1364 lines
47 KiB
Text
1364 lines
47 KiB
Text
|
[[configuration-interfaces]]
|
|||
|
== Set traffic capturing options
|
|||
|
|
|||
|
There are two main ways of deploying Packetbeat:
|
|||
|
|
|||
|
* On dedicated servers, getting the traffic from mirror ports or tap devices.
|
|||
|
|
|||
|
* On your existing application servers.
|
|||
|
|
|||
|
The first option has the big advantage that there is no overhead of any kind on
|
|||
|
your application servers. But it requires dedicated networking gear, which is
|
|||
|
generally not available on cloud setups.
|
|||
|
|
|||
|
In both cases, the sniffing performance (reading packets passively from the network)
|
|||
|
is very important. In the case of a dedicated server, better
|
|||
|
sniffing performance means that less hardware is required. When Packetbeat is installed
|
|||
|
on an existing application server, better sniffing performance means less overhead.
|
|||
|
|
|||
|
Currently Packetbeat has several options for traffic capturing:
|
|||
|
|
|||
|
* `pcap`, which uses the libpcap library and works on most platforms, but
|
|||
|
it's not the fastest option.
|
|||
|
* `af_packet`, which uses memory mapped sniffing. This option is faster than libpcap
|
|||
|
and doesn't require a kernel module, but it's Linux-specific.
|
|||
|
|
|||
|
The `af_packet` option, also known as "memory-mapped sniffing," makes use of a
|
|||
|
Linux-specific
|
|||
|
http://lxr.free-electrons.com/source/Documentation/networking/packet_mmap.txt[feature].
|
|||
|
This could be the optimal sniffing mode for both the dedicated server and
|
|||
|
when Packetbeat is deployed on an existing application server.
|
|||
|
|
|||
|
The way it works is that both the kernel and the user space program map the
|
|||
|
same memory zone, and a simple circular buffer is organized in this memory zone.
|
|||
|
The kernel writes packets into the circular buffer, and the user space program
|
|||
|
reads from it. The poll system call is used for getting a notification for the
|
|||
|
first packet available, but the remaining available packets can be simply read
|
|||
|
via memory access.
|
|||
|
|
|||
|
The `af_packet` sniffer can be further tuned to use more memory in exchange for
|
|||
|
better performance. The larger the size of the circular buffer, the fewer
|
|||
|
system calls are needed, which means that fewer CPU cycles are consumed. The default size
|
|||
|
of the buffer is 30 MB, but you can increase it like this:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: eth0
|
|||
|
packetbeat.interfaces.type: af_packet
|
|||
|
packetbeat.interfaces.buffer_size_mb: 100
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
[float]
|
|||
|
=== Sniffing configuration options
|
|||
|
|
|||
|
You can specify the following options in the `packetbeat.interfaces` section
|
|||
|
of the +{beatname_lc}.yml+ config file. Here is an example configuration:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: any
|
|||
|
packetbeat.interfaces.snaplen: 1514
|
|||
|
packetbeat.interfaces.type: af_packet
|
|||
|
packetbeat.interfaces.buffer_size_mb: 100
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
[float]
|
|||
|
==== `device`
|
|||
|
|
|||
|
The network device to capture traffic from. The specified device is set automatically to promiscuous mode,
|
|||
|
meaning that Packetbeat can capture traffic from other hosts on the same LAN.
|
|||
|
|
|||
|
Example:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: eth0
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
On Linux, you can specify `any` for the device, and Packetbeat captures all
|
|||
|
messages sent or received by the server where Packetbeat is installed.
|
|||
|
|
|||
|
NOTE: When you specify `any` for the device, the interfaces are not set
|
|||
|
to promiscuous mode.
|
|||
|
|
|||
|
The `device` option also accepts specifying the device by its index in the list of
|
|||
|
devices available for sniffing. To obtain the list of available devices,
|
|||
|
run Packetbeat with the following command:
|
|||
|
|
|||
|
["source","sh",subs="attributes,callouts"]
|
|||
|
----------------------------------------------------------------------
|
|||
|
packetbeat devices
|
|||
|
----------------------------------------------------------------------
|
|||
|
|
|||
|
This command returns a list that looks something like the following:
|
|||
|
|
|||
|
["source","sh",subs="attributes,callouts"]
|
|||
|
----------------------------------------------------------------------
|
|||
|
0: en0 (No description available)
|
|||
|
1: awdl0 (No description available)
|
|||
|
2: bridge0 (No description available)
|
|||
|
3: fw0 (No description available)
|
|||
|
4: en1 (No description available)
|
|||
|
5: en2 (No description available)
|
|||
|
6: p2p0 (No description available)
|
|||
|
7: en4 (No description available)
|
|||
|
8: lo0 (No description available)
|
|||
|
----------------------------------------------------------------------
|
|||
|
|
|||
|
The following example sets up sniffing on the
|
|||
|
first interface in the list:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: 0
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
Specifying the index is especially useful on Windows where device names can be long.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `snaplen`
|
|||
|
|
|||
|
The maximum size of the packets to capture. The
|
|||
|
default is 65535, which is large enough for almost all networks and interface
|
|||
|
types. If you sniff on a physical network interface, the optimal setting is
|
|||
|
the MTU size. On virtual interfaces, however, it's safer to accept the default value.
|
|||
|
|
|||
|
Example:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: eth0
|
|||
|
packetbeat.interfaces.snaplen: 1514
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
[float]
|
|||
|
==== `type`
|
|||
|
|
|||
|
Packetbeat supports three sniffer types:
|
|||
|
|
|||
|
* `pcap`, which uses the libpcap library and works on most platforms, but
|
|||
|
it's not the fastest option.
|
|||
|
* `af_packet`, which uses memory-mapped sniffing. This option is faster than libpcap
|
|||
|
and doesn't require a kernel module, but it's Linux-specific.
|
|||
|
|
|||
|
The default sniffer type is `pcap`.
|
|||
|
|
|||
|
Here is an example configuration that specifies
|
|||
|
the `af_packet` sniffing type:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: eth0
|
|||
|
packetbeat.interfaces.type: af_packet
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
On Linux, if you are trying to optimize the CPU usage of Packetbeat, we
|
|||
|
recommend trying the `af_packet` option.
|
|||
|
|
|||
|
If you use the `af_packet` sniffer, you can tune its behaviour by specifying the
|
|||
|
following options:
|
|||
|
|
|||
|
[float]
|
|||
|
==== `buffer_size_mb`
|
|||
|
|
|||
|
The maximum size of the shared memory buffer to use
|
|||
|
between the kernel and user space. A bigger buffer usually results in lower CPU
|
|||
|
usage, but consumes more memory. This setting is only available for the
|
|||
|
`af_packet` sniffer type. The default is 30 MB.
