
Configuring Packetbeat to push packet data into Elasticsearch

Beats are lightweight data shippers, each built for a single purpose. They are installed as agents on the servers where the data originates and send it to a central Logstash or Elasticsearch cluster. Beats are written in Go, are lightweight by design, and run across platforms.

Packetbeat is a network packet analyzer that reads packets off the wire and sends the extracted information to Logstash or Elasticsearch. We can use Packetbeat to monitor the traffic of any application that it understands. Before configuring Packetbeat, we first need to install it; the installation process was covered in Chapter 1, Revising the ELK Stack, so refer to that chapter if needed. After installation, we configure Packetbeat by opening its configuration file:

sudo vim /etc/packetbeat/packetbeat.yml

This opens the configuration file, as shown in the following screenshot:

The previous screenshot shows the Packetbeat configuration file. To configure Packetbeat, we need to do the following:

  • We need to select the network interface on which Packetbeat will capture data by setting the interface device. On Linux, Packetbeat can capture all traffic on the server on which it is installed, so we can set the device to any: packetbeat.interfaces.device: any. On macOS or Windows, we must name the interface device explicitly.
  • We need to provide the username and password in the Elasticsearch and Kibana sections if we are using a secured Elastic Stack setup.
  • In the protocols section of the Packetbeat configuration file, we need to provide the ports for each protocol on which Packetbeat will capture packet data. If each protocol runs on its default port, Packetbeat will capture on those default ports without further configuration. However, if a protocol runs on a nonstandard port, we need to list that port in the Packetbeat configuration file.
  • We need to set up the Elasticsearch output section by providing the IP address and port of the Elasticsearch server, in case we are sending the Packetbeat output to Elasticsearch:
#------------------- Elasticsearch output-------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

However, if we are sending the Packetbeat output to Logstash, we need to set the Logstash output section instead, providing the IP address and port of the Logstash server in the Packetbeat configuration file.

  • Beats ship with default Kibana dashboards, which we can import and then customize to our requirements. For example, if we want a dashboard for Apache, Beats let us import the Apache dashboard with its key visualizations, which we can then customize by removing or adding visualizations as required. So, if we want to use the default Packetbeat dashboards in Kibana, we need to set the following in the configuration file:
setup.kibana:
  host: "localhost:5601"
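The following packetbeat.yml is an added example that ties the steps above together; it is not from the book. It assumes Linux, an HTTP service on nonstandard ports 8080 and 8000, a TLS-enabled Elasticsearch and Kibana (the host names, the packetbeat_writer user and the CA path are placeholders), and a password stored in the Beats keystore rather than in the file.

```yaml
# packetbeat.yml (added example): capture on all Linux interfaces, watch
# a few protocols including nonstandard ports, ship to a secured
# Elasticsearch, and load the default Kibana dashboards.
packetbeat.interfaces.device: any     # Linux only; name the NIC on macOS/Windows

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: icmp
  enabled: true
- type: dns
  ports: [53]
  include_authorities: true
  include_additionals: true
- type: http
  # default port 80 plus the assumed application ports 8080 and 8000
  ports: [80, 8080, 8000]
- type: tls
  ports: [443, 8443]
- type: mysql
  ports: [3306]

output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]   # assumed host name
  username: "packetbeat_writer"                  # assumed least-privilege user
  # Keep the secret out of the file: create it once with
  #   sudo packetbeat keystore create && sudo packetbeat keystore add ES_PWD
  # and reference it here.
  password: "${ES_PWD}"
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]  # assumed CA path

setup.kibana:
  host: "https://kibana.example.internal:5601"   # assumed host name
  username: "packetbeat_writer"
  password: "${ES_PWD}"

# Load the default Packetbeat dashboards into Kibana on first start.
setup.dashboards.enabled: true
```

Before starting the service, check the file with sudo packetbeat test config -c /etc/packetbeat/packetbeat.yml and the connection with sudo packetbeat test output.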