Hi All,
Is it possible to configure PacketBeat to capture all the traffic the box is having.
except few exception traffic.
and then report in Kibana which box is not having any traffic.
The goal is to find out which box is doing nothing in our estate, hence if it can be decommissioned.
Last time my team checked, we were able to collect specific traffic, by mentioning the port we were looking for.
however in our case we want the other way around, which is collect everything except some port.
Thanks for your reply, do you know the default for packetbeat.interfaces.bpf_filter ?
also according to https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-interfaces.html : This setting disables automatic generation of the BPF filter. If you use this setting, it’s your responsibility to keep the BPF filters in sync with the ports defined in the protocols section.
I did some testing yesterday and it looks like by default packetbeat captures all the traffic "flow" on all the ports even on the ports that are not defined in the known "protocols" section.
I tried some tcp & udp connections randomly on port 65000, 3333 ,3334 and they all reported to the "flows" section in the packetbeat dashboard in kibana.
now I just need to find a way to blacklist some flow, I guess I can do this in kibana/elasticsearch instead of doing it in packetbeat.
@frenchy59 yes if you want to avoid maintaining bpf filter, which is reasonable way I guess. I would suggest using drop_event processor on winlogbeat.
you can play with conditions to achieve filtering you desire.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.