Hi all
After spending a few days trying to get Logstash working with
codec => netflow {
versions => [5,9,10]
}
I gave up because, although tcpdump was able to see the flow data being received, Logstash was listening but not capturing/writing. I came across Packetbeat and decided to use that instead.
I have followed the official Packetbeat documentation but am still unable to get it working. It has been overwhelming, hence I want to start fresh on a newly built server for testing with a minimal setup.
Can someone please advise on the following?
- As the documentation suggests at https://www.elastic.co/guide/en/beats/packetbeat/current/load-kibana-dashboards.html, am I OK to have only Packetbeat and Kibana installed and view the live tcpdump data from an Ethernet interface, or are Elasticsearch and Logstash also required?
- I want to view the output using the Kibana API web page from the server capturing tcpdump, which is accessible via an IP address only (no console access). Which configuration directive needs changing with the IP address of the server in the config file of Packetbeat or Kibana?
- Please post a minimal sample config for a basic setup.
The current server is running CentOS Linux 7 (Core) with the following packages:
elasticsearch.noarch 6.2.3-1 installed
filebeat.x86_64 6.2.3-1 @logstash-6.x
logstash.noarch 1:6.2.3-1 @logstash-6.x
packetbeat.x86_64 6.2.3-1 @logstash-6.x
kibana.x86_64 6.2.3-1 installed