482 lines
18 KiB
YAML
482 lines
18 KiB
YAML
|
###################### Packetbeat Configuration Example #######################
|
||
|
|
|
||
|
|
# This file is a full configuration example documenting all non-deprecated
|
||
|
|
# options in comments. For a shorter configuration example, that contains only
|
||
|
|
# the most common options, please see packetbeat.yml in the same directory.
|
||
|
|
#
|
||
|
|
# You can find the full configuration reference here:
|
||
|
|
# https://www.elastic.co/guide/en/beats/packetbeat/index.html
|
||
|
|
|
||
|
|
#============================== Network device ================================
|
||
|
|
|
||
|
|
# Select the network interface to sniff the data. You can use the "any"
|
||
|
|
# keyword to sniff on all connected interfaces.
|
||
|
|
packetbeat.interfaces.device: any
|
||
|
|
|
||
|
|
# Packetbeat supports three sniffer types:
|
||
|
|
# * pcap, which uses the libpcap library and works on most platforms, but it's
|
||
|
|
# not the fastest option.
|
||
|
|
# * af_packet, which uses memory-mapped sniffing. This option is faster than
|
||
|
|
# libpcap and doesn't require a kernel module, but it's Linux-specific.
|
||
|
|
#packetbeat.interfaces.type: pcap
|
||
|
|
|
||
|
|
# The maximum size of the packets to capture. The default is 65535, which is
|
||
|
|
# large enough for almost all networks and interface types. If you sniff on a
|
||
|
|
# physical network interface, the optimal setting is the MTU size. On virtual
|
||
|
|
# interfaces, however, it's safer to accept the default value.
|
||
|
|
#packetbeat.interfaces.snaplen: 65535
|
||
|
|
|
||
|
|
# The maximum size of the shared memory buffer to use between the kernel and
|
||
|
|
# user space. A bigger buffer usually results in lower CPU usage, but consumes
|
||
|
|
# more memory. This setting is only available for the af_packet sniffer type.
|
||
|
|
# The default is 30 MB.
|
||
|
|
#packetbeat.interfaces.buffer_size_mb: 30
|
||
|
|
|
||
|
|
# Packetbeat automatically generates a BPF for capturing only the traffic on
|
||
|
|
# ports where it expects to find known protocols. Use this settings to tell
|
||
|
|
# Packetbeat to generate a BPF filter that accepts VLAN tags.
|
||
|
|
#packetbeat.interfaces.with_vlans: true
|
||
|
|
|
||
|
|
# Use this setting to override the automatically generated BPF filter.
|
||
|
|
#packetbeat.interfaces.bpf_filter:
|
||
|
|
|
||
|
|
#================================== Flows =====================================
|
||
|
|
|
||
|
|
packetbeat.flows:
|
||
|
|
# Enable Network flows. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Set network flow timeout. Flow is killed if no packet is received before being
|
||
|
|
# timed out.
|
||
|
|
timeout: 30s
|
||
|
|
|
||
|
|
# Configure reporting period. If set to -1, only killed flows will be reported
|
||
|
|
period: 10s
|
||
|
|
|
||
|
|
#========================== Transaction protocols =============================
|
||
|
|
|
||
|
|
packetbeat.protocols:
|
||
|
|
- type: icmp
|
||
|
|
# Enable ICMPv4 and ICMPv6 monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
- type: amqp
|
||
|
|
# Enable AMQP monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for AMQP traffic. You can disable
|
||
|
|
# the AMQP protocol by commenting out the list of ports.
|
||
|
|
ports: [5672]
|
||
|
|
# Truncate messages that are published and avoid huge messages being
|
||
|
|
# indexed.
|
||
|
|
# Default: 1000
|
||
|
|
#max_body_length: 1000
|
||
|
|
|
||
|
|
# Hide the header fields in header frames.
|
||
|
|
# Default: false
|
||
|
|
#parse_headers: false
|
||
|
|
|
||
|
|
# Hide the additional arguments of method frames.
|
||
|
|
# Default: false
|
||
|
|
#parse_arguments: false
|
||
|
|
|
||
|
|
# Hide all methods relative to connection negotiation between server and
|
||
|
|
# client.
|
||
|
|
# Default: true
|
||
|
|
#hide_connection_information: true
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: cassandra
|
||
|
|
#Cassandra port for traffic monitoring.