|
|||
|
|
|||
|
Example:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: eth0
|
|||
|
packetbeat.interfaces.type: af_packet
|
|||
|
packetbeat.interfaces.buffer_size_mb: 100
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
[float]
|
|||
|
==== `with_vlans`
|
|||
|
|
|||
|
Packetbeat automatically generates a
|
|||
|
https://en.wikipedia.org/wiki/Berkeley_Packet_Filter[BPF] for capturing only
|
|||
|
the traffic on ports where it expects to find known protocols.
|
|||
|
For example, if you have configured port 80 for HTTP and port 3306 for MySQL,
|
|||
|
Packetbeat generates the following BPF filter: `"port 80 or port 3306"`.
|
|||
|
|
|||
|
However, if the traffic contains https://en.wikipedia.org/wiki/IEEE_802.1Q[VLAN]
|
|||
|
tags, the filter that Packetbeat generates is ineffective because the
|
|||
|
offset is moved by four bytes. To fix this, you can enable the `with_vlans` option, which
|
|||
|
generates a BPF filter that looks like this: `"port 80 or port 3306 or (vlan and (port 80 or port 3306))"`.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `bpf_filter`
|
|||
|
|
|||
|
Packetbeat automatically generates a
|
|||
|
https://en.wikipedia.org/wiki/Berkeley_Packet_Filter[BPF] for capturing only
|
|||
|
the traffic on ports where it expects to find known protocols.
|
|||
|
For example, if you have configured port 80 for HTTP and port 3306 for MySQL,
|
|||
|
Packetbeat generates the following BPF filter: `"port 80 or port 3306"`.
|
|||
|
|
|||
|
You can use the `bpf_filter` setting to overwrite the generated BPF filter. For example:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.interfaces.device: eth0
|
|||
|
packetbeat.interfaces.bpf_filter: "net 192.168.238.0/0 and port 80 or port 3306"
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
NOTE: This setting disables automatic generation of the BPF filter. If
|
|||
|
you use this setting, it's your responsibility to keep the BPF filters in sync with the
|
|||
|
ports defined in the `protocols` section.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `ignore_outgoing`
|
|||
|
|
|||
|
If the `ignore_outgoing` option is enabled, Packetbeat ignores all the
|
|||
|
transactions initiated from the server running Packetbeat.
|
|||
|
|
|||
|
This is useful when two Packetbeat instances publish the same transactions. Because one Packetbeat
|
|||
|
sees the transaction in its outgoing queue and the other sees it in its incoming
|
|||
|
queue, you can end up with duplicate transactions. To remove the duplicates, you
|
|||
|
can enable the `packetbeat.ignore_outgoing` option on one of the servers.
|
|||
|
|
|||
|
For example, in the following scenario, you see a 3-server architecture
|
|||
|
where a Beat is installed on each server. t1 is the transaction exchanged between
|
|||
|
Server1 and Server2, and t2 is the transaction between Server2 and Server3.
|
|||
|
|
|||
|
image:./images/option_ignore_outgoing.png[Beats Architecture]
|
|||
|
|
|||
|
By default, each transaction is indexed twice because Beat2
|
|||
|
sees both transactions. So you would see the following published transactions
|
|||
|
(when `ignore_outgoing` is false):
|
|||
|
|
|||
|
- Beat1: t1
|
|||
|
- Beat2: t1 and t2
|
|||
|
- Beat3: t2
|
|||
|
|
|||
|
To avoid duplicates, you can force your Beats to send only the incoming
|
|||
|
transactions and ignore the transactions created by the local server. So you would
|
|||
|
see the following published transactions (when `ignore_outgoing` is true):
|
|||
|
|
|||
|
- Beat1: none
|
|||
|
- Beat2: t1
|
|||
|
- Beat3: t2
|
|||
|
|
|||
|
|
|||
|
[[configuration-flows]]
|
|||
|
== Set up flows to monitor network traffic
|
|||
|
|
|||
|
You can configure Packetbeat to collect and report statistics on network flows.
|
|||
|
A _flow_ is a group of packets sent over the same time period that share
|
|||
|
common properties, such as the same source and destination address and protocol.
|
|||
|
You can use this feature to analyze network traffic over specific protocols on
|
|||
|
your network.
|
|||
|
|
|||
|
For each flow, Packetbeat reports the number of packets and the total number of
|
|||
|
bytes sent from the source to the destination. Each flow event also contains
|
|||
|
information about the source and destination hosts, such as their IP address.
|
|||
|
For bi-directional flows, Packetbeat reports statistics for the reverse flow.
|
|||
|
|
|||
|
Packetbeat collects and reports statistics up to and including the transport
|
|||
|
layer. See <<exported-fields-flows_event>> for more info about the exported
|
|||
|
data.
|
|||
|
|
|||
|
Here's an example of flow events visualized in the Flows dashboard:
|
|||
|
|
|||
|
image:./images/flows.png[]
|
|||
|
|
|||
|
To configure flows, use the `packetbeat.flows` option in the +{beatname_lc}.yml+
|
|||
|
config file. Flows are enabled by default. If this section is missing
|
|||
|
from the configuration file, network flows are disabled.
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
packetbeat.flows:
|
|||
|
timeout: 30s
|
|||
|
period: 10s
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
|
|||
|
Here’s an example of a flow information sent by Packetbeat. See
|
|||
|
<<exported-fields-flows_event>> for a description of each field.
|
|||
|
|
|||
|
["source","json",subs="attributes"]
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
{
|
|||
|
"@timestamp": "2017-05-03T19:42:40.003Z",
|
|||
|
"beat": {
|
|||
|
"hostname": "host.example.com",
|
|||
|
"name": "host.example.com",
|
|||
|
"version": "{stack-version}"
|
|||
|
},
|
|||
|
"connection_id": "AQAAAAAAAAA=",
|
|||
|
"dest": {
|
|||
|
"ip": "192.0.2.0",
|
|||
|
"mac": "fe:ff:20:00:01:00",
|
|||
|
"port": 80,
|
|||
|
"stats": {
|
|||
|
"net_bytes_total": 19236,
|
|||
|
"net_packets_total": 16
|
|||
|
}
|
|||
|
},
|
|||
|
"final": false, <1>
|
|||
|
"flow_id": "EQwA////DP//////FBgBAAEAAAEAAAD+/yAAAQCR/qDtQdDk3ywNUAABAAAAAAAAAA",
|
|||
|
"last_time": "2017-05-03T19:42:24.151Z",
|
|||
|
"source": {
|
|||
|
"ip": "203.0.113.0",
|
|||
|
"mac": "00:00:01:00:00:00",
|
|||
|
"port": 3372,
|
|||
|
"stats": {
|
|||
|
"net_bytes_total": 1243,
|
|||
|
"net_packets_total": 14
|
|||
|
}
|
|||
|
},
|
|||
|
"start_time": "2017-05-03T19:42:24.151Z",
|
|||
|
"transport": "tcp",
|
|||
|
"type": "flow"
|
|||
|
}
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
|
|||
|
<1> Packetbeat sets the `final` flag to `false` to indicate that the event
|
|||
|
contains an intermediate report about a flow that it's tracking. When the flow
|
|||
|
completes, Packetbeat sends one last event with `final` set to `true`. If you
|
|||
|
want to aggregate sums of traffic, you need to filter on `final:true`, or use
|
|||
|
some other technique, so that you get only the latest update from each flow.
