docs/reference/packetbeat/packetbeat-installation-configuration.md
The best way to understand the value of a network packet analytics system like Packetbeat is to try it on your own traffic.
This guide describes how to get started quickly with network packet analytics: install Packetbeat, connect it to {{es}} and {{kib}}, choose the interfaces and protocols to sniff, load the index template and dashboards, start the service, and view the captured data.
You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
:::::::{applies-switch}
:group: deployment

::::::{applies-item} ess: ga
:sync: hosted

To get started quickly, spin up a deployment of {{ech}}. The {{ech}} is available on AWS, GCP, and Azure. Try it out for free.
::::::

::::::{applies-item} self: ga
:sync: self

To install and run {{es}} and {{kib}}, see Installing the {{stack}}.
::::::

::::::{applies-item} serverless: ga
:sync: serverless

::::{include} /reference/_snippets/serverless-before-you-begin.md
::::
::::::
:::::::
On most platforms, Packetbeat requires the libpcap packet capture library. Depending on your OS, you might need to install it:
:::::::{tab-set}
:group: platform

::::::{tab-item} DEB
:sync: deb

sudo apt-get install libpcap0.8
::::::

::::::{tab-item} RPM
:sync: rpm

sudo yum install libpcap
::::::

::::::{tab-item} MacOS
:sync: macos

You probably do not need to install libpcap.
::::::

::::::{tab-item} Linux
:sync: linux

You probably do not need to install libpcap.
::::::

::::::{tab-item} Windows
:sync: windows

You probably do not need to install libpcap. The default distribution of {{packetbeat}} for Windows comes bundled with the Npcap library.
For the OSS-only distribution, you must download and install a packet sniffing library, such as [Npcap](https://nmap.org/npcap/), that implements the [libpcap](https://github.com/the-tcpdump-group/libpcap) interfaces.
If you use Npcap, make sure you install it in WinPcap API-compatible mode. If you plan to capture traffic from the loopback device (127.0.0.1 traffic), also select the option to support loopback traffic.
::::::
:::::::
:::::::{tab-set}
:group: platform

::::::{tab-item} DEB
:sync: deb

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-{{version.stack}}-amd64.deb
sudo dpkg -i packetbeat-{{version.stack}}-amd64.deb
::::::

::::::{tab-item} RPM
:sync: rpm

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-{{version.stack}}-x86_64.rpm
sudo rpm -vi packetbeat-{{version.stack}}-x86_64.rpm
::::::

::::::{tab-item} MacOS
:sync: macos

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-{{version.stack}}-darwin-x86_64.tar.gz
tar xzvf packetbeat-{{version.stack}}-darwin-x86_64.tar.gz
::::::

::::::{tab-item} Linux
:sync: linux

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-{{version.stack}}-linux-x86_64.tar.gz
tar xzvf packetbeat-{{version.stack}}-linux-x86_64.tar.gz
::::::

::::::{tab-item} Windows
:sync: windows

1. Download the Packetbeat Windows zip file.
2. Extract the contents of the zip file into C:\Program Files.
3. Rename the packetbeat-[version]-windows-x86_64 directory to Packetbeat.
4. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
5. From the PowerShell prompt, run the following commands to install Packetbeat as a Windows service:

   PS > cd 'C:\Program Files\Packetbeat'
   PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1

:::{note}
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1. An execution policy passed on the command line applies only to that PowerShell process; it does not change the machine-wide policy.
:::

:::{important}
:applies_to: stack: ga 9.0.6+!

The base folder has changed from C:\ProgramData\ to C:\Program Files\ because the latter has stricter permissions. The home path (base for state and logs) is now C:\Program Files\Packetbeat-Data. The install script (install-service-packetbeat.ps1) checks whether C:\ProgramData\Packetbeat exists and moves it to C:\Program Files\Packetbeat-Data. For more details on the installation script, refer to: install script.
:::
::::::
:::::::

The commands shown are for AMD platforms, but ARM packages are also available. Refer to the download page for the full list of available packages.
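The curl commands above fetch the archive, but nothing checks that the bytes you received are the ones Elastic built. Elastic publishes a `.sha512` file next to each artifact; the script below downloads both, compares the digest, and only then unpacks. It is an added example, not part of the Elastic docs or the Packetbeat distribution: it assumes the same artifact URL layout as the commands above and reads the version from a `PACKETBEAT_VERSION` variable you set (the value of {{version.stack}} on this page). For the .deb and .rpm packages, installing from Elastic's signed APT or YUM repositories gives you signature verification instead.

```shell
#!/usr/bin/env sh
# Added example, not from the Elastic docs: download a Packetbeat tarball
# together with the .sha512 digest file that Elastic publishes beside every
# artifact, and refuse to unpack unless the digest matches.
# PACKETBEAT_VERSION and PACKETBEAT_ARCH are assumed variables; BASE_URL
# mirrors the curl commands in this guide.
set -eu

BASE_URL="https://artifacts.elastic.co/downloads/beats/packetbeat"

# sha512_of FILE -> hex digest, using sha512sum (GNU) or shasum (macOS/BSD)
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE SHAFILE -> 0 when the digest in SHAFILE matches FILE,
# 1 otherwise. SHAFILE uses the "<hex>  <filename>" layout of the .sha512 files.
verify_artifact() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    actual=$(sha512_of "$1")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "digest mismatch for $1" >&2
        return 1
    fi
    return 0
}

# fetch_and_verify VERSION [ARCH] -> download, verify, then unpack
fetch_and_verify() {
    artifact="packetbeat-$1-linux-${2:-x86_64}.tar.gz"
    curl -fsSL -O "$BASE_URL/$artifact"
    curl -fsSL -O "$BASE_URL/$artifact.sha512"
    if ! verify_artifact "$artifact" "$artifact.sha512"; then
        rm -f "$artifact"   # never leave an unverified binary lying around
        return 1
    fi
    tar xzf "$artifact"
}

# Only download when explicitly asked, so the functions can be sourced and
# exercised offline.
if [ -n "${PACKETBEAT_VERSION:-}" ]; then
    fetch_and_verify "$PACKETBEAT_VERSION" "${PACKETBEAT_ARCH:-x86_64}"
fi
```

Run it as `PACKETBEAT_VERSION=<stack version> sh fetch-packetbeat.sh` (add `PACKETBEAT_ARCH=arm64` for the ARM tarball). The digest is compared as a string rather than through `sha512sum -c` so the check does not depend on the working directory matching the filename recorded in the `.sha512` file.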
Connections to {{es}} and {{kib}} are required to set up Packetbeat.
Set the connection information in packetbeat.yml. To locate this configuration file, see Directory layout.
:::::::{applies-switch}
:group: deployment

::::::{applies-item} ess: ga
:sync: hosted

Specify the cloud.id of your {{ech}} deployment, and set cloud.auth to a user who is authorized to set up Packetbeat. For example:

```yaml
cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "packetbeat_setup:YOUR_PASSWORD" <1>
```

1. The password is written inline here only for the example. In practice, store it in the Packetbeat keystore (`packetbeat keystore add ES_PWD`) and reference it as `${ES_PWD}` so the plaintext never sits in packetbeat.yml.
::::::

::::::{applies-item} self: ga
:sync: self

Set the host and port where Packetbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Packetbeat. For example:

```yaml
output.elasticsearch:
  hosts: ["https://myEShost:9200"]
  username: "packetbeat_internal"
  password: "YOUR_PASSWORD" <1>
  ssl:
    enabled: true
    ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
```

1. The password is written inline here only for the example. Store it in the Packetbeat keystore and reference it as `${ES_PWD}`.
2. The hex-encoded SHA-256 fingerprint of the CA certificate that signed the {{es}} HTTP certificate. Packetbeat trusts only chains that end in that CA, which pins the server without distributing the CA file. Compute it with `openssl x509 -fingerprint -sha256 -noout -in http_ca.crt` and strip the colons from the output. Do not work around certificate errors with `ssl.verification_mode: none`; that turns off server authentication entirely.

If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.

```yaml
setup.kibana:
  host: "mykibanahost:5601" <1>
  username: "my_kibana_user" <2> <3>
  password: "YOUR_PASSWORD"
```

1. The host and port where {{kib}} is running, for example mykibanahost:5601. If you specify a path after the port number, include the scheme and port: http://mykibanahost:5601/path.
2. The username and password settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Packetbeat uses the username and password specified for the {{es}} output.
3. To load the pre-built dashboards, this user needs the kibana_admin built-in role.
::::::

::::::{applies-item} serverless: ga
:sync: serverless

::::{include} /reference/_snippets/serverless-connect.md
::::
::::::
:::::::

To learn more about required roles and privileges, see Grant users access to secured resources.
::::{note} You can send data to other outputs, such as {{ls}}, but that requires additional configuration and setup. ::::
In packetbeat.yml, configure the network devices and protocols to capture traffic from.
Set the sniffer type. By default, Packetbeat uses pcap, which uses the libpcap library and works on most platforms.
On Linux, set the sniffer type to af_packet to use memory-mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific. Both sniffer types open raw sockets on the device, which requires root or the CAP_NET_RAW capability; that is why the start commands later in this guide use sudo:
packetbeat.interfaces.type: af_packet
Specify the network device to capture traffic from. For example:
packetbeat.interfaces.device: eth0
::::{tip}
On Linux, specify packetbeat.interfaces.device: any to capture all messages sent or received by the server where Packetbeat is installed. The any setting does not work on macOS.
::::
To see a list of available devices, run:
:::::::{tab-set}
:group: platform

::::::{tab-item} DEB
:sync: deb

packetbeat devices
::::::

::::::{tab-item} RPM
:sync: rpm

packetbeat devices
::::::

::::::{tab-item} MacOS
:sync: macos

./packetbeat devices
::::::

::::::{tab-item} Linux
:sync: linux

./packetbeat devices
::::::

::::::{tab-item} Windows
:sync: windows

PS C:\Program Files\Packetbeat> .\packetbeat.exe devices
0: \Device\NPF_{113535AD-934A-452E-8D5F-3004797DE286} (Intel(R) PRO/1000 MT Desktop Adapter)

In this example, there’s only one network card, with the index 0, installed on the system. If there are multiple network cards, remember the index of the device you want to use for capturing the traffic.

Modify the device setting to point to the index of the device:

packetbeat.interfaces.device: 0
::::::
:::::::
For more information about these settings, see Traffic sniffing.
In the protocols section, configure the ports where Packetbeat can find each protocol. Packetbeat chooses the parser by port, so traffic for a protocol on a port that is not listed here is not decoded (it still shows up in flow records if flows are enabled). If you use any non-standard ports, add them here. Otherwise, use the default values.

```yaml
packetbeat.protocols:
  - type: dhcpv4
    ports: [67, 68]
  - type: dns
    ports: [53]
  - type: http
    ports: [80, 8080, 8081, 5000, 8002]
  - type: memcache
    ports: [11211]
  - type: mysql
    ports: [3306, 3307]
  - type: pgsql
    ports: [5432]
  - type: redis
    ports: [6379]
  - type: thrift
    ports: [9090]
  - type: mongodb
    ports: [27017]
  - type: cassandra
    ports: [9042]
  - type: tls
    ports: [443, 993, 995, 5223, 8443, 8883, 9243]
```

The tls parser records handshake metadata such as the server name, negotiated version, cipher suite, and certificates; it does not decrypt the session, so a port listed under tls is not parsed as http.
:::{tip}
To test your configuration file, change to the directory where the Packetbeat binary is installed, and run Packetbeat in the foreground with the following options specified: sudo ./packetbeat test config -e. Make sure your config files are in the path expected by Packetbeat (see Directory layout), or use the -c flag to specify the path to the config file. Depending on your OS, you might run into file ownership issues when you run this test. See Config File Ownership and Permissions for more information.
:::
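The fragments above are shown one setting at a time. The following packetbeat.yml pulls them together and replaces the inline passwords with keystore references. It is an added example, not a file shipped with Packetbeat: the host names, the fingerprint value, and the keystore key names ES_PWD and KIBANA_PWD are placeholders to replace with your own.

```yaml
# Added example: a complete packetbeat.yml assembled from this guide.
# Host names, the fingerprint, and the keystore keys ES_PWD / KIBANA_PWD
# are placeholders.
packetbeat.interfaces.type: af_packet   # Linux only; use pcap elsewhere
packetbeat.interfaces.device: any       # Linux only; name a device (eth0) on macOS

packetbeat.protocols:
  - type: dns
    ports: [53]
  - type: http
    ports: [80, 8080, 8081, 5000, 8002]
  - type: tls
    ports: [443, 8443, 9243]

output.elasticsearch:
  hosts: ["https://myEShost:9200"]
  username: "packetbeat_internal"
  password: "${ES_PWD}"                  # resolved from the keystore at startup
  ssl:
    enabled: true
    ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c"

setup.kibana:
  host: "mykibanahost:5601"
  username: "my_kibana_user"
  password: "${KIBANA_PWD}"              # also resolved from the keystore
```

Create the keystore as the user that will run Packetbeat (root, when you start it with sudo) and add the secrets before the first start: `sudo ./packetbeat keystore create`, then `sudo ./packetbeat keystore add ES_PWD` and `sudo ./packetbeat keystore add KIBANA_PWD`, each of which prompts for the value. `sudo ./packetbeat test config -e` then validates the file, and `sudo ./packetbeat test output` confirms that the fingerprint and credentials actually work against {{es}} before any traffic is captured.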
For more information about configuring Packetbeat, also see:

- packetbeat.reference.yml: This reference configuration file shows all non-deprecated options. You’ll find it in the same location as packetbeat.yml.

Packetbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:

1. Make sure the user specified in packetbeat.yml is authorized to set up Packetbeat.
2. From the installation directory, run:
:::::::{tab-set}
:group: platform

::::::{tab-item} DEB
:sync: deb

packetbeat setup -e
::::::

::::::{tab-item} RPM
:sync: rpm

packetbeat setup -e
::::::

::::::{tab-item} MacOS
:sync: macos

./packetbeat setup -e
::::::

::::::{tab-item} Linux
:sync: linux

./packetbeat setup -e
::::::

::::::{tab-item} Windows
:sync: windows

PS > .\packetbeat.exe setup -e
::::::
:::::::
-e is optional and sends output to standard error instead of the configured log output.
By default Windows log files are stored in C:\Program Files\Packetbeat-Data\logs.
:::{note}
In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\packetbeat\logs.
:::
This step loads the recommended index template for writing to Elasticsearch and deploys the sample dashboards for visualizing the data in Kibana.

:::{tip}
A connection to Elasticsearch (or {{ech}}) is required to set up the initial environment. If you’re using a different output, such as Logstash, see Load the index template manually and Load Kibana dashboards.
:::

Before starting Packetbeat, modify the user credentials in packetbeat.yml and specify a user who is authorized to publish events. The setup user needs privileges to create index templates and dashboards; the running process only needs to write events, so give it a separate, less privileged user.
To start Packetbeat, run:
:::::::{tab-set}
:group: platform

::::::{tab-item} DEB
:sync: deb

sudo service packetbeat start

::::{note}
If you use an init.d script to start Packetbeat, you can’t specify command line flags (see Command reference). To specify flags, start Packetbeat in the foreground.
::::

Also see Packetbeat and systemd.
::::::

::::::{tab-item} RPM
:sync: rpm

sudo service packetbeat start

::::{note}
If you use an init.d script to start Packetbeat, you can’t specify command line flags (see Command reference). To specify flags, start Packetbeat in the foreground.
::::

Also see Packetbeat and systemd.
::::::

::::::{tab-item} MacOS
:sync: macos

sudo chown root packetbeat.yml <1>
sudo ./packetbeat -e

1. You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with --strict.perms=false specified. See Config File Ownership and Permissions.
::::::

::::::{tab-item} Linux
:sync: linux

sudo chown root packetbeat.yml <1>
sudo ./packetbeat -e

1. You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with --strict.perms=false specified. See Config File Ownership and Permissions.
::::::

::::::{tab-item} Windows
:sync: windows

PS C:\Program Files\Packetbeat> Start-Service packetbeat

By default Windows log files are stored in C:\Program Files\Packetbeat-Data\logs.

:::{note}
In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\packetbeat\logs.
:::
::::::
:::::::
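The macOS and Linux tabs above chown packetbeat.yml to root because Packetbeat refuses to start when the configuration file is owned by someone other than the user running it (or root), or is writable by group or others; `--strict.perms=false` disables that check. The script below reimplements the same two rules so you can see exactly why a file is refused instead of switching the check off. It is an added example, not Elastic's code, and assumes only a POSIX sh with either GNU or BSD `stat`.

```shell
#!/usr/bin/env sh
# Added example, not from the Elastic docs: reproduce the ownership and
# permission check Packetbeat applies to packetbeat.yml at startup (the
# strict.perms check). Rules: the file must be owned by the user running
# Packetbeat or by root, and must not be writable by group or others.
set -eu

# file_owner_and_mode FILE -> prints "<uid> <octal mode>"
# (GNU stat first, BSD/macOS stat as the fallback)
file_owner_and_mode() {
    if stat -c '%u %a' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%u %Lp' "$1"
}

# check_config_perms FILE -> 0 if Packetbeat would accept FILE,
# 1 otherwise, with the reason on stderr
check_config_perms() {
    cfg=$1
    if [ ! -e "$cfg" ]; then
        echo "$cfg: no such file" >&2
        return 1
    fi
    set -- $(file_owner_and_mode "$cfg")
    owner=$1
    mode=$2
    me=$(id -u)
    if [ "$owner" != "$me" ] && [ "$owner" != "0" ]; then
        echo "$cfg: owned by uid $owner, must be owned by uid $me or root" >&2
        return 1
    fi
    # Keep the last three octal digits (drops a leading setuid/setgid/sticky digit),
    # then test the write bit (2) of the group and other digits.
    perm=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo "$cfg: mode $perm is writable by group or others; run chmod go-w $cfg" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh check-perms.sh /path/to/packetbeat.yml
if [ -n "${1:-}" ]; then
    check_config_perms "$1" && echo "$1: ok"
fi
```

Run it as the same user that will start Packetbeat (`sudo sh check-perms.sh packetbeat.yml` when you start Packetbeat with sudo), since the owner rule is evaluated against that user's uid.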
Packetbeat should begin streaming data to {{es}}.
Packetbeat comes with pre-built {{kib}} dashboards and UIs for visualizing network data. You loaded the dashboards earlier when you ran the setup command.

To open the dashboards:

Launch {{kib}}:

:::::::{applies-switch}
:group: deployment

::::::{applies-item} ess: ga
:sync: hosted

Log in to your {{ech}} account and open the {{kib}} endpoint of your deployment.
::::::

::::::{applies-item} self: ga
:sync: self

Open http://localhost:5601 in your browser, replacing localhost with the name of the {{kib}} host.
::::::

::::::{applies-item} serverless: ga
:sync: serverless

::::{include} /reference/_snippets/serverless-view-data.md
::::
::::::
:::::::

In the side navigation, click Discover. To see Packetbeat data, make sure the predefined packetbeat-* data view is selected.

::::{tip}
If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes.
::::

In the side navigation, click Dashboard, then select the dashboard that you want to open.

The dashboards are provided as examples. We recommend that you customize them to meet your needs.

::::{tip}
To populate the client locations map in the overview dashboard, follow the steps described in Enrich events with geoIP information.
::::
Now that you have your data streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
Ingest data from other sources by installing and configuring other Elastic {{beats}}:
| Elastic {{beats}} | To capture |
|---|---|
| {{metricbeat}} | Infrastructure metrics |
| {{filebeat}} | Logs |
| {{winlogbeat}} | Windows event logs |
| {{heartbeat}} | Uptime information |
| APM | Application performance metrics |
| {{auditbeat}} | Audit events |
Use the Observability apps in {{kib}} to search across all your data:
| Elastic apps | Use to |
|---|---|
| {{metrics-app}} | Explore metrics about systems and services across your ecosystem |
| {{logs-app}} | Tail related log data in real time |
| {{uptime-app}} | Monitor availability issues across your apps and services |
| APM app | Monitor application performance |
| {{siem-app}} | Analyze security events |