Step 5: Start Packetbeat

edit

Run Packetbeat by issuing the command that is appropriate for your platform. If you are accessing a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Packetbeat.

If you use an init.d script to start Packetbeat on deb or rpm, you can’t specify command line flags (see Command reference). To specify flags, start Packetbeat in the foreground.

deb and rpm:

sudo service packetbeat start

docker:

See Run Packetbeat on Docker.

mac and linux:

sudo chown root packetbeat.yml 
sudo ./packetbeat -e

You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with --strict.perms=false specified. See Config File Ownership and Permissionsin the Beats Platform Reference.

brew:

To have launchd start elastic/tap/packetbeat and then restart it at login, run:

brew services start elastic/tap/packetbeat-full

To run Packetbeat in the foreground instead of running it as a background service, run:

sudo chown root /usr/local/etc/packetbeat/beatname_lc.yml 
sudo packetbeat -e

You’ll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with --strict.perms=false specified. See Config File Ownership and Permissions in the Beats Platform Reference.

win:

PS C:\Program Files\Packetbeat> Start-Service packetbeat

By default the log files are stored in C:\ProgramData\packetbeat\Logs.

Test the Packetbeat installation

edit

Packetbeat is now ready to capture data from your network traffic. You can test that it works by creating a simple HTTP request. For example:

curl http://www.elastic.co/ > /dev/null

Now verify that the data is present in Elasticsearch by issuing the following command:

curl -XGET 'http://localhost:9200/packetbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance. The command should return data about the HTTP transaction you just created.