|
|||
|
You can disable intermediate reports by setting `period: -1s`.
|
|||
|
|
|||
|
[float]
|
|||
|
=== Configuration options
|
|||
|
|
|||
|
You can specify the following options in the `packetbeat.flows` section of
|
|||
|
the +{beatname_lc}.yml+ config file:
|
|||
|
|
|||
|
[float]
|
|||
|
==== `enabled`
|
|||
|
|
|||
|
Enables flows support if set to true. Set to false to disable network flows
|
|||
|
support without having to delete or comment out the flows section. The default
|
|||
|
value is true.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `timeout`
|
|||
|
|
|||
|
Timeout configures the lifetime of a flow. If no packets have been received for
|
|||
|
a flow within the timeout time window, the flow is killed and reported. The
|
|||
|
default value is 30s.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `period`
|
|||
|
|
|||
|
Configure the reporting interval. All flows are reported at the very same point
|
|||
|
in time. Periodical reporting can be disabled by setting the value to -1. If
|
|||
|
disabled, flows are still reported once being timed out. The default value is
|
|||
|
10s.
|
|||
|
|
|||
|
[float]
|
|||
|
[[packetbeat-configuration-flows-fields]]
|
|||
|
==== `fields`
|
|||
|
|
|||
|
Optional fields that you can specify to add additional information to the
|
|||
|
output. For example, you might add fields that you can use for filtering log
|
|||
|
data. Fields can be scalar values, arrays, dictionaries, or any nested
|
|||
|
combination of these. By default, the fields that you specify here will be
|
|||
|
grouped under a `fields` sub-dictionary in the output document. To store the
|
|||
|
custom fields as top-level fields, set the `fields_under_root` option to true.
|
|||
|
If a duplicate field is declared in the general configuration, then its value
|
|||
|
will be overwritten by the value declared here.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `fields_under_root`
|
|||
|
|
|||
|
If this option is set to true, the custom <<packetbeat-configuration-flows-fields,fields>>
|
|||
|
are stored as top-level fields in the output document instead of being grouped
|
|||
|
under a `fields` sub-dictionary. If the custom field names conflict with other
|
|||
|
field names added by Packetbeat, then the custom fields overwrite the other
|
|||
|
fields.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `tags`
|
|||
|
|
|||
|
A list of tags that will be sent with the protocol event. This setting is optional.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `processors`
|
|||
|
|
|||
|
A list of processors to apply to the data generated by the protocol.
|
|||
|
|
|||
|
See <<filtering-and-enhancing-data>> for information about specifying
|
|||
|
processors in your config.
|
|||
|
|
|||
|
|
|||
|
[[configuration-protocols]]
|
|||
|
== Specify which transaction protocols to monitor
|
|||
|
|
|||
|
The `packetbeat.protocols` section of the +{beatname_lc}.yml+ config file
|
|||
|
contains configuration options for each supported protocol, including common
|
|||
|
options like `enabled`, `ports`, `send_request`, `send_response`, and options
|
|||
|
that are protocol-specific.
|
|||
|
|
|||
|
Currently, Packetbeat supports the following protocols:
|
|||
|
|
|||
|
include::./shared-protocol-list.asciidoc[]
|
|||
|
|
|||
|
Example configuration:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
|
|||
|
- type: icmp
|
|||
|
enabled: true
|
|||
|
|
|||
|
- type: dhcpv4
|
|||
|
ports: [67, 68]
|
|||
|
|
|||
|
- type: dns
|
|||
|
ports: [53]
|
|||
|
|
|||
|
- type: http
|
|||
|
ports: [80, 8080, 8000, 5000, 8002]
|
|||
|
|
|||
|
- type: amqp
|
|||
|
ports: [5672]
|
|||
|
|
|||
|
- type: cassandra
|
|||
|
ports: [9042]
|
|||
|
|
|||
|
- type: memcache
|
|||
|
ports: [11211]
|
|||
|
|
|||
|
- type: mysql
|
|||
|
ports: [3306]
|
|||
|
|
|||
|
- type: redis
|
|||
|
ports: [6379]
|
|||
|
|
|||
|
- type: pgsql
|
|||
|
ports: [5432]
|
|||
|
|
|||
|
- type: thrift
|
|||
|
ports: [9090]
|
|||
|
|
|||
|
- type: tls
|
|||
|
ports: [443]
|
|||
|
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
[[common-protocol-options]]
|
|||
|
=== Common protocol options
|
|||
|
|
|||
|
The following options are available for all protocols:
|
|||
|
|
|||
|
[float]
|
|||
|
==== `enabled`
|
|||
|
|
|||
|
The enabled setting is a boolean setting to enable or disable protocols without having to comment out configuration sections. If set to false, the protocol is disabled.
|
|||
|
|
|||
|
The default value is true.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `ports`
|
|||
|
|
|||
|
Exception: For ICMP the option `enabled` has to be used instead.
|
|||
|
|
|||
|
The ports where Packetbeat will look to capture traffic for specific
|
|||
|
protocols. Packetbeat installs a https://en.wikipedia.org/wiki/Berkeley_Packet_Filter[BPF]
|
|||
|
filter based on the ports specified in this section.
|
|||
|
If a packet doesn't match the filter, very little CPU is required to discard
|
|||
|
the packet. Packetbeat also uses the ports specified here to determine which
|
|||
|
parser to use for each packet.
|
|||
|
|
|||
|
[float]
|
|||
|
[[send-request-option]]
|
|||
|
==== `send_request`
|
|||
|
|
|||
|
If this option is enabled, the raw message of the request (`request` field) is
|
|||
|
sent to Elasticsearch. The default is false. This option is useful when you want to
|
|||
|
index the whole request. Note that for HTTP, the body is not included by
|
|||
|
default, only the HTTP headers.
|
|||
|
|
|||
|
[float]
|
|||
|
[[send-response-option]]
|
|||
|
==== `send_response`
|
|||
|
|
|||
|
If this option is enabled, the raw message of the response (`response` field)
|
|||
|
is sent to Elasticsearch. The default is false. This option is useful when you
|
|||
|
want to index the whole response. Note that for HTTP, the body is not included
|
|||
|
by default, only the HTTP headers.
|
|||
|
|
|||
|
[float]
|
|||
|
[[transaction-timeout-option]]
|
|||
|
==== `transaction_timeout`
|
|||
|
|
|||
|
The per protocol transaction timeout. Expired transactions will no longer be correlated to incoming responses, but sent to Elasticsearch immediately.
|
|||
|
|
|||
|
[float]
|
|||
|
[[packetbeat-configuration-fields]]
|
|||
|
==== `fields`
|
|||
|
|
|||
|
Optional fields that you can specify to add additional information to the
|
|||
|
output. For example, you might add fields that you can use for filtering log
|
|||
|
data. Fields can be scalar values, arrays, dictionaries, or any nested
|
|||
|
combination of these. By default, the fields that you specify here will be
|
|||
|
grouped under a `fields` sub-dictionary in the output document. To store the
|
|||
|
custom fields as top-level fields, set the `fields_under_root` option to true.
|
|||
|
If a duplicate field is declared in the general configuration, then its value
|
|||
|
will be overwritten by the value declared here.
