Packetbeat installation issues

Elastic Stack Beats
1

I have installed Elastic search and Kibana on Fedora 27 and got them to work. But I would like to do network monitoring with packetbeat. When I follow the rpm install instructions as per : https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation.html
The bin file gets installed under /etc/packetbeat but the packetbeat.yml file under /home/user/packetbeat.
then I was unable to run ./packetbeat to import index or set up dashboards. as they weren't in the same dir.

So I downloaded the linux tar file extracted that to a dir in the /home/usr and hey presto the .yml and bin files were in the same dir so I could run a few commands. But now I can't import index nor the dashboard. Yes I have x-pack installed and yes I have set the usernames and password in the yml accordingly?

All help appreciated.

2

Which packetbeat version have you installed?

You changed packetbeat version when using the tarball?

How exactly do you run packetbeat by now?

Can you try to run packetbeat in foreground with -e -v -d '*' to print debug logs? Please share debug logs

3

That was done on a clean install on Fedora 27 so no upgrade just the version as per install instructions from: curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-6.1.1-amd64.deb so it would be version 6.1.1. I have now formatted the hard drive that it was installed on but later today I will be installing Ubuntu desktop and then try again and see if the .yml file is in the same dir as bin.
Can you please explain a bit more as to how to get the debug log files? ./packetbeat -e -v -d '*'. Would this then print the log to the terminal?

4

Right, A fresh install of Ubuntu 16.04.3 only sudo apt-get updates and upgrade run. NO other install e.g kibana or x-pack. then run
sudo apt-get install libpcap0.8
sudo yum install curl
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-6.1.1-amd64.deb
sudo dpkg -i packetbeat-6.1.1-amd64.deb
etc_packetbeatuser share
etc_packetbeatuser share

and as per screenshot the .yml file and bin files are in different dir .yml in /etc/packetbeat
bin in /usr/share/packetbeat

5

That's correct. The binary and other files are stored in /usr/share/packetbeat, while the config files are stored in /etc/packetbeat. For linux installs using rpm/deb we also install a packetbeat wrapper script into /usr/bin, configuring the correct paths. Don't run packetbeat from /usr/share/packetbeat/bin. You can set the config file to use via -c <path/to/config/file>.

6

Hi Steffen

Really appreciate your help on this, but I am as confused as ever regarding this apology I am a newbie to packetbeat I must admit. What is this wrapper script called in /usr/bin?

And how would I set the path? and what to set it too? via -c <path/to/config/file>

Reagrds

Harry

7

With 6.1 the wrapper script is called packetbeat (given you installed via rpm/deb packet). That is, do not switch to /usr/share/packetbeat/bin and don't run ./packetbeat from this directory.

The script provided in /usr/bin/packetbeat sets up the path and will run /usr/share/packetbeat/bin/packetbeat -c /etc/packetbeat/packetbeat.yml for you.

Just switch to your home directory and test packetbeat by running:

$ packetbeat -e -v -d '*'

This will start packetbeat in debug mode.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.