Packetbeat not sending logs to Logstash

Alright, the most basic potential problem.

I have packetbeat on an Arch Linux system; the beats package for Arch is currently 8.1.3. My ELK stack server is running 8.2.x.

I don't believe this is the problem, because the docs say that this version of packetbeat is compatible with the version of Logstash I am running. I wanted to put this here anyway, just in case.

This is my Logstash configuration; it is working for Filebeat, but not Packetbeat.
(Do I need a separate config file for each Beat I am using?)

Another note: Filebeat is running on the ELK server, whereas Packetbeat is on a separate system (but located on the same network).

input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://10.0.0.48:9200"
      pipeline => "%{[@metadata][pipeline]}"
      #user => "elastic"
      #password => "password"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
    }
  } else {
    elasticsearch {
      hosts => "10.0.0.48"
      #user => "elastic"
      #password => "password"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
    }
  }
}



Checking the real-time journal for packetbeat, it doesn't appear as if it is getting any information:

journalctl --follow -u packetbeat.service
Jun 30 14:07:29 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:07:59 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:08:29 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:08:59 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:09:29 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:09:59 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:10:29 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:10:59 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:11:29 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549
Jun 30 14:11:59 scarecrow packetbeat[26549]: fetching V2 controller: []string{"memory", "pids\n"} for pid 26549

Packetbeat configuration file is:

#################### Packetbeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The packetbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/packetbeat/index.html

# =============================== Network device ===============================

# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet


# The network CIDR blocks that are considered "internal" networks for
# the purpose of network perimeter boundary classification. The valid
# values for internal_networks are the same as those that can be used
# with processor network conditions.
#
# For a list of available values see:
# https://www.elastic.co/guide/en/beats/packetbeat/current/defining-processors.html#condition-network
packetbeat.interfaces.internal_networks:
  - unspecified

# =================================== Flows ====================================

# Set `enabled: false` or comment out all options to disable flows reporting.
packetbeat.flows:

  enabled: true 
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s

  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s

# =========================== Transaction protocols ============================

packetbeat.protocols:
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. The default is true.
  enabled: true

- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]

- type: cassandra
  # Configure the ports where to listen for Cassandra traffic. You can disable
  # the Cassandra protocol by commenting out the list of ports.
  ports: [9042]

- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [67, 68]

- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]

- type: memcache
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
  ports: [11211]

- type: mysql
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
  ports: [3306,3307]

- type: pgsql
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
  ports: [5432]

- type: redis
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
  ports: [6379]

- type: thrift
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
  ports: [9090]

- type: mongodb
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
  ports: [27017]

- type: nfs
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
  ports: [2049]

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports: [443, 993, 995, 5223, 8443, 8883, 9243]
  #  - 443   # HTTPS
  #  - 993   # IMAPS
  #  - 995   # POP3S
  #  - 5223  # XMPP over SSL
  #  - 8443
  #  - 8883  # Secure MQTT
  #  - 9243  # Elasticsearch

- type: sip
  # Configure the ports where to listen for SIP traffic. You can disable
  # the SIP protocol by commenting out the list of ports.
  ports: [5060]

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# A list of tags to include in every event. In the default configuration file
# the forwarded tag causes Packetbeat to not add any host fields. If you are
# monitoring a network tap or mirror port then add the forwarded tag.
#tags: [forwarded]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "http://10.0.0.48:5601"
 

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["10.0.0.48:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "pass"

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.0.0.48:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors ================================
# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Packetbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: true

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Packetbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the packetbeat.
#instrumentation:
    # Set to true to enable instrumentation of packetbeat.
    #enabled: false

    # Environment in which packetbeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

I am very new to the ELK stack and just recently managed to get filebeat working. I'm certain that whatever I am doing wrong is most likely a noob/stupid issue. However, I have watched every video I can find, followed every Google search, and I just can't seem to find what I am doing wrong.

When I check my setup, it is giving me a "Config OK".

Sincerely appreciate any assistance in advance!

What I would try ... I have had to fiddle with Packetbeat before....

I would comment out the Logstash output and just write to the console to see if you are collecting anything, and manually start Packetbeat. Then, if so, send to Elasticsearch directly ... then, if working, send through Logstash (just a suggestion):

output.console:
  pretty: true

Also, did you run setup for Packetbeat while pointing to Elasticsearch, before you connected it to Logstash? This is essential to get the correct templates, dashboards, etc. loaded into Elasticsearch.

Also, have you looked at the Packetbeat logs?

Also, your Logstash pipeline looks pretty good, but there is some inconsistency:

      hosts => "http://10.0.0.48:9200" <!-- Correct 
      ....
      hosts => "10.0.0.48" <!-- Not so much
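The scheme/port inconsistency flagged above can be caught mechanically before Logstash is restarted. The following Python script is an added example written for this thread, not code from the original post or from Elastic. It takes a constructed copy of the two `elasticsearch` output blocks as input (embedded inline, so it runs offline), reports every `hosts` entry that lacks a scheme or a port, and flags output blocks whose scheme/port combinations disagree with each other.

```python
import re

# Constructed sample modelled on the two output blocks in the thread:
# one with a full URL, one with a bare IP. Not read from a real pipeline file.
SAMPLE_PIPELINE = '''
output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://10.0.0.48:9200"
      manage_template => false
    }
  } else {
    elasticsearch {
      hosts => "10.0.0.48"
      manage_template => false
    }
  }
}
'''

# `hosts => "..."` or `hosts => ["...", "..."]`
HOSTS_RE = re.compile(r'hosts\s*=>\s*(\[[^\]]*\]|"[^"]*")')
# A well-formed entry: explicit scheme, host (or bracketed IPv6), explicit port.
URL_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^:/]+|\[[^\]]+\]):(?P<port>\d+)/?$')


def extract_hosts(config_text):
    """Return every hosts value in order of appearance, list forms flattened."""
    found = []
    for m in HOSTS_RE.finditer(config_text):
        found.extend(re.findall(r'"([^"]*)"', m.group(1)))
    return found


def check_host(value):
    """Return the problems with one hosts entry (empty list means it is fine)."""
    if URL_RE.match(value):
        return []
    problems = []
    if '://' not in value:
        problems.append('missing scheme (http:// or https://)')
    if not re.search(r':\d+/?$', value):
        problems.append('missing port (Elasticsearch default is 9200)')
    if not problems:
        problems.append('unparseable host value')
    return problems


def lint_hosts(config_text):
    """Map each hosts entry to its problems; add a '_consistency' note when
    the parseable entries do not all share one scheme/port pair."""
    report = {h: check_host(h) for h in extract_hosts(config_text)}
    endpoints = set()
    for h in report:
        m = URL_RE.match(h)
        if m:
            endpoints.add((m.group('scheme'), m.group('port')))
    if len(endpoints) > 1:
        report['_consistency'] = [
            'output blocks use different scheme/port combinations: %s' % sorted(endpoints)
        ]
    return report


if __name__ == '__main__':
    for entry, problems in lint_hosts(SAMPLE_PIPELINE).items():
        print(entry, '->', 'OK' if not problems else '; '.join(problems))
```

Run against the constructed sample it reports the first entry as OK and the bare `10.0.0.48` as missing both scheme and port; Logstash would still accept the bare value, but spelling every entry out the same way is what makes the two branches behave identically.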

Thank you!

I isolated the issue, but I am unsure how to fix it. The system with packetbeat is trying to import Kibana stuff from a directory on the same system. This packetbeat is standalone; the Kibana info is on the ELK server. Here is the error I am receiving:

Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/kibana: No directory /home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/kibana/7

:slight_smile: Moar Info Please.

How did you install packetbeat (tar, deb, etc.)?

Show the full command you are running for setup... and where are you running it from...

Are you following the Quickstart instructions carefully? See here

Just saw this... That makes no sense... packetbeat has local info with assets that get loaded into Elasticsearch... if you just put the binary on a host it will be missing those.

I'll get everything in one moment. I did manage to get it all working by commenting out everything related to Kibana.

I'm just happy I am capturing packets now! Going to backtrack and see if I can figure it out on my own from here. I'll keep you posted!

Packetbeat is running on Arch, so the installation was a bit of a pain xD Currently, the repo for Arch Linux installs Mage incorrectly. (Probably unnecessary info Dx)

This is what I have documented for Packetbeat installation. I am aware I need to go back over it, however. (Now that I know Kibana was the issue)


Download and extract Packetbeat:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mkdir aur
cd aur
git clone https://aur.archlinux.org/beats.git
cd beats
makepkg -s


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Install dependencies if it doesn't on its own:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo pacman -S python-virtualenv
sudo pacman -S rsync

cd aur

yay -S mage
cd mage
makepkg -s

cd ..
cd beats

makepkg -s
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Take note of where your config files are located (most likely in an src folder of your current directory):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/packetbeat.yml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Configure packetbeat:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo nano /home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/packetbeat.yml

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.0.0.132:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "pass"


# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "10.0.0.132:5601"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Test your config file:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo ./packetbeat test config -e
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Setup packetbeat:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
packetbeat setup -e
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start packetbeat:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo systemctl start packetbeat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make sure it's running:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo systemctl status packetbeat

┌──(scarecrow👻scarecrow)-[~/…/beats/src/beats-8.1.3/packetbeat]
└─$ sudo systemctl status packetbeat
● packetbeat.service - Real-Time Packet Analyzer
     Loaded: loaded (/usr/lib/systemd/system/packetbeat.service; disabled; vendor preset: disa>
     Active: active (running) since Fri 2022-06-24 17:59:40 EDT; 19s ago
       Docs: https://www.elastic.co/guide/en/beats/packetbeat/current/index.html
   Main PID: 156285 (packetbeat)
      Tasks: 19 (limit: 18427)
     Memory: 28.1M
        CPU: 69ms
     CGroup: /system.slice/packetbeat.service
             └─156285 /usr/bin/packetbeat -c /etc/packetbeat/packetbeat.yml -path.home /usr/sh>

Jun 24 17:59:40 scarecrow systemd[1]: Started Real-Time Packet Analyzer.
Jun 24 18:00:13 scarecrow packetbeat[156285]: fetching V2 controller: []string{"memory", "pids>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK Good. Oh... we crossed in the Internet ... ^^^^^ That looks pretty good as long as you are getting setup to run... See below why

So you can always just install packetbeat somewhere else and install the assets... it does not have to be from the machine that you are collecting from...

BUT if you did not run setup / load the index template the data / schema will not be correct and the data will not be correct / easy to work with / right data types etc... etc..

packetbeat setup --index-management

So if you are running without running setup... you will need to clean up then run setup and then start again.

Wait!?

I can monitor network traffic on a separate system, without installing packetbeat on that system?!

I was under the impression that I had to install the beats package on each system I intended to monitor.

Nope I did not say that... did I?

packetbeat needs to be on the monitored system / host.

I misread, I understand what you are saying now xD

When I run the setup, it says config OK, but it wasn't xD lol

So sending through logstash is fine too... if you want to use it as a collect and forward but not needed...

It would look like:

input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://10.0.0.48:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      pipeline => "%{[@metadata][pipeline]}" 
      user => "elastic"
      password => "secret"
    }
  } else {
    elasticsearch {
      hosts => "http://10.0.0.48:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      user => "elastic"
      password => "secret"
    }
  }
}

Yes I am using Logstash, I currently have filebeat working correctly with it, and now I have Packetbeat (Supposedly) doing the same.

I go to the location of Packetbeat on the system I am monitoring. I run sudo packetbeat -e

It says it is connected, and it is showing logs within the terminal, but when I go into Kibana -> Logs only filebeat logs are present. I am not seeing anything from Packetbeat.

If you wouldn't mind, what am I overlooking here? I disabled all options for Kibana. I am using Logstash as the output, so I should be able to see logs within Kibana, correct?

Note* I am not currently trying for fancy visualizations, I just want to see the logs within the log tab.

Here is what my terminal is showing me.

┌──(scarecrow👻scarecrow)-[~/…/beats/src/beats-8.1.3/packetbeat]
└─$ sudo packetbeat -e      
[sudo] password for scarecrow: 
{"log.level":"info","@timestamp":"2022-07-01T21:38:21.981-0400","log.origin":{"file.name":"instance/beat.go","file.line":669},"message":"Home path: [/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat] Config path: [/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat] Data path: [/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/data] Logs path: [/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/logs]","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.004-0400","log.origin":{"file.name":"instance/beat.go","file.line":677},"message":"Beat ID: d8a91a15-96c6-4fab-84e9-441d1e4a79d4","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.005-0400","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.005-0400","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1047},"message":"Beat info","service.name":"packetbeat","system_info":{"beat":{"path":{"config":"/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat","data":"/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/data","home":"/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat","logs":"/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat/logs"},"type":"packetbeat","uuid":"d8a91a15-96c6-4fab-84e9-441d1e4a79d4"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.005-0400","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Build info","service.name":"packetbeat","system_info":{"build":{"commit":"unknown","libbeat":"8.1.3","time":"1754-08-30T22:43:41.128Z","version":"8.1.3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.005-0400","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1059},"message":"Go runtime info","service.name":"packetbeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":16,"version":"go1.18.3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.005-0400","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1063},"message":"Host info","service.name":"packetbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-07-01T21:20:36-04:00","containerized":false,"name":"scarecrow","ip":["127.0.0.1/8","::1/128","10.0.0.241/24","2601:541:300:5d40::e18c/128","2601:541:300:5d40:8d6:c61d:7e1a:b7d/64","fe80::ca5e:e2e:5f92:8af9/64"],"kernel_version":"5.18.5-arch1-1","mac":["04:42:1a:d3:24:4d","90:e8:68:5d:0d:43"],"os":{"type":"linux","family":"","platform":"arch","name":"Arch Linux","version":"","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"b4a7daa2c15144f0973ca94f2b5cfb77"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.005-0400","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1092},"message":"Process info","service.name":"packetbeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/home/scarecrow/aur/beats/src/beats-8.1.3/packetbeat","exe":"/usr/bin/packetbeat","name":"packetbeat","pid":4377,"ppid":4376,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2022-07-01T21:38:21.730-0400"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.005-0400","log.origin":{"file.name":"instance/beat.go","file.line":323},"message":"Setup Beat: packetbeat; Version: 8.1.3","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.006-0400","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: scarecrow","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.006-0400","log.origin":{"file.name":"procs/procs.go","file.line":103},"message":"Process watcher disabled","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-07-01T21:38:22.007-0400","log.logger":"cfgwarn","log.origin":{"file.name":"sip/plugin.go","file.line":67},"message":"BETA: packetbeat SIP protocol is used","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.007-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.007-0400","log.origin":{"file.name":"instance/beat.go","file.line":489},"message":"packetbeat start running.","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:22.007-0400","log.origin":{"file.name":"procs/procs.go","file.line":103},"message":"Process watcher disabled","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-07-01T21:38:22.008-0400","log.logger":"cfgwarn","log.origin":{"file.name":"sip/plugin.go","file.line":67},"message":"BETA: packetbeat SIP protocol is used","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:28.347-0400","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":139},"message":"Connecting to backoff(async(tcp://10.0.0.48:5044))","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-07-01T21:38:28.348-0400","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":147},"message":"Connection to backoff(async(tcp://10.0.0.48:5044)) established","service.name":"packetbeat","ecs.version":"1.6.0"}
fetching V2 controller: []string{"memory", "pids\n"} for pid 4377
{"log.level":"info","@timestamp":"2022-07-01T21:38:52.009-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"packetbeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"vte-spawn-be80d92b-a1cf-4a40-aee1-fbe9daaf6f25.scope"},"memory":{"id":"vte-spawn-be80d92b-a1cf-4a40-aee1-fbe9daaf6f25.scope","mem":{"usage":{"bytes":46178304}}}},"cpu":{"system":{"ticks":30,"time":{"ms":35}},"total":{"ticks":80,"time":{"ms":88},"value":80},"user":{"ticks":50,"time":{"ms":53}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":10},"info":{"ephemeral_id":"8f250dda-d89a-459d-bc20-56406240b09c","uptime":{"ms":30057},"version":"8.1.3"},"memstats":{"gc_next":18166760,"memory_alloc":11841672,"memory_sys":30318694,"memory_total":26047832,"rss":103923712},"runtime":{"goroutines":67}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":111,"active":0,"batches":7,"total":111},"read":{"bytes":42},"type":"logstash","write":{"bytes":18687}},"pipeline":{"clients":30,"events":{"active":0,"published":111,"retry":8,"total":111},"queue":{"acked":111,"max_events":4096}}},"system":{"cpu":{"cores":16},"load":{"1":2.29,"15":2.36,"5":2.93,"norm":{"1":0.1431,"15":0.1475,"5":0.1831}}}},"ecs.version":"1.6.0"}}
fetching V2 controller: []string{"memory", "pids\n"} for pid 4377
{"log.level":"info","@timestamp":"2022-07-01T21:39:22.009-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"packetbeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":6914048}}}},"cpu":{"system":{"ticks":50,"time":{"ms":17}},"total":{"ticks":160,"time":{"ms":80},"value":160},"user":{"ticks":110,"time":{"ms":63}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":10},"info":{"ephemeral_id":"8f250dda-d89a-459d-bc20-56406240b09c","uptime":{"ms":60057},"version":"8.1.3"},"memstats":{"gc_next":16130648,"memory_alloc":13621504,"memory_sys":5242880,"memory_total":46204088,"rss":109547520},"runtime":{"goroutines":67}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":256,"active":0,"batches":12,"total":256},"read":{"bytes":72},"write":{"bytes":35928}},"pipeline":{"clients":30,"events":{"active":0,"published":256,"total":256},"queue":{"acked":256}}},"system":{"load":{"1":1.78,"15":2.32,"5":2.75,"norm":{"1":0.1113,"15":0.145,"5":0.1719}}}},"ecs.version":"1.6.0"}}
fetching V2 controller: []string{"memory", "pids\n"} for pid 4377
{"log.level":"info","@timestamp":"2022-07-01T21:39:52.009-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"packetbeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":196608}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":260,"time":{"ms":95},"value":260},"user":{"ticks":210,"time":{"ms":95}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":10},"info":{"ephemeral_id":"8f250dda-d89a-459d-bc20-56406240b09c","uptime":{"ms":90058},"version":"8.1.3"},"memstats":{"gc_next":16739864,"memory_alloc":6912064,"memory_sys":262144,"memory_total":69065096,"rss":109109248},"runtime":{"goroutines":67}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":274,"active":0,"batches":14,"total":274},"read":{"bytes":84},"write":{"bytes":37344}},"pipeline":{"clients":30,"events":{"active":0,"published":274,"total":274},"queue":{"acked":274}}},"system":{"load":{"1":1.2,"15":2.25,"5":2.51,"norm":{"1":0.075,"15":0.1406,"5":0.1569}}}},"ecs.version":"1.6.0"}}
fetching V2 controller: []string{"memory", "pids\n"} for pid 4377
{"log.level":"info","@timestamp":"2022-07-01T21:40:22.009-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"packetbeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":1667072}}}},"cpu":{"system":{"ticks":50,"time":{"ms":3}},"total":{"ticks":330,"time":{"ms":81},"value":330},"user":{"ticks":280,"time":{"ms":78}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":10},"info":{"ephemeral_id":"8f250dda-d89a-459d-bc20-56406240b09c","uptime":{"ms":120057},"version":"8.1.3"},"memstats":{"gc_next":18176680,"memory_alloc":10218576,"memory_total":89268304,"rss":110186496},"runtime":{"goroutines":67}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":269,"active":0,"batches":12,"total":269},"read":{"bytes":72},"write":{"bytes":35975}},"pipeline":{"clients":30,"events":{"active":1,"published":270,"total":270},"queue":{"acked":269}}},"system":{"load":{"1":1.12,"15":2.22,"5":2.38,"norm":{"1":0.07,"15":0.1388,"5":0.1488}}}},"ecs.version":"1.6.0"}}
fetching V2 controller: []string{"memory", "pids\n"} for pid 4377
{"log.level":"info","@timestamp":"2022-07-01T21:40:52.010-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"packetbeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":-1073152}}}},"cpu":{"system":{"ticks":60,"time":{"ms":9}},"total":{"ticks":420,"time":{"ms":83},"value":420},"user":{"ticks":360,"time":{"ms":74}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":10},"info":{"ephemeral_id":"8f250dda-d89a-459d-bc20-56406240b09c","uptime":{"ms":150057},"version":"8.1.3"},"memstats":{"gc_next":16859192,"memory_alloc":9568560,"memory_total":109608424,"rss":108879872},"runtime":{"goroutines":67}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":277,"active":0,"batches":12,"total":277},"read":{"bytes":72},"write":{"bytes":36240}},"pipeline":{"clients":30,"events":{"active":2,"published":278,"total":278},"queue":{"acked":277}}},"system":{"load":{"1":1.04,"15":2.18,"5":2.25,"norm":{"1":0.065,"15":0.1363,"5":0.1406}}}},"ecs.version":"1.6.0"}}
fetching V2 controller: []string{"memory", "pids\n"} for pid 4377
{"log.level":"info","@timestamp":"2022-07-01T21:41:22.009-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"packetbeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":1204224}}}},"cpu":{"system":{"ticks":70,"time":{"ms":14}},"total":{"ticks":470,"time":{"ms":55},"value":470},"user":{"ticks":400,"time":{"ms":41}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":10},"info":{"ephemeral_id":"8f250dda-d89a-459d-bc20-56406240b09c","uptime":{"ms":180059},"version":"8.1.3"},"memstats":{"gc_next":16395048,"memory_alloc":11689064,"memory_total":122701280,"rss":110518272},"runtime":{"goroutines":67}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":196,"active":0,"batches":7,"total":196},"read":{"bytes":54},"write":{"bytes":25957}},"pipeline":{"clients":30,"events":{"active":0,"published":194,"total":194},"queue":{"acked":196}}},"system":{"load":{"1":1.01,"15":2.14,"5":2.13,"norm":{"1":0.0631,"15":0.1338,"5":0.1331}}}},"ecs.version":"1.6.0"}}

Browsing should be logged, correct?

I'm confused for two reasons.

  1. I am not seeing any network traffic when I browse the web.
  2. The "non-metric" alerts for filebeat are displayed within the Logs tab, but not for packetbeat.

Again, I apologize for my ignorance; I have read and reread the docs. I'm struggling Dx

Yup, you are confusing / conflating different things...

  1. If you go to Kibana Discover and set the index pattern to packetbeat-*, do you see data coming in?

  2. I am not sure why you are expecting the packetbeat logs to show up... not unless you set something (filebeat) up to harvest them... we can get back to that later, don't get distracted with that. Right now... you are conflating two non-related things.

  3. I think you are sending data...

See these... seems like packetbeat is sending data.

active":0,"batches":14,"total":274},"read":{"bytes":84},"write":{"bytes":37344}},"pipeline":{"clients":30,"events":{"active":0,"published":274,"total":274},

Go check Discover... and report back.

Also, are you sure you are actually sniffing the right devices... What OS are you running this on?

Did you run
./packetbeat devices

Are you sure this is correct for your system?

packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet

Also, there will be no maps for internally originated IPs, as they cannot be geo-mapped.

But you should see flows.

I just set up and ran on the Mac... just set the correct device.
On the Mac, packetbeat had to run as root.
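
The reply above reads the "Non-zero metrics in the last 30s" records to conclude that packetbeat is shipping data. The script below is an added example, not code from the thread or from Elastic, that automates that reading: it pulls the libbeat pipeline/output counters out of the journal output, skips the "fetching V2 controller" noise and any non-monitoring record, and gives a verdict that separates "nothing captured" (wrong interface or not root) from "captured but not acknowledged" (output not reachable) from "shipping". The journal lines embedded in it are constructed for the example in the same shape as the ones posted above; the counter names (libbeat.output.events.acked/failed/dropped, libbeat.pipeline.events.published) are the standard libbeat monitoring fields.

```python
"""Added example (not from the thread): decide from Packetbeat's own
monitoring records whether it is capturing and whether the output is ACKing.

Usage:  journalctl -u packetbeat.service --no-pager | python3 check_packetbeat.py
"""
import json
import sys


def parse_metrics_line(line):
    """Return the monitoring.metrics dict for one journal line, or None for
    anything that is not a JSON monitoring record: the 'fetching V2
    controller' debug lines, the systemd prefix, other log messages."""
    start = line.find("{")            # journalctl prefixes the JSON with date/host/unit
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except json.JSONDecodeError:      # e.g. the Go-syntax []string{...} debug line
        return None
    if rec.get("log.logger") != "monitoring":
        return None
    return rec.get("monitoring", {}).get("metrics", {})


def summarize_monitoring(lines):
    """Aggregate the per-30s counters and return (totals, verdict)."""
    totals = {"windows": 0, "published": 0, "acked": 0, "failed": 0, "dropped": 0}
    for line in lines:
        metrics = parse_metrics_line(line)
        if metrics is None:
            continue
        libbeat = metrics.get("libbeat", {})
        out_ev = libbeat.get("output", {}).get("events", {})
        pipe_ev = libbeat.get("pipeline", {}).get("events", {})
        totals["windows"] += 1
        totals["published"] += pipe_ev.get("published", 0)   # captured & queued
        totals["acked"] += out_ev.get("acked", 0)             # confirmed by Logstash/ES
        totals["failed"] += out_ev.get("failed", 0)
        totals["dropped"] += out_ev.get("dropped", 0)

    if totals["windows"] == 0:
        verdict = "no monitoring records: is packetbeat running and logging at info level?"
    elif totals["published"] == 0:
        verdict = ("nothing captured: check 'packetbeat devices', "
                   "packetbeat.interfaces.device, and that it runs as root")
    elif totals["failed"] or totals["dropped"]:
        verdict = "output errors: events failed or dropped, check the Logstash output section"
    elif totals["acked"] == 0:
        verdict = "captured but nothing acked: Logstash on :5044 not reachable or not ACKing"
    else:
        verdict = "shipping: events are acked, look under packetbeat-* in Discover"
    return totals, verdict


# Constructed sample journal output (same shape as the thread's lines, trimmed).
SAMPLE_HEALTHY = [
    'Jul 01 21:39:22 scarecrow packetbeat[4377]: fetching V2 controller: '
    '[]string{"memory", "pids\\n"} for pid 4377',
    'Jul 01 21:39:22 scarecrow packetbeat[4377]: {"log.level":"info","log.logger":"monitoring",'
    '"message":"Non-zero metrics in the last 30s","monitoring":{"metrics":{"libbeat":{'
    '"output":{"events":{"acked":256,"active":0,"batches":12,"total":256}},'
    '"pipeline":{"events":{"active":0,"published":256,"total":256}}}}}}',
    'Jul 01 21:39:52 scarecrow packetbeat[4377]: {"log.level":"info","log.logger":"monitoring",'
    '"message":"Non-zero metrics in the last 30s","monitoring":{"metrics":{"libbeat":{'
    '"output":{"events":{"acked":274,"active":0,"batches":14,"total":274}},'
    '"pipeline":{"events":{"active":0,"published":274,"total":274}}}}}}',
]

# Constructed: packets captured, but the output never acknowledges them.
SAMPLE_STALLED = [
    'Jul 01 21:39:22 scarecrow packetbeat[4377]: {"log.level":"info","log.logger":"monitoring",'
    '"message":"Non-zero metrics in the last 30s","monitoring":{"metrics":{"libbeat":{'
    '"output":{"events":{"acked":0,"active":120,"batches":3,"total":120}},'
    '"pipeline":{"events":{"active":120,"published":120,"total":120}}}}}}',
    'Jul 01 21:39:23 scarecrow packetbeat[4377]: {"log.level":"info","log.logger":"other",'
    '"message":"constructed non-monitoring record, must be ignored"}',
]


if __name__ == "__main__":
    totals, verdict = summarize_monitoring(sys.stdin)
    print(totals)
    print(verdict)
```

Pipe the journal into it as shown in the docstring. A "shipping" verdict with a non-zero acked count means the problem is on the Kibana side (index pattern, Logs settings), exactly the distinction the reply is drawing; "nothing captured" points back at packetbeat.interfaces.device and privileges.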

Okay, so within Discover I am seeing the packetbeat data now. How would I get it to display in Logs the way filebeat does?

Thanks again!

Well, that is not really the intention, as you would probably be able to see more in Discover etc., and you can just set it to refresh every 10s.

Are you aware of Saved Searches in Discover... it is what most people look at flow data in... not Logs Viewer... Something like...

BTW, I was playing with tweaking Logs Viewer... it does not like combining packetbeat and logs data together; not sure if a bug or design... I will take a look at it later.

You can go under Logs, Settings and set packetbeat-* as the index pattern, but if you try both filebeat-* and packetbeat-* it did not work for me.