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: http
|
|||
|
ports: [80]
|
|||
|
fields:
|
|||
|
service_id: nginx
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
|
|||
|
[float]
|
|||
|
[[packetbeat-fields-under-root]]
|
|||
|
==== `fields_under_root`
|
|||
|
|
|||
|
If this option is set to true, the custom <<packetbeat-configuration-fields,fields>>
|
|||
|
are stored as top-level fields in the output document instead of being grouped
|
|||
|
under a `fields` sub-dictionary. If the custom field names conflict with other
|
|||
|
field names added by Packetbeat, then the custom fields overwrite the other
|
|||
|
fields.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `tags`
|
|||
|
|
|||
|
A list of tags that will be sent with the transaction event. This setting is optional.
|
|||
|
|
|||
|
[float]
|
|||
|
==== `processors`
|
|||
|
|
|||
|
A list of processors to apply to the data generated by the protocol.
|
|||
|
|
|||
|
See <<filtering-and-enhancing-data>> for information about specifying
|
|||
|
processors in your config.
|
|||
|
|
|||
|
[[packetbeat-icmp-options]]
|
|||
|
=== Capture ICMP traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>ICMP</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The `icmp` section of the +{beatname_lc}.yml+ config file specifies options for
|
|||
|
the ICMP protocol. Here is a sample configuration section for ICMP:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
|
|||
|
- type: icmp
|
|||
|
enabled: true
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `enabled`
|
|||
|
|
|||
|
The ICMP protocol can be enabled/disabled via this option. The default is true.
|
|||
|
|
|||
|
If enabled Packetbeat will generate the following BPF filter: `"icmp or icmp6"`.
|
|||
|
|
|||
|
[[packetbeat-dns-options]]
|
|||
|
=== Capture DNS traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>DNS</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The `dns` section of the +{beatname_lc}.yml+ config file specifies configuration options for the DNS protocol. The DNS protocol supports processing DNS messages on TCP and UDP. Here is a sample configuration section for DNS:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: dns
|
|||
|
ports: [53]
|
|||
|
include_authorities: true
|
|||
|
include_additionals: true
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `include_authorities`
|
|||
|
|
|||
|
If this option is enabled, dns.authority fields (authority resource records) are added to DNS events.
|
|||
|
The default is false.
|
|||
|
|
|||
|
===== `include_additionals`
|
|||
|
|
|||
|
If this option is enabled, dns.additionals fields (additional resource records) are added to DNS events.
|
|||
|
The default is false.
|
|||
|
|
|||
|
[[packetbeat-http-options]]
|
|||
|
=== Capture HTTP traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>HTTP</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The HTTP protocol has several specific configuration options. Here is a
|
|||
|
sample configuration for the `http` section of the +{beatname_lc}.yml+ config file:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: http
|
|||
|
ports: [80, 8080, 8000, 5000, 8002]
|
|||
|
hide_keywords: ["pass", "password", "passwd"]
|
|||
|
send_headers: ["User-Agent", "Cookie", "Set-Cookie"]
|
|||
|
split_cookie: true
|
|||
|
real_ip_header: "X-Forwarded-For"
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `hide_keywords`
|
|||
|
|
|||
|
A list of query parameters that Packetbeat will automatically censor in
|
|||
|
the transactions that it saves. The values associated with these parameters are replaced
|
|||
|
by `'xxxxx'`. By default, no changes are made to the HTTP messages.
|
|||
|
|
|||
|
Packetbeat has this option because, unlike SQL traffic, which typically only contains the
|
|||
|
hashes of the passwords, HTTP traffic may contain sensitive data. To reduce security risks,
|
|||
|
you can configure this option to avoid sending the contents of certain HTTP POST
|
|||
|
parameters.
|
|||
|
|
|||
|
WARNING: This option replaces query parameters from GET requests and top-level
|
|||
|
parameters from POST requests. If sensitive data is encoded inside a
|
|||
|
parameter that you don't specify here, Packetbeat cannot censor it. Also, note that if
|
|||
|
you configure Packetbeat to save the raw request and response fields (see the <<send-request-option>>
|
|||
|
and the <<send-response-option>> options), sensitive data may be present in those
|
|||
|
fields.
|
|||
|
|
|||
|
===== `redact_authorization`
|
|||
|
|
|||
|
When this option is enabled, Packetbeat obscures the value of
|
|||
|
`Authorization` and `Proxy-Authorization` HTTP headers, and censors
|
|||
|
those strings in the response.
|
|||
|
|
|||
|
You should set this option to true for transactions that use Basic Authentication because
|
|||
|
they may contain the base64 unencrypted username and password.
|
|||
|
|
|||
|
===== `send_headers`
|
|||
|
|
|||
|
A list of header names to capture and send to Elasticsearch. These
|
|||
|
headers are placed under the `headers` dictionary in the resulting JSON.
|
|||
|
|
|||
|
===== `send_all_headers`
|
|||
|
|
|||
|
Instead of sending a white list of headers to Elasticsearch, you can
|
|||
|
send all headers by setting this option to true. The default is false.
|
|||
|
|
|||
|
===== `include_body_for`
|
|||
|
|
|||
|
The list of content types for which Packetbeat exports the full HTTP payload. The HTTP body is available under
|
|||
|
`http.request.body` and `http.response.body` for these Content-Types.
|
|||
|
|
|||
|
In addition, if <<send-response-option>> option is enabled, then the HTTP body is exported together with the HTTP
|
|||
|
headers under `response` and if
|
|||
|
<<send-request-option>> enabled, then `request` contains the entire HTTP message including the body.
