I have some old Linux servers on my network that will not run Packetbeat, and I want to capture the traffic and put it on an Elasticsearch instance. One of the ways I've found to capture remotely is by using tcpdump on a named pipe, like the following:
    ssh myuser@myserver "sudo -S /usr/sbin/tcpdump -s 0 -n -w - -U -i eth0 port 14010 2>/dev/null" > /tmp/capture1.fifo
How can I read this FIFO and send the data with Packetbeat? I need to extract the HTTP traffic, with http.response.body and http.request.body, and my configuration in packetbeat.yml is quite simple for the job:
    - type: http
      # Configure the ports where to listen for HTTP traffic. You can disable
      # the HTTP protocol by commenting out the list of ports.
      ports: [80, 8080, 7010, 7020, 7030, 7040, 8010, 8020, 8030, 8040]
      include_body_for: ["text/html", "text/xml"]
Can someone help me with how to do this?
Thanks in advance!
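The command in the post writes a raw pcap stream into /tmp/capture1.fifo: `tcpdump -w -` emits a 24-byte global header followed by one 16-byte record header plus payload per packet, and `-U` makes that output packet-buffered so each record reaches the FIFO as soon as it is captured instead of when tcpdump's stdout buffer fills. Whatever consumer ends up reading the FIFO, it helps to be able to check that the stream is well formed before pointing that consumer at it. The following is an added example, not code from this post or from Packetbeat: a small Python reader that validates the pcap header, yields records from a pipe while coping with short reads, and reports a stream truncated mid-record (the writer being killed) instead of silently dropping the tail. The sample stream is constructed in the script with placeholder payloads (not real Ethernet frames), and an `os.pipe()` stands in for the FIFO so the whole thing runs offline.

```python
import os
import struct
import sys
import threading
from dataclasses import dataclass
from typing import BinaryIO, Iterator, List, Tuple

# Global-header magic -> (struct byte order, timestamp fraction divisor).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds (tcpdump default on x86)
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144  # what `tcpdump -s 0` records in the header


@dataclass
class PcapHeader:
    byte_order: str
    ts_divisor: int
    snaplen: int
    linktype: int


@dataclass
class PcapRecord:
    ts: float
    orig_len: int
    data: bytes


def _read_exact(stream: BinaryIO, n: int) -> bytes:
    """Loop over short reads (normal on pipes). Returns b"" at a clean EOF
    before any byte was read; raises if the writer died part-way through."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            if not buf:
                return b""
            raise EOFError(f"stream truncated: wanted {n} bytes, got {len(buf)}")
        buf.extend(chunk)
    return bytes(buf)


def read_header(stream: BinaryIO) -> PcapHeader:
    raw = _read_exact(stream, 24)
    if len(raw) != 24:
        raise ValueError("stream ended before the 24-byte pcap global header")
    if raw[:4] not in PCAP_MAGICS:
        raise ValueError(f"not a pcap stream (magic {raw[:4].hex()}); is tcpdump writing with -w - ?")
    order, divisor = PCAP_MAGICS[raw[:4]]
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", raw[4:])
    return PcapHeader(order, divisor, snaplen, linktype)


def iter_records(stream: BinaryIO, hdr: PcapHeader) -> Iterator[PcapRecord]:
    while True:
        rh = _read_exact(stream, 16)
        if not rh:
            return  # clean EOF on a record boundary
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(hdr.byte_order + "IIII", rh)
        if incl_len > hdr.snaplen:
            raise ValueError(f"record length {incl_len} exceeds snaplen {hdr.snaplen}; reader is out of sync")
        data = _read_exact(stream, incl_len) if incl_len else b""
        if len(data) != incl_len:
            raise EOFError("stream truncated inside a packet record")
        yield PcapRecord(ts_sec + ts_frac / hdr.ts_divisor, orig_len, data)


def build_pcap(packets: List[Tuple[int, int, bytes]], snaplen: int = DEFAULT_SNAPLEN) -> bytes:
    """Constructed little-endian pcap stream in the layout `tcpdump -w -` emits."""
    out = bytearray(b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, payload in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return bytes(out)


# Constructed sample: two records whose payloads are placeholder bytes, not real frames.
SAMPLE_PACKETS = [
    (1700000000, 250000, bytes(14) + b"constructed request placeholder"),
    (1700000001, 500000, bytes(14) + b"constructed response placeholder"),
]
SAMPLE_STREAM = build_pcap(SAMPLE_PACKETS)


def consume_pipe(sample: bytes, chunk: int = 7) -> Tuple[PcapHeader, List[PcapRecord]]:
    """Feed `sample` through an OS pipe (stand-in for the FIFO) in small flushed
    writes, the way a `-U` tcpdump delivers packets, and read it back incrementally."""
    rfd, wfd = os.pipe()

    def writer() -> None:
        with os.fdopen(wfd, "wb") as w:
            for i in range(0, len(sample), chunk):
                w.write(sample[i:i + chunk])
                w.flush()

    t = threading.Thread(target=writer)
    t.start()
    try:
        with os.fdopen(rfd, "rb", buffering=0) as r:
            hdr = read_header(r)
            records = list(iter_records(r, hdr))
    finally:
        t.join()
    return hdr, records


def truncated_stream_is_detected(sample: bytes) -> bool:
    """Drop the last 5 bytes (writer killed mid-record) and confirm it is reported."""
    try:
        consume_pipe(sample[:-5])
    except EOFError:
        return True
    return False


if __name__ == "__main__":
    # No stdin stream: run the constructed demo. Otherwise summarise a pcap
    # stream piped in, e.g. `cat /tmp/capture1.fifo | python pcap_stream_check.py`.
    if sys.stdin.isatty():
        hdr, recs = consume_pipe(SAMPLE_STREAM)
    else:
        hdr = read_header(sys.stdin.buffer)
        recs = list(iter_records(sys.stdin.buffer, hdr))
    print(f"linktype={hdr.linktype} snaplen={hdr.snaplen} records={len(recs)}")
```

The snaplen check is the useful sanity test for a FIFO: if the reader ever sees a record header claiming more bytes than the header's snaplen (262144 for `-s 0`), it has lost sync with the writer, which is what happens when two processes write to the same pipe or a consumer starts reading mid-stream and misses the global header.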