Packetbeat doesn't start on windonws

Maher_Ben_Taleb_Ali · May 20, 2016, 4:12pm

Hi,

I just installed packetbeat on windows.
and I tested it on ubutnu with the same configs and it worked fine.

I am using the standard config.
I when I use Start-Service packetbeat. it doesn't work, and there is no log file.

Note that I have restrictions on my PowerShell and I when I start I make it 'Set-ExecutionPolicy unrestricted'.

Is there any clue?
If any other information is needed, just ask me.

Thank you!

andrewkroh · May 20, 2016, 4:20pm

Try running Packetbeat in the foreground from a console and not as a service. This will hopefully provide you with an error that you can correct.

PS > .\packetbeat.exe -c packetbeat.yml -e -v -d "*"

https://www.elastic.co/guide/en/beats/packetbeat/current/_getting_help.html

Maher_Ben_Taleb_Ali · May 20, 2016, 5:44pm

It's seems working well on the terminal. It shows all the data .

But in elasticsearch I get 0 hits : http://localhost:9200/packetbeat-*/_search?

output:

Elasticsearch as output

elasticsearch:
# Array of hosts to connect to.
# Scheme and port can be left out and will be set to the default (http and 9200)
# In case you specify and additional path, the scheme is required: http://localhost:9200/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
hosts: ["localhost:9200"]

andrewkroh · May 20, 2016, 11:52pm

Can you please post some logs from Packetbeat.

Maher_Ben_Taleb_Ali · May 23, 2016, 8:12am

Sorry for taking a lot of time.

it seems that there are some data in the logs...

Maher_Ben_Taleb_Ali · May 23, 2016, 1:42pm

Hi,
I got the problem!!

packetbeat is working well, but data are sent too late to logstash. (about 4 min later)
what seems to me, that on windows , packetbeat is analysing a lot of udp packets.
I only configured the http protocol in the .yml

I really need help

andrewkroh · May 23, 2016, 2:36pm

The one screenshot you posted contained an warning that occurred while indexing an event to Elasticsearch. It says that it cannot index the event (status=400)... No handler for type [keyword] declared on field real_ip.

What version of Elasticsearch are you using? By default, Packetbeat 5.x expects you to be using Elasticsearch 5.x and it installs an index template that is only compatible with ES 5.x. You need to stop Packetbeat, delete the index template, delete the index, install the correct index template, and then restart Packetbeat.

Stop Packetbeat.
Change the config file to point to the template for ES 2.x. Set the path to point to packetbeat.template-es2x.json which is included with the download.
Delete the index template.
Delete the packetbeat indexes you created.
Start up Packetbeat which will install the ES 2.x index template

Are you sure you don't have flows enabled -- Configure flows to monitor network traffic | Packetbeat Reference [master] | Elastic

This would cause Packetbeat to capture everything.