Introduction
Packetbeat is an open-source real-time network packet capture and analysis framework with built-in capture and parsing for many common protocols, such as HTTP, MySQL and Redis. In practice it is usually deployed together with Elasticsearch and Kibana, which provide search, analysis and visualisation of the captured data.
The protocols currently supported by Packetbeat are:
ICMP (v4 and v6), DNS, HTTP, MySQL, PostgreSQL, Redis, Thrift-RPC, MongoDB, Memcache
Packetbeat can run either on the application server itself or on a dedicated server. When it runs on a dedicated server, it has to receive the network traffic from a switch mirror (SPAN) port or from a network tap device.
Installation
Check the system environment
Download and install the rpm package
rpm -vih packetbeat-6.6.2-x86_64.rpm
Edit the configuration file
/etc/packetbeat/packetbeat.yml
packetbeat.interfaces.device: eth0
packetbeat.flows:
  timeout: 30s
  period: 10s
packetbeat.protocols:
- type: icmp
  enabled: true
- type: amqp
  ports: [5672]
- type: cassandra
  ports: [9042]
- type: dhcpv4
  ports: [67, 68]
- type: dns
  ports: [53]
  include_authorities: true
  include_additionals: true
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: memcache
  ports: [11211]
- type: mysql
  ports: [3306]
- type: pgsql
  ports: [5432]
- type: redis
  ports: [6379]
- type: thrift
  ports: [9090]
- type: mongodb
  ports: [27017]
- type: nfs
  ports: [2049]
- type: tls
  ports: [443]
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
  host: "172.16.90.24:5601"
output.elasticsearch:
  hosts: ["172.16.90.24:9200"]
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
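As an added check before loading dashboards (an example script written for this page, not code from the page or from the Packetbeat project): it reads the packetbeat.protocols list out of a packetbeat.yml, reports which parsers and ports are configured, and derives a tcpdump/BPF expression you can run on the mirror-port or tap interface to confirm that the traffic actually reaches the sensor. It assumes that dns and dhcpv4 are the UDP parsers and every other parser with ports is TCP, reads only the `- type:` and `ports:` lines rather than parsing full YAML, and works on a trimmed copy of the configuration above embedded as a constructed sample.

```python
import re

# Constructed sample: the page's packetbeat.yml protocols section, trimmed.
SAMPLE_CONFIG = """\
packetbeat.interfaces.device: eth0
packetbeat.protocols:
- type: icmp
  enabled: true
- type: dns
  ports: [53]
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: mysql
  ports: [3306]
- type: tls
  ports: [443]
output.elasticsearch:
  hosts: ["172.16.90.24:9200"]
"""

UDP_PROTOCOLS = {"dns", "dhcpv4"}  # assumption: decoded over UDP; all other ports are TCP

def parse_protocols(config_text):
    """Return {parser: sorted ports} from the packetbeat.protocols list.
    Line-based, not a YAML parser: only `- type:` and `ports:` lines are read."""
    protocols, current, inside = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith((" ", "-")):  # a top-level key enters or leaves the list
            inside, current = line.startswith("packetbeat.protocols:"), None
        elif inside and line.startswith("- type:"):
            current = line.split(":", 1)[1].strip()
            protocols[current] = []
        elif inside and current and line.startswith("ports:"):
            protocols[current] = sorted(int(p) for p in re.findall(r"\d+", line))
    return protocols

def capture_filter(protocols):
    """BPF expression covering the configured parsers, for checking with tcpdump
    that the mirror/tap interface really delivers this traffic to the sensor."""
    terms = []
    for proto, ports in sorted(protocols.items()):
        if proto == "icmp":
            terms.append("icmp or icmp6")
        transport = "udp" if proto in UDP_PROTOCOLS else "tcp"
        terms.extend(f"{transport} port {p}" for p in ports)
    return " or ".join(terms)
```

Run the returned expression as `tcpdump -ni eth0 '<expression>'` on the capture interface; if nothing shows up for a port Packetbeat is configured for, the mirror session or tap placement needs fixing before any Kibana dashboard will.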
Import the Kibana templates
packetbeat setup --dashboards
View in Kibana