环境:
业务机器安装packetbeat客户端
ES、kibana服务端需要保证启动(本次环境的ES和kibana服务跑在172.16.82.165上)
业务机器端执行安装:
1、下载包
yum install libpcap
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-6.3.2-x86_64.rpm
rpm -vi packetbeat-6.3.2-x86_64.rpm
配置文件如下
[root@docker2 packetbeat]# cat /etc/packetbeat/packetbeat.yml|egrep -v "^#|^$"
packetbeat.interfaces.device: any
packetbeat.flows:
timeout: 30s
period: 10s
packetbeat.protocols:
- type: icmp
enabled: true
- type: amqp
ports: [5672]
- type: cassandra
ports: [9042]
- type: dns
ports: [53]
include_authorities: true
include_additionals: true
- type: http
ports: [80, 8080, 8000, 5000, 8002]
- type: memcache
ports: [11211]
- type: mysql
ports: [3306]
- type: pgsql
ports: [5432]
- type: redis
ports: [6379]
- type: thrift
ports: [9090]
- type: mongodb
ports: [27017]
- type: nfs
ports: [2049]
- type: tls
ports: [443]
setup.template.settings:
index.number_of_shards: 3
#_source.enabled: false
setup.kibana:
host: "172.16.82.165:5601"
output.elasticsearch:
hosts: ["172.16.82.165:9200"]
2、kibana导入图
packetbeat setup --dashboards
packetbeat setup -e
-E output.logstash.enabled=false
-E output.elasticsearch.hosts=['172.16.82.165:9200']
-E output.elasticsearch.username=packetbeat_internal
-E output.elasticsearch.password=YOUR_PASSWORD
-E setup.kibana.host=172.16.82.165:5601
备注:
-E output.elasticsearch.username=packetbeat_internal
-E output.elasticsearch.password=YOUR_PASSWORD
这两行涉及用户密码,如果我们e没有用户密码配置,可以先不执行这两行
启动packetbeat服务
/etc/init.d/packetbeat start
然后执行这个测试数据:
curl -XGET 'http://172.16.82.165:9200/packetbeat-*/_search?pretty'
之后进入kibana,创新packetbeat-*的索引
会有数据显示展示