Getting started with Packetbeat

vikas yadav, published in DevOps Dudes, Jul 31, 2021 (3 min read)

Monitoring your network traffic using Elasticsearch


Packetbeat is a real-time network packet analyzer that you can use with Elasticsearch to build an application monitoring and performance analytics system.

Packetbeat works by capturing the network traffic between your application servers, decoding the application-layer protocols (HTTP, MySQL, Redis, and so on) and correlating each request with its response, then shipping the resulting transaction records to Elasticsearch.

Packetbeat can run on

  • the same servers as your application processes, or
  • its own servers, where it sees the traffic through a network tap or a mirrored (SPAN) switch port.

Lab Setup

In this article we'll need a single-node Elasticsearch cluster (refer to this article for instructions) and two Apache web servers. I have used GCP to build my test lab since it offers USD 300 of free trial credit, but you can do it on your own servers or on any other public cloud platform as well.

Packetbeat Installation

Note: You'll need an existing Elasticsearch cluster to store the data and Kibana to visualize it. We will also need Metricbeat installed on the web server, because its beat-xpack module is what feeds Packetbeat's own health metrics into Kibana's Stack Monitoring.

  1. Please read this article to help set up a single-node Elasticsearch instance and Kibana.
  2. Please read this article to help set up Metricbeat.

We'll use the APT repository method to install Packetbeat, which assumes the Elastic APT repository and its signing key are already configured on the host.

Installation and configuration of Packetbeat on the web server

  1. Install Packetbeat
sudo apt-get install packetbeat

2. Configure Packetbeat

sudo su
cd /etc/packetbeat
nano packetbeat.yml

Set the capture interface, comment out the protocols you do not need, tag the host, and point setup at Kibana and the output at Elasticsearch:

packetbeat.interfaces.device: any
# comment out unnecessary protocols

tags: ["web-tier"]

setup.dashboards.enabled: true
setup.kibana:
  host: "192.168.1.34:5601"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.1.34:9200"]
  # Protocol - either `http` (default) or `https`.
  protocol: "http"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "goodwitch"

Two things to be aware of with this configuration: it ships the captured transactions over plain http, and it authenticates as the elastic superuser with the password sitting in a file on the web server. That is acceptable for a throwaway lab, but for anything else switch protocol to https with the cluster's CA configured and use a dedicated user or API key that only holds the privileges Packetbeat needs to write its index and load its setup assets.
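As an added example that is not code from the original article, the script below renders a Packetbeat 7.x configuration for the Apache web tier that keeps the article's settings (capture on "any", the web-tier tag, dashboards loaded, Elasticsearch and Kibana on 192.168.1.34) but hardens the weak parts: HTTPS with CA verification instead of http, a dedicated ingest user instead of elastic, the password kept in the Beats keystore instead of the YAML, only the protocols a web server speaks, and the HTTP monitoring endpoint on port 5070 that the Metricbeat beat-xpack module later polls. It then lets Packetbeat validate the file and the connection before the service starts. Everything not in the article is an assumption of mine: the user name packetbeat_writer (the role name the Beats docs suggest, created beforehand), the CA path /etc/packetbeat/ca.crt, and Apache listening on 80 and 443.

```shell
#!/bin/sh
# Added example, not code from the original article. Renders a hardened
# packetbeat.yml for an Apache web tier and validates it with Packetbeat's
# own test subcommands. Assumed (not from the article): the user
# "packetbeat_writer", the CA at /etc/packetbeat/ca.crt, Apache on 80/443.
set -eu

ES_HOST="${ES_HOST:-192.168.1.34}"
KIBANA_HOST="${KIBANA_HOST:-192.168.1.34}"
PB_USER="${PB_USER:-packetbeat_writer}"   # hypothetical least-privilege user
PB_PASS="${PB_PASS:-change-me}"           # placeholder, never a real secret
MONITOR_PORT="${MONITOR_PORT:-5070}"      # port the article's beat-xpack.yml points at

# Print the packetbeat.yml to stdout. ${ES_PWD} is left unexpanded on purpose:
# Packetbeat resolves it from its keystore at start-up.
render_packetbeat_config() {
  cat <<EOF
packetbeat.interfaces.device: any

# Flow records summarise every connection, even ones we do not decode.
packetbeat.flows:
  timeout: 30s
  period: 10s

# Only decode what a web tier actually speaks; everything else stays off.
packetbeat.protocols:
- type: http
  ports: [80, 8080]
- type: tls
  ports: [443]

tags: ["web-tier"]

setup.dashboards.enabled: true
setup.kibana:
  host: "https://${KIBANA_HOST}:5601"
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]

output.elasticsearch:
  hosts: ["${ES_HOST}:9200"]
  protocol: "https"
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
  username: "${PB_USER}"
  password: "\${ES_PWD}"

# Endpoint polled by Metricbeat's beat-xpack module; loopback only.
http.enabled: true
http.host: "localhost"
http.port: ${MONITOR_PORT}
EOF
}

# True if the rendered config contains the given text (used for offline checks).
config_has() { render_packetbeat_config | grep -- "$1" >/dev/null; }

# Write the file, put the secret in the keystore and let Packetbeat validate
# everything before the service starts. Needs the packetbeat package, so it
# only runs when invoked as: sudo sh packetbeat-config.sh --apply
apply_config() {
  cfg=/etc/packetbeat/packetbeat.yml
  render_packetbeat_config > "$cfg"
  chown root:root "$cfg" && chmod 0600 "$cfg"
  packetbeat keystore create --force
  printf '%s' "$PB_PASS" | packetbeat keystore add ES_PWD --stdin --force
  packetbeat test config -c "$cfg"     # syntax and schema
  packetbeat test output -c "$cfg"     # TLS handshake, auth and cluster reachability
  packetbeat setup --dashboards -c "$cfg"
  systemctl enable --now packetbeat
}

if [ "${1:-}" = "--apply" ]; then
  apply_config
fi
```

Run it once without arguments to inspect the rendered YAML, then as root with --apply. The `packetbeat test output` step is the one worth keeping in your runbook: it performs the TLS handshake and authenticates with the configured credentials, so a wrong CA or an under-privileged user fails there instead of silently in the service log.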

3. Start Packetbeat

sudo systemctl start packetbeat

4. Enable the beat-xpack Metricbeat module if it is not already enabled

sudo metricbeat modules enable beat-xpack

5. Configure the beat-xpack module

sudo nano /etc/metricbeat/modules.d/beat-xpack.yml

hosts: ["http://localhost:5070"]
username: "beats_system"
password: "avatar"

The host here is Packetbeat's own HTTP monitoring endpoint, which is disabled by default, so packetbeat.yml must have that endpoint enabled on port 5070 or the module will have nothing to collect.

6. Restart Metricbeat so it picks up the module change (modules.d is not reloaded automatically by default), then validate that the service is running

systemctl status metricbeat

7. Stack monitoring and dashboards

If your Packetbeat service has been successfully deployed and configured, you should be able to see it come up under Stack Monitoring -> Beats.

Finally, you can go to Dashboards and check one of the pre-built dashboards for Packetbeat.
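The steps above end with a visual check in Kibana. As an added example that is not code from the original article, the script below does the same verification from the web server's shell: it writes the beat-xpack module file, restarts Metricbeat, confirms that the endpoint Metricbeat polls really belongs to Packetbeat, and confirms that packetbeat-* documents are arriving in Elasticsearch. Everything not in the article is my assumption: Packetbeat's HTTP endpoint is enabled on localhost:5070 (the port in the article's beat-xpack.yml), Elasticsearch is reached over HTTPS with its CA at /etc/metricbeat/ca.crt, and a read-only user with the hypothetical name packetbeat_reader performs the data check so the elastic superuser is never typed on a web server. The JSON responses at the bottom are constructed samples, shaped like the real ones, so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original article. Wires Packetbeat into
# Metricbeat's beat-xpack module and verifies capture plus monitoring from
# the command line. Assumed (not from the article): the read-only user
# "packetbeat_reader" and the CA at /etc/metricbeat/ca.crt.
set -eu

ES_HOST="${ES_HOST:-192.168.1.34}"
MONITOR_PORT="${MONITOR_PORT:-5070}"
READER_USER="${READER_USER:-packetbeat_reader}"  # hypothetical read-only user
READER_PASS="${READER_PASS:-change-me}"          # placeholder, never a real secret

# modules.d/beat-xpack.yml. The module scrapes the beat's loopback endpoint,
# which carries no credentials, so none are configured here.
render_beat_xpack_config() {
  cat <<EOF
- module: beat
  xpack.enabled: true
  period: 10s
  hosts: ["http://localhost:${MONITOR_PORT}"]
EOF
}

# Pull a top-level string field ("beat", "uuid", ...) out of the flat JSON the
# beat's HTTP endpoint returns at "/". sed is enough here; use jq for nesting.
json_string_field() {  # $1 = field name, JSON on stdin
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Extract the integer from an Elasticsearch _count response.
json_count() { sed -n 's/.*"count":\([0-9]*\).*/\1/p'; }

# Returns 0 only when the endpoint belongs to Packetbeat (not some other beat
# that happens to own the port) and at least one document has been indexed.
verify_responses() {  # $1 = endpoint JSON, $2 = _count JSON
  beat=$(printf '%s' "$1" | json_string_field beat)
  n=$(printf '%s' "$2" | json_count)
  [ "$beat" = "packetbeat" ] && [ "${n:-0}" -gt 0 ]
}

# Needs Metricbeat and network access, so it only runs with --apply.
apply_and_verify() {
  render_beat_xpack_config > /etc/metricbeat/modules.d/beat-xpack.yml
  metricbeat modules enable beat-xpack
  systemctl restart metricbeat   # modules.d is not reloaded automatically by default
  info=$(curl -sf "http://localhost:${MONITOR_PORT}/")
  count=$(curl -sf --cacert /etc/metricbeat/ca.crt -u "${READER_USER}:${READER_PASS}" \
            "https://${ES_HOST}:9200/packetbeat-*/_count")
  if verify_responses "$info" "$count"; then
    echo "ok: packetbeat $(printf '%s' "$info" | json_string_field uuid) is monitored," \
         "$(printf '%s' "$count" | json_count) documents indexed"
  else
    echo "check failed: endpoint said '$info', count said '$count'" >&2
    return 1
  fi
}

# Constructed sample responses, shaped like the real ones, for offline checks.
SAMPLE_INFO='{"beat":"packetbeat","hostname":"web-1","name":"web-1","uuid":"0f8c6d7e-1111-2222-3333-444444444444","version":"7.13.4"}'
SAMPLE_COUNT='{"count":1284,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}'
SAMPLE_WRONG_BEAT='{"beat":"metricbeat","hostname":"web-1","name":"web-1","uuid":"a","version":"7.13.4"}'

if [ "${1:-}" = "--apply" ]; then
  apply_and_verify
fi
```

The beat check matters because the beat-xpack module only knows a host and port: if another beat is listening on 5070, Stack Monitoring will cheerfully show that one instead, and the "Beats" page will not tell you Packetbeat is missing until you look for it by name. Once both checks pass, the Stack Monitoring -> Beats page and the Packetbeat dashboards in Kibana should populate within a couple of polling periods.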

So, here's how you can configure Packetbeat to monitor the network traffic of your web servers.

If you want to do some hands-on practice on Elasticsearch, here is the link to my YouTube playlist where I show you how you can set up a lab with 2 Apache servers feeding data to a single-node Elasticsearch cluster deployed on Google Cloud Platform (GCP).


IT engineer with 14 years of experience in IT with recent experience in Solution design, Big data, and log analytics.