|
|||
|
|
|||
|
In the following example, the HTML attachments of the HTTP responses are exported under the `response` field and under
|
|||
|
`http.request.body` or `http.response.body`:
|
|||
|
|
|||
|
[source,yml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: http
|
|||
|
ports: [80, 8080]
|
|||
|
send_response: true
|
|||
|
include_body_for: ["text/html"]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
===== `split_cookie`
|
|||
|
|
|||
|
If the `Cookie` or `Set-Cookie` headers are sent, this option controls whether
|
|||
|
they are split into individual values. For example, with this option set, an
|
|||
|
HTTP response might result in the following JSON:
|
|||
|
|
|||
|
[source,json]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
"response": {
|
|||
|
"code": 200,
|
|||
|
"headers": {
|
|||
|
"connection": "close",
|
|||
|
"content-language": "en",
|
|||
|
"content-type": "text/html; charset=utf-8",
|
|||
|
"date": "Fri, 21 Nov 2014 17:07:34 GMT",
|
|||
|
"server": "gunicorn/19.1.1",
|
|||
|
"set-cookie": { <1>
|
|||
|
"csrftoken": "S9ZuJF8mvIMT5CL4T1Xqn32wkA6ZSeyf",
|
|||
|
"expires": "Fri, 20-Nov-2015 17:07:34 GMT",
|
|||
|
"max-age": "31449600",
|
|||
|
"path": "/"
|
|||
|
},
|
|||
|
"vary": "Cookie, Accept-Language"
|
|||
|
},
|
|||
|
"phrase": "OK"
|
|||
|
}
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
<1> Note that `set-cookie` is a map containing the cookie names as keys.
|
|||
|
|
|||
|
The default is false.
|
|||
|
|
|||
|
===== `real_ip_header`
|
|||
|
|
|||
|
The header field to extract the real IP from. This setting is useful when
|
|||
|
you want to capture traffic behind a reverse proxy, but you want to get the geo-location
|
|||
|
information. If this header is present and contains a valid IP addresses, the
|
|||
|
information is used for the `real_ip` field.
|
|||
|
|
|||
|
===== `max_message_size`
|
|||
|
|
|||
|
If an individual HTTP message is larger than this setting (in bytes), it will be trimmed
|
|||
|
to this size. Unless this value is very small (<1.5K), Packetbeat is able to still correctly
|
|||
|
follow the transaction and create an event for it. The default is 10485760 (10 MB).
|
|||
|
|
|||
|
[[packetbeat-amqp-options]]
|
|||
|
=== Capture AMQP traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>AMQP</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The `amqp` section of the +{beatname_lc}.yml+ config file specifies configuration options for the AMQP 0.9.1
|
|||
|
protocol. Here is a sample configuration:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: amqp
|
|||
|
ports: [5672]
|
|||
|
max_body_length: 1000
|
|||
|
parse_headers: true
|
|||
|
parse_arguments: false
|
|||
|
hide_connection_information: true
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `max_body_length`
|
|||
|
|
|||
|
The maximum size in bytes of the message displayed in the request or response fields.
|
|||
|
Messages that are bigger than the specified size are truncated. Use this option to
|
|||
|
avoid publishing huge messages when <<send-request-option>> or <<send-request-option>>
|
|||
|
is enabled. The default is 1000 bytes.
|
|||
|
|
|||
|
===== `parse_headers`
|
|||
|
|
|||
|
If set to true, Packetbeat parses the additional arguments specified in the headers field
|
|||
|
of a message. Those arguments are key-value pairs that specify information such as the
|
|||
|
content type of the message or the message priority. The default is true.
|
|||
|
|
|||
|
===== `parse_arguments`
|
|||
|
|
|||
|
If set to true, Packetbeat parses the additional arguments specified in AMQP methods.
|
|||
|
Those arguments are key-value pairs specified by the user and can be of any length.
|
|||
|
The default is true.
|
|||
|
|
|||
|
===== `hide_connection_information`
|
|||
|
|
|||
|
If set to false, the connection layer methods of the protocol are also
|
|||
|
displayed, such as the opening and closing of connections and channels by clients,
|
|||
|
or the quality of service negotiation. The default is true.
|
|||
|
|
|||
|
|
|||
|
[[configuration-cassandra]]
|
|||
|
=== Capture Cassandra traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>Cassandra</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The following settings are specific to the Cassandra protocol. Here is a sample
|
|||
|
configuration for the `cassandra` section of the +{beatname_lc}.yml+ config file:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: cassandra
|
|||
|
send_request_header: true
|
|||
|
send_response_header: true
|
|||
|
compressor: "snappy"
|
|||
|
ignored_ops: ["SUPPORTED","OPTIONS"]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `send_request_header`
|
|||
|
|
|||
|
If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
|
|||
|
is sent to Elasticsearch. The default is true. enable `send_request` first before enable this option.
|
|||
|
|
|||
|
===== `send_response_header`
|
|||
|
|
|||
|
If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
|
|||
|
is included in published events. The default is true. enable `send_response` first before enable this option.
|
|||
|
|
|||
|
===== `ignored_ops`
|
|||
|
|
|||
|
This option indicates which Operator/Operators captured will be ignored. currently support:
|
|||
|
`ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE` ,`OPTIONS` ,`SUPPORTED` ,
|
|||
|
`QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE` ,`REGISTER` ,`EVENT` ,
|
|||
|
`BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE` ,`AUTH_SUCCESS` .
|
|||
|
|
|||
|
===== `compressor`
|
|||
|
|
|||
|
Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured.
|
|||
|
By default no compressor is configured.
|
|||
|
|
|||
|
[[packetbeat-memcache-options]]
|
|||
|
=== Capture Memcache traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>Memcache</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The `memcache` section of the +{beatname_lc}.yml+ config file specifies configuration options for the memcache
|
|||
|
protocol. Here is a sample configuration section for memcache:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: memcache
|
|||
|
ports: [11211]
|
|||
|
parseunknown: false
|
|||
|
maxvalues: 0
|
|||
|
maxbytespervalue: 100
|
|||
|
transaction_timeout: 200
|
|||
|
udptransactiontimeout: 200
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `parseunknown`
|
|||
|
|
|||
|
When this option is enabled, it forces the memcache text protocol parser to accept unknown commands.
|
|||
|
|
|||
|
NOTE: The unknown commands MUST NOT contain a data part.
|
|||
|
|
|||
|
===== `maxvalues`
|
|||
|
|
|||
|
The maximum number of values to store in the message (multi-get).
|
|||
|
All values will be base64 encoded.
|
|||
|
|
|||
|
The possible settings for this option are:
|
|||
|
|
|||
|
* `maxvalue: -1`, which stores all values (text based protocol multi-get)
|
|||
|
* `maxvalue: 0`, which stores no values (default)
|
|||
|
* `maxvalue: N`, which stores up to N values
|
|||
|
|
|||
|
===== `maxbytespervalue`
|
|||
|
|
|||
|
The maximum number of bytes to be copied for each value element.
|
|||
|
|
|||
|
NOTE: Values will be base64 encoded, so the actual size in the JSON document will be 4 times the value that
|
|||
|
you specify for `maxbytespervalue`.
|
|||
|
|
|||
|
===== `udptransactiontimeout`
|
|||
|
|
|||
|
The transaction timeout in milliseconds. The defaults is 10000 milliseconds.
|
|||
|
|
|||
|
NOTE: Quiet messages in UDP binary protocol get responses only if there is an error.
|
|||
|
The memcache protocol analyzer will wait for the number of milliseconds specified by
|
|||
|
`udptransactiontimeout` before publishing quiet messages. Non-quiet messages or
|
|||
|
quiet requests with an error response are published immediately.
|
|||
|
|
|||
|
[[packetbeat-mysql-pgsql-options]]
|
|||
|
=== Capture MySQL and PgSQL traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>MySQL and PgSQL</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The `mysql` and `pgsql` sections of the +{beatname_lc}.yml+ config file specify configuration options for the MySQL
|
|||
|
and PgSQL protocols.
