Packetbeat 5.0 doesn't export HTTP traffic or Kibana doesn't display it

Hello,

I followed the configuration guidelines, but it seems I am missing something. I need to display HTTP POST requests in Kibana, but the only things I can see are the destination and source IP addresses.

Any help is much appreciated.

Here is the configuration.

packetbeat.yml:
packetbeat.protocols.http:   # in 5.x the HTTP settings below live under this key
  enabled: true
  ports: [80, 8080, 8000, 5000, 8002]
  send_all_headers: true
  include_body_for: ["text/html", "text/xml"]
  send_request: true
  send_response: true

packetbeat.template.json:
"http": {
  "properties": {
    "request": {
      "properties": {
        "body": {
          "norms": false,
          "type": "text"
        },
        "params": {
          "ignore_above": 1024,
          "type": "keyword"
        }
      }
    },
    "response": {
      "properties": {
        "body": {
          "ignore_above": 1024,
          "type": "keyword"
        },
        "code": {
          "ignore_above": 1024,
          "type": "keyword"
        },
        "phrase": {
          "ignore_above": 1024,
          "type": "keyword"
        }
      }
    }
  }
},

packetbeat.template-es2x.json:
"http": {
  "properties": {
    "request": {
      "properties": {
        "body": {
          "index": "analyzed",
          "norms": {
            "enabled": false
          },
          "type": "string"
        },
        "params": {
          "ignore_above": 1024,
          "index": "not_analyzed",
          "type": "string"
        }
      }
    },
    "response": {
      "properties": {
        "body": {
          "ignore_above": 1024,
          "index": "not_analyzed",
          "type": "string"
        },
        "code": {
          "ignore_above": 1024,
          "index": "not_analyzed",
          "type": "string"
        },
        "phrase": {
          "ignore_above": 1024,
          "index": "not_analyzed",
          "type": "string"
        }
      }
    }
  }
},

It seems that the problem was solved after running packetbeat/scripts/import_dashboards.

After that script, the .kibana index has a packetbeat index-pattern. Which is weird: why would the Kibana index need an index-pattern from Packetbeat to show HTTP packets in Kibana?

    "_index": ".kibana",
    "_type": "index-pattern",
    "_id": "packetbeat-*",
    "_score": 1,
    "_source": {
      "title": "packetbeat-*",
      "timeFieldName": "@timestamp",
      "fields":

You need the index pattern definition in Kibana simply to be able to select the right index. Perhaps you were looking in another index?
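A practical way to separate the two failure modes discussed in this thread (Packetbeat not producing HTTP events versus Kibana looking at the wrong index), as an added example that is not part of the thread and not Packetbeat's own code: write Packetbeat's events to a file (file output, or `packetbeat -e -d "publish"`) and run the script below over the JSON lines. It counts events per `type`, reports which HTTP fields are actually populated, and checks that the daily index name derived from `@timestamp` is matched by the title of the Kibana index-pattern document. The field names follow the 5.x template quoted above; the field-to-option mapping, the default `packetbeat-yyyy.MM.dd` index naming, and the sample events are assumptions constructed for illustration.

```python
"""Triage Packetbeat 5.x events before blaming Kibana.

Added example for this thread; it is not Packetbeat code. Field names follow
the 5.x template quoted in the thread; the field-to-option mapping and the
sample events are assumptions, constructed for illustration.
"""
import json
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample of newline-delimited JSON, shaped like what Packetbeat's
# file output writes. Values are made up; only the field layout matters.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2016-11-01T10:00:00.000Z", "type": "flow",
     "source": {"ip": "10.0.0.5"}, "dest": {"ip": "10.0.0.9"}},
    {"@timestamp": "2016-11-01T10:00:01.000Z", "type": "http",
     "method": "POST", "path": "/login", "status": "OK", "port": 8080,
     "http": {"request": {"headers": {"content-type": "application/x-www-form-urlencoded"}},
              "response": {"code": "302", "phrase": "Found",
                           "headers": {"location": "/"}}},
     "request": "POST /login HTTP/1.1\r\nHost: app\r\n\r\nuser=a&pass=b",
     "response": "HTTP/1.1 302 Found\r\nLocation: /\r\n\r\n"},
    {"@timestamp": "2016-11-01T10:00:02.000Z", "type": "http",
     "method": "GET", "path": "/", "status": "OK", "port": 80,
     "http": {"response": {"code": "200", "phrase": "OK"}}},
    {"@timestamp": "2016-11-01T10:00:03.000Z", "type": "dns",
     "query": "class IN, type A, example.com"},
])

# Constructed .kibana index-pattern document, shaped like the one quoted above.
KIBANA_INDEX_PATTERN = {
    "_index": ".kibana", "_type": "index-pattern", "_id": "packetbeat-*",
    "_source": {"title": "packetbeat-*", "timeFieldName": "@timestamp"},
}

# Which packetbeat.yml option (from the thread's config) is assumed to
# produce each HTTP field group; the mapping itself is an assumption.
FIELD_TO_OPTION = {
    "http.request.headers": "send_all_headers: true",
    "http.response.headers": "send_all_headers: true",
    "request": "send_request: true",
    "response": "send_response: true",
    "http.request.body": "include_body_for (content-type must match)",
    "http.response.body": "include_body_for (content-type must match)",
}


def get_path(event, dotted):
    """Return the value at a dotted path such as 'http.response.code', or None."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def parse_events(ndjson):
    """Parse newline-delimited JSON, failing loudly on a corrupt line."""
    events = []
    for n, line in enumerate(ndjson.splitlines(), 1):
        if line.strip():
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError as exc:
                raise ValueError(f"line {n} is not JSON: {exc}") from None
    return events


def triage(ndjson):
    """Count events per type and report which HTTP fields are populated."""
    events = parse_events(ndjson)
    by_type = Counter(e.get("type", "<missing>") for e in events)
    http_events = [e for e in events if e.get("type") == "http"]
    coverage = {f: sum(1 for e in http_events if get_path(e, f) is not None)
                for f in FIELD_TO_OPTION}
    hints = []
    if not http_events:
        hints.append("no type:http events at all: check the ports list and "
                     "the sniffed interface before looking at Kibana")
    else:
        for field, option in FIELD_TO_OPTION.items():
            if coverage[field] == 0:
                hints.append(f"{field} never populated: check {option}")
    return {"by_type": dict(by_type), "http_events": len(http_events),
            "coverage": coverage, "hints": hints}


def index_for(event):
    """Daily index an event lands in, assuming the default packetbeat-yyyy.MM.dd naming."""
    day = event["@timestamp"][:10].replace("-", ".")
    return f"packetbeat-{day}"


def unmatched_indices(pattern_doc, ndjson):
    """Indices the events would be written to that the Kibana pattern title does not match."""
    title = pattern_doc["_source"]["title"]
    indices = {index_for(e) for e in parse_events(ndjson) if "@timestamp" in e}
    return sorted(i for i in indices if not fnmatchcase(i, title))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVENTS
    print(json.dumps(triage(data), indent=2))
    print("indices not covered by Kibana pattern:",
          unmatched_indices(KIBANA_INDEX_PATTERN, data))
```

If `triage` reports zero `type:http` events, the problem is on the capture side (wrong interface, a port not in the list, or TLS traffic, which Packetbeat cannot decode) and no Kibana change will help. If HTTP events are present but `unmatched_indices` is non-empty, Kibana is simply pointed at the wrong index pattern, which is the situation the reply above describes.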
