While researching a solution for capturing and visualizing all kinds of traffic on a few remote dedicated servers that lack firewall syslogs, I tried out Packetbeat. It does not do the same thing, I know, but it gives way more info than none, and it has a better CPU and memory footprint than a manual tcpdump service -> log -> Logstash -> Elasticsearch pipeline.
My big problem, though, is that Packetbeat does not send any source fields to the receiving end.
I have not done any configuration other than adding the Logstash output for some further manipulation if I found it needed (already split type/index).
Stack Version used: 6.2
Do I need to add more configuration?
Example output:
{"type":"flow","flow_id":"EAT/////AP//////FP0BBBGrhqX7lPtQL0Inqt8","@timestamp":"2018-04-04T13:42:40.000Z","host":"MyHost","start_time":"2018-04-04T13:42:33.112Z","dest":{"ip":"151.151.151.151","stats":{"net_bytes_total":368,"net_packets_total":5},"port":1050},"last_time":"2018-04-04T13:42:33.113Z","final":false,"transport":"tcp","@version":"1","tags":["pbeat"]}
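A quick way to confirm whether the source side is really absent from the events (rather than dropped later in Logstash) is to audit the raw NDJSON that Packetbeat writes, for example with a `file` output enabled next to the Logstash output. The script below is an added example and not part of the original post or of Packetbeat; it assumes that a Packetbeat 6.x flow event carries `source.ip`, `source.port`, `dest.ip` and `dest.port`, and it uses the flow event from the post plus two constructed events as sample input.

```python
import json

# Assumed field layout for a Packetbeat 6.x "flow" event: both endpoints
# should be present. Adjust these paths for other versions or event types.
REQUIRED_PATHS = ("source.ip", "source.port", "dest.ip", "dest.port")


def get_path(event, path):
    """Walk a dotted path ("source.ip") through nested dicts; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_fields(event):
    """Return the required paths that this event does not carry."""
    return [p for p in REQUIRED_PATHS if get_path(event, p) is None]


def audit_flows(lines):
    """Parse NDJSON lines and count flow events that lack endpoint fields.

    Non-flow events (http, dns, ...) are counted in 'total' but not audited,
    since they use a different field layout.
    """
    report = {
        "total": 0,
        "unparseable": 0,
        "flows": 0,
        "incomplete": 0,
        "missing_counts": {p: 0 for p in REQUIRED_PATHS},
        "incomplete_flow_ids": [],
    }
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            report["unparseable"] += 1
            continue
        report["total"] += 1
        if event.get("type") != "flow":
            continue
        report["flows"] += 1
        missing = missing_fields(event)
        if missing:
            report["incomplete"] += 1
            report["incomplete_flow_ids"].append(event.get("flow_id"))
            for p in missing:
                report["missing_counts"][p] += 1
    return report


# Constructed sample input. The first line is the event quoted in the post;
# the second is a made-up complete flow; the third is a made-up non-flow event.
SAMPLE_NDJSON = [
    '{"type":"flow","flow_id":"EAT/////AP//////FP0BBBGrhqX7lPtQL0Inqt8",'
    '"@timestamp":"2018-04-04T13:42:40.000Z","host":"MyHost",'
    '"start_time":"2018-04-04T13:42:33.112Z","dest":{"ip":"151.151.151.151",'
    '"stats":{"net_bytes_total":368,"net_packets_total":5},"port":1050},'
    '"last_time":"2018-04-04T13:42:33.113Z","final":false,"transport":"tcp",'
    '"@version":"1","tags":["pbeat"]}',
    '{"type":"flow","flow_id":"constructed-complete-flow",'
    '"source":{"ip":"10.0.0.5","port":51234},'
    '"dest":{"ip":"10.0.0.9","port":443},"transport":"tcp"}',
    '{"type":"http","ip":"10.0.0.5","port":80,"method":"GET"}',
]


if __name__ == "__main__":
    result = audit_flows(SAMPLE_NDJSON)
    print(json.dumps(result, indent=2))
```

Run it against a real capture with `python3 audit.py < packetbeat.ndjson` after swapping `SAMPLE_NDJSON` for `sys.stdin`; if `incomplete` equals `flows`, the gap is on the Packetbeat side, and if the file output is complete while Logstash output is not, look at the Logstash filters instead.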