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
|
|||
|
- type: mysql
|
|||
|
ports: [3306]
|
|||
|
|
|||
|
- type: pgsql
|
|||
|
ports: [5432]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `max_rows`
|
|||
|
|
|||
|
The maximum number of rows from the SQL message to publish to Elasticsearch. The
|
|||
|
default is 10 rows.
|
|||
|
|
|||
|
|
|||
|
===== `max_row_length`
|
|||
|
|
|||
|
The maximum length in bytes of a row from the SQL message to publish to
|
|||
|
Elasticsearch. The default is 1024 bytes.
|
|||
|
|
|||
|
[[configuration-thrift]]
|
|||
|
=== Capture Thrift traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>Thrift</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
https://thrift.apache.org/[Apache Thrift] is a communication protocol and RPC
|
|||
|
framework initially created at Facebook. It is sometimes used in
|
|||
|
http://martinfowler.com/articles/microservices.html[microservices]
|
|||
|
architectures because it provides better performance when compared to the more
|
|||
|
obvious HTTP/RESTful API choice, while still supporting a wide range of
|
|||
|
programming languages and frameworks.
|
|||
|
|
|||
|
Packetbeat works based on a copy of the traffic, which means that you get
|
|||
|
performance management features without having to modify your services in
|
|||
|
any way and without any latency overhead. Packetbeat captures the transactions from the
|
|||
|
network and indexes them in Elasticsearch so that they can be analyzed and
|
|||
|
searched.
|
|||
|
|
|||
|
Packetbeat indexes the method, parameters, return value, and
|
|||
|
exceptions of each Thrift-RPC call. You can search by and create statistics
|
|||
|
based on any of these fields. Packetbeat automatically fills in the `status`
|
|||
|
column with either `OK` or `Error`, so it's easy to find the problematic RPC calls.
|
|||
|
A transaction is put into the `Error` state if it returned an exception.
|
|||
|
|
|||
|
Packetbeat also indexes the `responsetime` field so you can get performance
|
|||
|
analytics and find the slow RPC calls.
|
|||
|
|
|||
|
Here is an example performance dashboard:
|
|||
|
|
|||
|
image:./images/thrift-dashboard.png[Thrift-RPC dashboard]
|
|||
|
|
|||
|
|
|||
|
Thrift supports multiple http://en.wikipedia.org/wiki/Apache_Thrift[transport
|
|||
|
and protocol types]. Currently Packetbeat supports the default `TSocket`
|
|||
|
transport as well as the `TFramed` transport. From the protocol point of view,
|
|||
|
Packetbeat currently supports only the default `TBinary` protocol.
|
|||
|
|
|||
|
Packetbeat also has several configuration options that allow you to get
|
|||
|
the right balance between visibility, disk usage, and data protection. You can,
|
|||
|
for example, choose to obfuscate all strings or to store the requests but not
|
|||
|
the responses, while still capturing the response time for each of the RPC
|
|||
|
calls. You can also choose to limit the size of strings and lists to a given
|
|||
|
number of elements, so you can fine tune how much data you want to have stored in
|
|||
|
Elasticsearch.
|
|||
|
|
|||
|
The Thrift protocol has several specific configuration options. Here is an
|
|||
|
example configuration section for the Thrift protocol in the
|
|||
|
+{beatname_lc}.yml+ config file:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: thrift
|
|||
|
transport_type: socket
|
|||
|
protocol_type: binary
|
|||
|
idl_files: ["tutorial.thrift", "shared.thrift"]
|
|||
|
string_max_size: 200
|
|||
|
collection_max_size: 20
|
|||
|
capture_reply: true
|
|||
|
obfuscate_strings: true
|
|||
|
drop_after_n_struct_fields: 100
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
Providing the Thrift IDL files to Packetbeat is optional. The binary
|
|||
|
Thrift messages include the called method name and enough structural information
|
|||
|
to decode the messages without needing the IDL files. However, if you
|
|||
|
provide the IDL files, Packetbeat can also resolve the service name,
|
|||
|
arguments, and exception names.
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `transport_type`
|
|||
|
|
|||
|
The Thrift transport type. Currently this option accepts the values `socket`
|
|||
|
for TSocket, which is the default Thrift transport, and `framed` for the TFramed Thrift
|
|||
|
transport. The default is `socket`.
|
|||
|
|
|||
|
===== `protocol_type`
|
|||
|
|
|||
|
The Thrift protocol type. Currently the only accepted value is `binary` for
|
|||
|
the TBinary protocol, which is the default Thrift protocol.
|
|||
|
|
|||
|
===== `idl_files`
|
|||
|
|
|||
|
The Thrift interface description language (IDL) files for the service that
|
|||
|
Packetbeat is monitoring. Providing the IDL files is optional, because the Thrift
|
|||
|
messages contain enough information to decode them without having the IDL
|
|||
|
files. However, providing the IDL enables Packetbeat to include parameter and
|
|||
|
exception names.
|
|||
|
|
|||
|
===== `string_max_size`
|
|||
|
|
|||
|
The maximum length for strings in parameters or return values. If a string is longer than
|
|||
|
this value, the string is automatically truncated to this length. Packetbeat adds dots
|
|||
|
at the end of the string to mark that it was truncated. The default is 200.
|
|||
|
|
|||
|
===== `collection_max_size`
|
|||
|
|
|||
|
The maximum number of elements in a Thrift list, set, map, or structure. If a collection
|
|||
|
has more elements than this value, Packetbeat captures only the
|
|||
|
specified number of elements. Packetbeat adds a fictive last element `...` to the end
|
|||
|
of the collection to mark that it was truncated. The default is 15.
|
|||
|
|
|||
|
===== `capture_reply`
|
|||
|
|
|||
|
If this option is set to false, Packetbeat decodes the method name from
|
|||
|
the reply and simply skips the rest of the response message. This setting can be useful
|
|||
|
for performance, disk usage, or data retention reasons. The default is true.
|
|||
|
|
|||
|
===== `obfuscate_strings`
|
|||
|
|
|||
|
If this option is set to true, Packetbeat replaces all strings found in method parameters,
|
|||
|
return codes, or exception structures with the `"*"` string.
