + "\n" + data1 + "\n")

Yatesss · October 3, 2019, 1:05pm

Powershell version -

$count = (C:\path\to\packetbeat.exe - devices).count

$line = ''


for($i=0; $i -le ($count-1); $i++){

    $line +="packetbeat.interfaces.device:"+" $i `r`n" 

    }

$line  | Out-File -FilePath "C:\path\to\packetbeat\Interfaces.yml"

$configTemplate = Get-Content -Path "C:\path\to\packetbeat\ConfigTemplate.yml"

$interfaces = Get-Content -Path "C:\path\to\packetbeat\Interfaces.yml"

$interfaces + "`r`n" + $configTemplate | Out-File -FilePath "C:\path\to\packetbeat\packet.yml"

system · October 31, 2019, 1:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.