|
||
|
|
ports: [9042]
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`cassandra_request` field)
|
||
|
|
# is included in published events. The default is true.
|
||
|
|
#send_request: true
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
|
||
|
|
# is included in published events. The default is true. enable `send_request` first before enable this option.
|
||
|
|
#send_request_header: true
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`cassandra_response` field)
|
||
|
|
# is included in published events. The default is true.
|
||
|
|
#send_response: true
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
|
||
|
|
# is included in published events. The default is true. enable `send_response` first before enable this option.
|
||
|
|
#send_response_header: true
|
||
|
|
|
||
|
|
# Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured.
|
||
|
|
# By default no compressor is configured.
|
||
|
|
#compressor: "snappy"
|
||
|
|
|
||
|
|
# This option indicates which Operator/Operators will be ignored.
|
||
|
|
#ignored_ops: ["SUPPORTED","OPTIONS"]
|
||
|
|
|
||
|
|
- type: dhcpv4
|
||
|
|
# Configure the DHCP for IPv4 ports.
|
||
|
|
ports: [67, 68]
|
||
|
|
|
||
|
|
- type: dns
|
||
|
|
# Enable DNS monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for DNS traffic. You can disable
|
||
|
|
# the DNS protocol by commenting out the list of ports.
|
||
|
|
ports: [53]
|
||
|
|
|
||
|
|
# include_authorities controls whether or not the dns.authorities field
|
||
|
|
# (authority resource records) is added to messages.
|
||
|
|
# Default: false
|
||
|
|
include_authorities: true
|
||
|
|
# include_additionals controls whether or not the dns.additionals field
|
||
|
|
# (additional resource records) is added to messages.
|
||
|
|
# Default: false
|
||
|
|
include_additionals: true
|
||
|
|
|
||
|
|
# send_request and send_response control whether or not the stringified DNS
|
||
|
|
# request and response message are added to the result.
|
||
|
|
# Nearly all data about the request/response is available in the dns.*
|
||
|
|
# fields, but this can be useful if you need visibility specifically
|
||
|
|
# into the request or the response.
|
||
|
|
# Default: false
|
||
|
|
# send_request: true
|
||
|
|
# send_response: true
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: http
|
||
|
|
# Enable HTTP monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for HTTP traffic. You can disable
|
||
|
|
# the HTTP protocol by commenting out the list of ports.
|
||
|
|
ports: [80, 8080, 8000, 5000, 8002]
|
||
|
|
|
||
|
|
# Uncomment the following to hide certain parameters in URL or forms attached
|
||
|
|
# to HTTP requests. The names of the parameters are case insensitive.
|
||
|
|
# The value of the parameters will be replaced with the 'xxxxx' string.
|
||
|
|
# This is generally useful for avoiding storing user passwords or other
|
||
|
|
# sensitive information.
|
||
|
|
# Only query parameters and top level form parameters are replaced.
|
||
|
|
# hide_keywords: ['pass', 'password', 'passwd']
|
||
|
|
|
||
|
|
# A list of header names to capture and send to Elasticsearch. These headers
|
||
|
|
# are placed under the `headers` dictionary in the resulting JSON.
|
||
|
|
#send_headers: false
|
||
|
|
|
||
|
|
# Instead of sending a white list of headers to Elasticsearch, you can send
|
||
|
|
# all headers by setting this option to true. The default is false.
|
||
|
|
#send_all_headers: false
|
||
|
|
|
||
|
|
# The list of content types for which Packetbeat includes the full HTTP
|
||
|
|
# payload. If the request's or response's Content-Type matches any on this
|
||
|
|
# list, the full body will be included under the request or response field.
|
||
|
|
#include_body_for: []
|
||
|
|
|
||
|
|
# The list of content types for which Packetbeat includes the full HTTP
|
||
|
|
# request payload.
|
||
|
|
#include_request_body_for: []
|
||
|
|
|
||
|
|
# The list of content types for which Packetbeat includes the full HTTP
|
||
|
|
# response payload.
|
||
|
|
#include_response_body_for: []