|
|||
|
|
|||
|
===== `drop_after_n_struct_fields`
|
|||
|
|
|||
|
The maximum number of fields that a structure can have before Packetbeat
|
|||
|
ignores the whole transaction. This is a memory protection mechanism (so that
|
|||
|
Packetbeat's memory doesn't grow indefinitely), so you would typically set this
|
|||
|
to a relatively high value. The default is 500.
|
|||
|
|
|||
|
|
|||
|
[[configuration-mongodb]]
|
|||
|
=== Capture MongoDB traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>MongoDB</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
The following settings are specific to the MongoDB protocol. Here is a sample
|
|||
|
configuration for the `mongodb` section of the +{beatname_lc}.yml+ config file:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: mongodb
|
|||
|
send_request: true
|
|||
|
send_response: true
|
|||
|
max_docs: 0
|
|||
|
max_doc_length: 0
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
The `max_docs` and `max_doc_length` settings are useful for limiting the amount
|
|||
|
of data Packetbeat indexes in the `response` fields.
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `max_docs`
|
|||
|
|
|||
|
The maximum number of documents from the response to index in the `response` field. The
|
|||
|
default is 10. You can set this to 0 to index an unlimited number of documents.
|
|||
|
|
|||
|
Packetbeat adds a `[...]` line at the end to signify that there were additional documents
|
|||
|
that weren't saved because of this setting.
|
|||
|
|
|||
|
===== `max_doc_length`
|
|||
|
|
|||
|
The maximum number of characters in a single document indexed in the `response`
|
|||
|
field. The default is 5000. You can set this to 0 to index an unlimited number
|
|||
|
of characters per document.
|
|||
|
|
|||
|
If the document is trimmed because of this setting, Packetbeat adds the string `...`
|
|||
|
at the end of the document.
|
|||
|
|
|||
|
Note that limiting documents in this way means that they are no longer correctly
|
|||
|
formatted JSON objects.
|
|||
|
|
|||
|
[[configuration-tls]]
|
|||
|
=== Capture TLS traffic
|
|||
|
|
|||
|
++++
|
|||
|
<titleabbrev>TLS</titleabbrev>
|
|||
|
++++
|
|||
|
|
|||
|
TLS is a cryptographic protocol that provides secure communications on top of
|
|||
|
an existing application protocol, like HTTP or MySQL.
|
|||
|
|
|||
|
Packetbeat intercepts the initial handshake in a TLS connection and extracts
|
|||
|
useful information which helps an operator to diagnose problems as well as
|
|||
|
strengthen the security of his or her network and systems. It does not
|
|||
|
decrypt any information from the encapsulated protocol nor does it reveal any
|
|||
|
sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 and
|
|||
|
SSL 3.0 are supported.
|
|||
|
|
|||
|
It works by intercepting the client and server "hello" messages, which contain
|
|||
|
the negotiated parameters for the connection such as cryptographic ciphers and
|
|||
|
protocol versions. It can also intercept TLS alerts, which are sent by one
|
|||
|
of the parties to signal a problem with the negotiation, such as an expired
|
|||
|
certificate or a cryptographic error.
|
|||
|
|
|||
|
An example of indexed event:
|
|||
|
|
|||
|
[source,json]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
"tls": {
|
|||
|
"handshake_completed": true,
|
|||
|
"server_certificate": {
|
|||
|
"version": 3,
|
|||
|
"issuer": {
|
|||
|
"organization": "GlobalSign nv-sa",
|
|||
|
"common_name": "GlobalSign CloudSSL CA - SHA256 - G3",
|
|||
|
"country": "BE"
|
|||
|
},
|
|||
|
"subject": {
|
|||
|
"organization": "Fastly, Inc.",
|
|||
|
"locality": "San Francisco",
|
|||
|
"province": "California",
|
|||
|
"common_name": "r2.shared.global.fastly.net",
|
|||
|
"country": "US"
|
|||
|
},
|
|||
|
"not_before": "2017-11-30T16:52:06.000Z",
|
|||
|
"not_after": "2018-11-09T20:51:05.000Z",
|
|||
|
"alternative_names": [
|
|||
|
"elastic.co"
|
|||
|
],
|
|||
|
"serial_number": "19260053873395556258503998518",
|
|||
|
"signature_algorithm": "SHA256-RSA",
|
|||
|
"public_key_algorithm": "RSA"
|
|||
|
},
|
|||
|
"server_certificate_chain": [
|
|||
|
{
|
|||
|
"not_after": "2025-08-19T00:00:00.000Z",
|
|||
|
"version": 3,
|
|||
|
"serial_number": "1438827024893517455116777811697460",
|
|||
|
"signature_algorithm": "SHA256-RSA",
|
|||
|
"public_key_algorithm": "RSA",
|
|||
|
"not_before": "2015-08-19T00:00:00.000Z",
|
|||
|
"issuer": {
|
|||
|
"organizational_unit": "Root CA",
|
|||
|
"common_name": "GlobalSign Root CA",
|
|||
|
"country": "BE",
|
|||
|
"organization": "GlobalSign nv-sa"
|
|||
|
},
|
|||
|
"subject": {
|
|||
|
"country": "BE",
|
|||
|
"organization": "GlobalSign nv-sa",
|
|||
|
"common_name": "GlobalSign CloudSSL CA - SHA256 - G3"
|
|||
|
}
|
|||
|
}
|
|||
|
],
|
|||
|
"resumed": false,
|
|||
|
"client_hello": {
|
|||
|
"extensions": {
|
|||
|
"server_name_indication": [
|
|||
|
"www.elastic.co"
|
|||
|
],
|
|||
|
"supported_groups": [
|
|||
|
"secp256r1",
|
|||
|
"secp384r1",
|
|||
|
"secp521r1"
|
|||
|
],
|
|||
|
"ec_points_formats": [
|
|||
|
"uncompressed"
|
|||
|
],
|
|||
|
"signature_algorithms": [
|
|||
|
"rsa_pkcs1_sha256",
|
|||
|
"rsa_pkcs1_sha1",
|
|||
|
[...]
|
|||
|
],
|
|||
|
"application_layer_protocol_negotiation": [
|
|||
|
"h2",
|
|||
|
"h2-16",
|
|||
|
[...]
|
|||
|
],
|
|||
|
},
|
|||
|
"version": "3.3",
|
|||
|
"supported_ciphers": [
|
|||
|
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
|
|||
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|||
|
[...]
