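################### Packetbeat Configuration Example ##########################

# This file contains an overview of various configuration settings. Please consult
# the docs at https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-configuration.html
# for more details.

# The Packetbeat shipper works by sniffing the network traffic between your
# application components. It inserts meta-data about each transaction into
# Elasticsearch.

############################# Sniffer #########################################

# Select the network interfaces to sniff the data. You can use the "any"
# keyword to sniff on all connected interfaces.
# Note: "device" must be nested under "interfaces"; at the top level it is a
# separate, unrelated key and "interfaces" would be read as empty.
interfaces:
  device: any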
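############################# Protocols #######################################
# Each protocol analyzer is keyed by name under "protocols". Every key below
# must be indented under its analyzer; a flat layout silently disables them.
protocols:
  icmp:
    # Enable ICMPv4 and ICMPv6 monitoring. Default: false
    enabled: true

  dns:
    # Configure the ports where to listen for DNS traffic. You can disable
    # the DNS protocol by commenting out the list of ports.
    ports: [53]

    # include_authorities controls whether or not the dns.authorities field
    # (authority resource records) is added to messages.
    # Default: false
    include_authorities: true
    # include_additionals controls whether or not the dns.additionals field
    # (additional resource records) is added to messages.
    # Default: false
    include_additionals: true

    # send_request and send_response control whether or not the stringified DNS
    # request and response message are added to the result.
    # Nearly all data about the request/response is available in the dns.*
    # fields, but this can be useful if you need visibility specifically
    # into the request or the response.
    # Default: false
    # send_request: true
    # send_response: true

  http:
    # Configure the ports where to listen for HTTP traffic. You can disable
    # the HTTP protocol by commenting out the list of ports.
    ports: [80, 8080, 8000, 5000, 8002]

    # Uncomment the following to hide certain parameters in URL or forms attached
    # to HTTP requests. The names of the parameters are case insensitive.
    # The value of the parameters will be replaced with the 'xxxxx' string.
    # This is generally useful for avoiding storing user passwords or other
    # sensitive information.
    # Only query parameters and top level form parameters are replaced.
    # While this stays commented out, such values are stored exactly as captured.
    # hide_keywords: ['pass', 'password', 'passwd']

  memcache:
    # Configure the ports where to listen for memcache traffic. You can disable
    # the Memcache protocol by commenting out the list of ports.
    ports: [11211]

    # Uncomment the parseunknown option to force the memcache text protocol parser
    # to accept unknown commands.
    # Note: All unknown commands MUST not contain any data parts!
    # Default: false
    # parseunknown: true

    # Update the maxvalues option to store the values - base64 encoded - in the
    # json output.
    # possible values:
    # maxvalues: -1 # store all values (text based protocol multi-get)
    # maxvalues: 0 # store no values at all
    # maxvalues: N # store up to N values
    # Default: 0
    # maxvalues: -1

    # Use maxbytespervalue to limit the number of bytes to be copied per value element.
    # Note: Values will be base64 encoded, so actual size in json document
    # will be 4 times maxbytespervalue.
    # Default: unlimited
    # maxbytespervalue: 100

    # UDP transaction timeout in milliseconds.
    # Note: Quiet messages in UDP binary protocol will get response only in error case.
    # The memcached analyzer will wait for udptransactiontimeout milliseconds
    # before publishing quiet messages. Non quiet messages or quiet requests with
    # error response will not have to wait for the timeout.
    # Default: 200
    # udptransactiontimeout: 1000

  mysql:
    # Configure the ports where to listen for MySQL traffic. You can disable
    # the MySQL protocol by commenting out the list of ports.
    ports: [3306]

  pgsql:
    # Configure the ports where to listen for Pgsql traffic. You can disable
    # the Pgsql protocol by commenting out the list of ports.
    ports: [5432]

  redis:
    # Configure the ports where to listen for Redis traffic. You can disable
    # the Redis protocol by commenting out the list of ports.
    ports: [6379]

  thrift:
    # Configure the ports where to listen for Thrift-RPC traffic. You can disable
    # the Thrift-RPC protocol by commenting out the list of ports.
    ports: [9090]

  mongodb:
    # Configure the ports where to listen for MongoDB traffic. You can disable
    # the MongoDB protocol by commenting out the list of ports.
    ports: [27017]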
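############################# Processes #######################################

# Configure the processes to be monitored and how to find them. If a process is
# monitored then Packetbeat attempts to use its name to fill in the `proc` and
# `client_proc` fields.
# The processes can be found by searching their command line by a given string.
#
# Process matching is optional and can be enabled by uncommenting the following
# lines.
#
#procs:
#  enabled: false
#  monitored:
#    - process: mysqld
#      cmdline_grep: mysqld
#
#    - process: pgsql
#      cmdline_grep: postgres
#
#    - process: nginx
#      cmdline_grep: nginx
#
#    - process: app
#      cmdline_grep: gunicorn

###############################################################################
############################# Libbeat Config ##################################
# Base config file used by all other beats for using libbeat features

############################# Output ##########################################

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
output:

  ### Elasticsearch as output
  elasticsearch:
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify an additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
    hosts: ["localhost:9200"]

    # Optional protocol and basic auth credentials.
    # Basic auth credentials travel in clear text unless protocol is "https"
    # (or the hosts entries carry an https:// scheme). Prefer supplying the
    # password from outside this file when it is kept under version control.
    #protocol: "https"
    #username: "admin"
    #password: "s3cr3t"

    # Number of workers per Elasticsearch host.
    #worker: 1

    # Optional index name. The default is "packetbeat" and generates
    # [packetbeat-]YYYY.MM.DD keys.
    #index: "packetbeat"

    # Optional HTTP Path
    #path: "/elasticsearch"

    # Proxy server url
    #proxy_url: http://proxy:3128

    # The number of times a particular Elasticsearch index operation is attempted. If
    # the indexing operation doesn't succeed after this many retries, the events are
    # dropped. The default is 3.
    #max_retries: 3

    # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
    # The default is 50.
    #bulk_max_size: 50

    # Configure http request timeout before failing a request to Elasticsearch.
    #timeout: 90

    # The number of seconds to wait for new events between two bulk API index requests.
    # If `bulk_max_size` is reached before this interval expires, additional bulk index
    # requests are made.
    #flush_interval: 1

    # Boolean that sets if the topology is kept in Elasticsearch. The default is
    # false. This option makes sense only for Packetbeat.
    #save_topology: false

    # The time to live in seconds for the topology information that is stored in
    # Elasticsearch. The default is 15 seconds.
    #topology_expire: 15

    # tls configuration. By default is off.
    #tls:
      # List of root certificates for HTTPS server verifications
      #certificate_authorities: ["/etc/pki/root/ca.pem"]

      # Certificate for TLS client authentication
      #certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #certificate_key: "/etc/pki/client/cert.key"

      # Controls whether the client verifies server certificates and host name.
      # If insecure is set to true, all server host names and certificates will be
      # accepted. In this mode TLS based connections are susceptible to
      # man-in-the-middle attacks. Use only for testing.
      # The example value below is the testing-only setting; leave it commented
      # (verification on) for any deployment that is reachable over a network.
      #insecure: true

      # Configure cipher suites to be used for TLS connections
      #cipher_suites: []

      # Configure curve types for ECDHE based cipher suites
      #curve_types: []

      # Configure minimum TLS version allowed for connection to Elasticsearch
      #min_version: 1.0

      # Configure maximum TLS version allowed for connection to Elasticsearch
      #max_version: 1.2


  ### Logstash as output
  #logstash:
    # The Logstash hosts
    #hosts: ["localhost:5044"]

    # Number of workers per Logstash host.
    #worker: 1

    # Set gzip compression level.
    #compression_level: 3

    # Optional load balance the events between the Logstash hosts
    #loadbalance: true

    # Optional index name. The default index name depends on each beat.
    # For Packetbeat, the default is set to packetbeat, for Topbeat
    # to topbeat and for Filebeat to filebeat.
    #index: packetbeat

    # Optional TLS. By default is off.
    #tls:
      # List of root certificates for HTTPS server verifications
      #certificate_authorities: ["/etc/pki/root/ca.pem"]

      # Certificate for TLS client authentication
      #certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #certificate_key: "/etc/pki/client/cert.key"

      # Controls whether the client verifies server certificates and host name.
      # If insecure is set to true, all server host names and certificates will be
      # accepted. In this mode TLS based connections are susceptible to
      # man-in-the-middle attacks. Use only for testing.
      #insecure: true

      # Configure cipher suites to be used for TLS connections
      #cipher_suites: []

      # Configure curve types for ECDHE based cipher suites
      #curve_types: []


  ### File as output
  #file:
    # Path to the directory where to save the generated files. The option is mandatory.
    #path: "/tmp/packetbeat"

    # Name of the generated files. The default is `packetbeat` and it generates files: `packetbeat`, `packetbeat.1`, `packetbeat.2`, etc.
    #filename: packetbeat

    # Maximum size in kilobytes of each file. When this size is reached, the files are
    # rotated. The default value is 10 MB.
    #rotate_every_kb: 10000

    # Maximum number of files under path. When this number of files is reached, the
    # oldest file is deleted and the rest are shifted from last to first. The default
    # is 7 files.
    #number_of_files: 7


  ### Console output
  #console:
    # Pretty print json event
    #pretty: false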
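############################# Shipper #########################################

shipper:
  # The name of the shipper that publishes the network data. It can be used to group
  # all the transactions sent by a single shipper in the web interface.
  # If this option is not defined, the hostname is used.
  #name:

  # The tags of the shipper are included in their own field with each
  # transaction published. Tags make it easy to group servers by different
  # logical properties.
  #tags: ["service-X", "web-tier"]

  # Uncomment the following if you want to ignore transactions created
  # by the server on which the shipper is installed. This option is useful
  # to remove duplicates if shippers are installed on multiple servers.
  #ignore_outgoing: true

  # How often (in seconds) shippers are publishing their IPs to the topology map.
  # The default is 10 seconds.
  #refresh_topology_freq: 10

  # Expiration time (in seconds) of the IPs published by a shipper to the topology map.
  # All the IPs will be deleted afterwards. Note, that the value must be higher than
  # refresh_topology_freq. The default is 15 seconds.
  #topology_expire: 15

  # Internal queue size for single events in processing pipeline
  #queue_size: 1000

  # Configure local GeoIP database support.
  # If no paths are configured geoip is disabled.
  geoip:
    paths:
      - "/usr/share/GeoIP/GeoLiteCity.dat"
      # - "/usr/local/var/GeoIP/GeoLiteCity.dat"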
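############################# Logging #########################################

# There are three options for the log output: syslog, file, stderr.
# Under Windows systems, the log files are by default sent to the file output,
# under all other systems by default to syslog.
logging:

  # Send all logging output to syslog. On Windows default is false, otherwise
  # default is true.
  #to_syslog: true

  # Write all logging output to files. Beats automatically rotate files if rotateeverybytes
  # limit is reached.
  #to_files: false

  # To enable logging to files, to_files option has to be set to true
  files:
    # The directory where the log files will be written to.
    #path: /var/log/mybeat

    # The name of the files where the logs are written to.
    #name: mybeat

    # Configure log file size limit. If limit is reached, log file will be
    # automatically rotated
    rotateeverybytes: 10485760 # = 10MB

    # Number of rotated log files to keep. Oldest files will be deleted first.
    #keepfiles: 7

  # Enable debug output for selected components. To enable all selectors use ["*"]
  # Other available selectors are beat, publish, service
  # Multiple selectors can be chained.
  #selectors: [ ]

  # Sets log level. The default log level is error.
  # Available log levels are: critical, error, warning, info, debug
  #level: error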