|
||
|
|
|
||
|
|
# If the Cookie or Set-Cookie headers are sent, this option controls whether
|
||
|
|
# they are split into individual values.
|
||
|
|
#split_cookie: false
|
||
|
|
|
||
|
|
# The header field to extract the real IP from. This setting is useful when
|
||
|
|
# you want to capture traffic behind a reverse proxy, but you want to get the
|
||
|
|
# geo-location information.
|
||
|
|
#real_ip_header:
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
# Maximum message size. If an HTTP message is larger than this, it will
|
||
|
|
# be trimmed to this size. Default is 10 MB.
|
||
|
|
#max_message_size: 10485760
|
||
|
|
|
||
|
|
- type: memcache
|
||
|
|
# Enable memcache monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for memcache traffic. You can disable
|
||
|
|
# the Memcache protocol by commenting out the list of ports.
|
||
|
|
ports: [11211]
|
||
|
|
|
||
|
|
# Uncomment the parseunknown option to force the memcache text protocol parser
|
||
|
|
# to accept unknown commands.
|
||
|
|
# Note: All unknown commands MUST not contain any data parts!
|
||
|
|
# Default: false
|
||
|
|
# parseunknown: true
|
||
|
|
|
||
|
|
# Update the maxvalue option to store the values - base64 encoded - in the
|
||
|
|
# json output.
|
||
|
|
# possible values:
|
||
|
|
# maxvalue: -1 # store all values (text based protocol multi-get)
|
||
|
|
# maxvalue: 0 # store no values at all
|
||
|
|
# maxvalue: N # store up to N values
|
||
|
|
# Default: 0
|
||
|
|
# maxvalues: -1
|
||
|
|
|
||
|
|
# Use maxbytespervalue to limit the number of bytes to be copied per value element.
|
||
|
|
# Note: Values will be base64 encoded, so actual size in json document
|
||
|
|
# will be 4 times maxbytespervalue.
|
||
|
|
# Default: unlimited
|
||
|
|
# maxbytespervalue: 100
|
||
|
|
|
||
|
|
# UDP transaction timeout in milliseconds.
|
||
|
|
# Note: Quiet messages in UDP binary protocol will get response only in error case.
|
||
|
|
# The memcached analyzer will wait for udptransactiontimeout milliseconds
|
||
|
|
# before publishing quiet messages. Non quiet messages or quiet requests with
|
||
|
|
# error response will not have to wait for the timeout.
|
||
|
|
# Default: 200
|
||
|
|
# udptransactiontimeout: 1000
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: mysql
|
||
|
|
# Enable mysql monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for MySQL traffic. You can disable
|
||
|
|
# the MySQL protocol by commenting out the list of ports.
|
||
|
|
ports: [3306]
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: pgsql
|
||
|
|
# Enable pgsql monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for Pgsql traffic. You can disable
|
||
|
|
# the Pgsql protocol by commenting out the list of ports.
|
||
|
|
ports: [5432]
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: redis
|
||
|
|
# Enable redis monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for Redis traffic. You can disable
|
||
|
|
# the Redis protocol by commenting out the list of ports.
|
||
|
|
ports: [6379]
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: thrift
|
||
|
|
# Enable thrift monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for Thrift-RPC traffic. You can disable
|
||
|
|
# the Thrift-RPC protocol by commenting out the list of ports.
|
||
|
|
ports: [9090]
|
||
|
|
|
||
|
|
# The Thrift transport type. Currently this option accepts the values socket
|
||
|
|
# for TSocket, which is the default Thrift transport, and framed for the
|
||
|
|
# TFramed Thrift transport. The default is socket.
|
||
|
|
#transport_type: socket
|
||
|
|
|
||
|
|
# The Thrift protocol type. Currently the only accepted value is binary for
|
||
|
|
# the TBinary protocol, which is the default Thrift protocol.
|
||
|
|
#protocol_type: binary
|
||
|
|
|
||
|
|
# The Thrift interface description language (IDL) files for the service that
|
||
|
|
# Packetbeat is monitoring. Providing the IDL enables Packetbeat to include
|
||
|
|
# parameter and exception names.
|
||
|
|
#idl_files: []