|
|||
|
],
|
|||
|
"supported_compression_methods": [
|
|||
|
"NULL"
|
|||
|
]
|
|||
|
},
|
|||
|
"server_hello": {
|
|||
|
"extensions": {
|
|||
|
"ec_points_formats": [
|
|||
|
"uncompressed",
|
|||
|
"ansiX962_compressed_prime",
|
|||
|
"ansiX962_compressed_char2"
|
|||
|
],
|
|||
|
"application_layer_protocol_negotiation": [
|
|||
|
"h2"
|
|||
|
],
|
|||
|
},
|
|||
|
"version": "3.3",
|
|||
|
"selected_cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|||
|
"selected_compression_method": "NULL"
|
|||
|
},
|
|||
|
}
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
The `client_hello` contains the algorithms and extensions supported by the
|
|||
|
client, as well as the maximum TLS version it supports (3.3).
|
|||
|
|
|||
|
The `server_hello` contains the final settings for the TLS session: The
|
|||
|
selected cipher, compression method, TLS version to use and other extensions
|
|||
|
such as application layer protocol negotiation (ALPN).
|
|||
|
|
|||
|
The `resumed` key indicates if the session has been resumed (`true`) or
|
|||
|
a full handshake has been performed (`false`). When true, an additional field
|
|||
|
is present: `resumption_method` which is `id` if the session has been
|
|||
|
resumed using session IDs (stateful) or `ticket` if it has resumed using
|
|||
|
session tickets (stateless).
|
|||
|
|
|||
|
See the <<exported-fields-tls>> section for more detailed information.
|
|||
|
|
|||
|
The following settings are specific to the TLS protocol. Here is a sample
|
|||
|
configuration for the `tls` section of the +{beatname_lc}.yml+ config file:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.protocols:
|
|||
|
- type: tls
|
|||
|
send_certificates: true
|
|||
|
include_raw_certificates: true
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
==== Configuration options
|
|||
|
|
|||
|
The `send_certificates` and `include_raw_certificates` settings are useful
|
|||
|
for limiting the amount of data Packetbeat indexes, as multiple certificates
|
|||
|
are usually exchanged in a single transaction, and those can take a considerable
|
|||
|
amount of storage.
|
|||
|
|
|||
|
Also see <<common-protocol-options>>.
|
|||
|
|
|||
|
===== `send_certificates`
|
|||
|
|
|||
|
This setting causes the certificates presented by the client and server to be
|
|||
|
included in the event. The server's certificate is indexed in the
|
|||
|
`server_certificate` field and its certification chain in the
|
|||
|
`server_certificate_chain` field. For the client, the
|
|||
|
`client_certificate` and `client_certificate_chain` fields are used.
|
|||
|
|
|||
|
The default is true.
|
|||
|
|
|||
|
===== `include_raw_certificates`
|
|||
|
|
|||
|
When `send_certificates` is true, you can set `include_raw_certificates` to
|
|||
|
include the raw certificate encoded in PEM format as a `raw` field.
|
|||
|
|
|||
|
If `send_certificates` is false, this setting is ignored. The default is false.
|
|||
|
|
|||
|
[[configuration-processes]]
|
|||
|
== Specify which processes to monitor
|
|||
|
|
|||
|
This section of the +{beatname_lc}.yml+ config file is optional, but configuring
|
|||
|
the processes enables Packetbeat to show you not only the servers that the
|
|||
|
traffic is flowing between, but also the processes. Packetbeat can even show you
|
|||
|
the traffic between two processes running on the same host, which is particularly
|
|||
|
useful when you have many services running on the same server. By default,
|
|||
|
process matching is disabled.
|
|||
|
|
|||
|
When Packetbeat starts, and then periodically afterwards, it scans the process table for
|
|||
|
processes that match the configuration file. For each of these processes, it
|
|||
|
monitors which file descriptors it has opened. When a new packet is captured,
|
|||
|
it reads the list of active TCP and UDP connections and matches the corresponding one
|
|||
|
with the list of file descriptors.
|
|||
|
|
|||
|
All this information is available via system interfaces: The `/proc` file system
|
|||
|
in Linux and the IP Helper API (`iphlpapi.dll`) on Windows, so {beatname_uc}
|
|||
|
doesn't need a kernel module.
|
|||
|
|
|||
|
NOTE: Process monitoring is currently only supported on
|
|||
|
Linux and Windows systems. Packetbeat automatically disables
|
|||
|
process monitoring when it detects other operating systems.
|
|||
|
|
|||
|
Example configuration:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
------------------------------------------------------------------------------
|
|||
|
packetbeat.procs:
|
|||
|
enabled: true
|
|||
|
monitored:
|
|||
|
- process: mysqld
|
|||
|
cmdline_grep: mysqld
|
|||
|
|
|||
|
- process: pgsql
|
|||
|
cmdline_grep: postgres
|
|||
|
|
|||
|
- process: nginx
|
|||
|
cmdline_grep: nginx
|
|||
|
|
|||
|
- process: app
|
|||
|
cmdline_grep: gunicorn
|
|||
|
------------------------------------------------------------------------------
|
|||
|
|
|||
|
When the process monitor is enabled, it will enrich all the events whose source
|
|||
|
or destination is a local process. The `cmdline` and/or `client_cmdline` fields
|
|||
|
will be added to an event, when the server side or client side of the connection
|
|||
|
belong to a local process, respectively. Additionally, you can specify a pattern
|
|||
|
using the `cmdline_grep` option, to also name those processes. This will cause
|
|||
|
the `proc` and `client_proc` fields to be added to an event, with the name of
|
|||
|
the matched process.
|
|||
|
|
|||
|
[float]
|
|||
|
=== Configuration options
|
|||
|
|
|||
|
You can specify the following process monitoring options in the `monitored` section
|
|||
|
of the +{beatname_lc}.yml+ config file:
|
|||
|
|
|||
|
[float]
|
|||
|
==== `process`
|
|||
|
|
|||
|
The name of the process as it will appear in the published transactions. The name
|
|||
|
doesn't have to match the name of the executable, so feel free to choose something
|
|||
|
more descriptive (for example, "myapp" instead of "gunicorn").
|
|||
|
|
|||
|
[float]
|
|||
|
==== `cmdline_grep`
|
|||
|
|
|||
|
The name used to identify the process at run time. When Packetbeat starts, and then
|
|||
|
periodically afterwards, it scans the process table for
|
|||
|
processes that match the values specified for this option. The match is done against the
|
|||
|
process' command line as read from `/proc/<pid>/cmdline`.
|
|||
|
|
|||
|
|
|||
|
[float]
|
|||
|
[[shutdown-timeout]]
|
|||
|
==== `shutdown_timeout`
|
|||
|
|
|||
|
How long Packetbeat waits on shutdown. By default, this option is disabled. Packetbeat
|
|||
|
will wait for `shutdown_timeout` and then close. It will not track if all events were sent
|
|||
|
previously.
|
|||
|
|
|||
|
Example configuration:
|
|||
|
|
|||
|
[source,yaml]
|
|||
|
-------------------------------------------------------------------------------------
|
|||
|
packetbeat.shutdown_timeout: 5s
|
|||
|
-------------------------------------------------------------------------------------
|