|
||
|
|
|
||
|
|
# The maximum length for strings in parameters or return values. If a string
|
||
|
|
# is longer than this value, the string is automatically truncated to this
|
||
|
|
# length.
|
||
|
|
#string_max_size: 200
|
||
|
|
|
||
|
|
# The maximum number of elements in a Thrift list, set, map, or structure.
|
||
|
|
#collection_max_size: 15
|
||
|
|
|
||
|
|
# If this option is set to false, Packetbeat decodes the method name from the
|
||
|
|
# reply and simply skips the rest of the response message.
|
||
|
|
#capture_reply: true
|
||
|
|
|
||
|
|
# If this option is set to true, Packetbeat replaces all strings found in
|
||
|
|
# method parameters, return codes, or exception structures with the "*"
|
||
|
|
# string.
|
||
|
|
#obfuscate_strings: false
|
||
|
|
|
||
|
|
# The maximum number of fields that a structure can have before Packetbeat
|
||
|
|
# ignores the whole transaction.
|
||
|
|
#drop_after_n_struct_fields: 500
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: mongodb
|
||
|
|
# Enable mongodb monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for MongoDB traffic. You can disable
|
||
|
|
# the MongoDB protocol by commenting out the list of ports.
|
||
|
|
ports: [27017]
|
||
|
|
|
||
|
|
|
||
|
|
# The maximum number of documents from the response to index in the `response`
|
||
|
|
# field. The default is 10.
|
||
|
|
#max_docs: 10
|
||
|
|
|
||
|
|
# The maximum number of characters in a single document indexed in the
|
||
|
|
# `response` field. The default is 5000. You can set this to 0 to index an
|
||
|
|
# unlimited number of characters per document.
|
||
|
|
#max_doc_length: 5000
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: nfs
|
||
|
|
# Enable NFS monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for NFS traffic. You can disable
|
||
|
|
# the NFS protocol by commenting out the list of ports.
|
||
|
|
ports: [2049]
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the request (`request` field)
|
||
|
|
# is sent to Elasticsearch. The default is false.
|
||
|
|
#send_request: false
|
||
|
|
|
||
|
|
# If this option is enabled, the raw message of the response (`response`
|
||
|
|
# field) is sent to Elasticsearch. The default is false.
|
||
|
|
#send_response: false
|
||
|
|
|
||
|
|
# Transaction timeout. Expired transactions will no longer be correlated to
|
||
|
|
# incoming responses, but sent to Elasticsearch immediately.
|
||
|
|
#transaction_timeout: 10s
|
||
|
|
|
||
|
|
- type: tls
|
||
|
|
# Enable TLS monitoring. Default: true
|
||
|
|
#enabled: true
|
||
|
|
|
||
|
|
# Configure the ports where to listen for TLS traffic. You can disable
|
||
|
|
# the TLS protocol by commenting out the list of ports.
|
||
|
|
ports: [443]
|
||
|
|
|
||
|
|
# If this option is enabled, the client and server certificates and
|
||
|
|
# certificate chains are sent to Elasticsearch. The default is true.
|
||
|
|
#send_certificates: true
|
||
|
|
|
||
|
|
# If this option is enabled, the raw certificates will be stored
|
||
|
|
# in PEM format under the `raw` key. The default is false.
|
||
|
|
#include_raw_certificates: false
|
||
|
|
|
||
|
|
#=========================== Monitored processes ==============================
|
||
|
|
|
||
|
|
# Configure the processes to be monitored and how to find them. If a process is
|
||
|
|
# monitored then Packetbeat attempts to use it's name to fill in the `proc` and
|
||
|
|
# `client_proc` fields.
|
||
|
|
# The processes can be found by searching their command line by a given string.
|
||
|
|
#
|
||
|
|
# Process matching is optional and can be enabled by uncommenting the following
|
||
|
|
# lines.
|
||
|
|
#
|
||
|
|
#packetbeat.procs:
|
||
|
|
# enabled: false
|
||
|
|
# monitored:
|
||
|
|
# - process: mysqld
|
||
|
|
# cmdline_grep: mysqld
|
||
|
|
#
|
||
|
|
# - process: pgsql
|
||
|
|
# cmdline_grep: postgres
|
||
|
|
#
|
||
|
|
# - process: nginx
|
||
|
|
# cmdline_grep: nginx
|
||
|
|
#
|
||
|
|
# - process: app
|
||
|
|
# cmdline_grep: gunicorn
|
||
|
|
|
||
|
|
# Uncomment the following if you want to ignore transactions created
|
||
|
|
# by the server on which the shipper is installed. This option is useful
|
||
|
|
# to remove duplicates if shippers are installed on multiple servers.
|
||
|
|
#packetbeat.ignore_outgoing: true
|