- Packetbeat Reference: other versions:
- Packetbeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade Packetbeat
- Configure
- Traffic sniffing
- Network flows
- Protocols
- Processes
- General settings
- Project paths
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- append
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- rate_limit
- registered_domain
- rename
- replace
- syslog
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Instrumentation
- Feature flags
- packetbeat.reference.yml
- How to guides
- Exported fields
- AMQP fields
- Beat fields
- Cassandra fields
- Cloud provider metadata fields
- Common fields
- DHCPv4 fields
- DNS fields
- Docker fields
- ECS fields
- Flow Event fields
- Host fields
- HTTP fields
- ICMP fields
- Jolokia Discovery autodiscover provider fields
- Kubernetes fields
- Memcache fields
- MongoDb fields
- MySQL fields
- NFS fields
- PostgreSQL fields
- Process fields
- Raw fields
- Redis fields
- SIP fields
- Thrift-RPC fields
- Detailed TLS fields
- Transaction Event fields
- Measurements (Transactions) fields
- Monitor
- Secure
- Visualize Packetbeat data in Kibana
- Troubleshoot
- Get help
- Debug
- Understand logged metrics
- Record a trace
- Common problems
- Dashboard in Kibana is breaking up data fields incorrectly
- Packetbeat doesn’t see any packets when using mirror ports
- Packetbeat can’t capture traffic from Windows loopback interface
- Packetbeat is missing long running transactions
- Packetbeat isn’t capturing MySQL performance data
- Packetbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Fields show up as nested JSON in Kibana
- Contribute to Beats
Secrets keystore for secure settings
editSecrets keystore for secure settings
editWhen you configure Packetbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Packetbeat keystore to obfuscate stored secret values for use in configuration settings.
After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
The syntax for referencing keys is identical to the syntax for environment variables:
${KEY}
Where KEY is the name of the key.
For example, imagine that the keystore contains a key called ES_PWD
with the
value yourelasticsearchpassword
:
-
In the configuration file, use
output.elasticsearch.password: "${ES_PWD}"
-
On the command line, use:
-E "output.elasticsearch.password=\${ES_PWD}"
When Packetbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
Notice that the Packetbeat keystore differs from the Elasticsearch keystore.
Whereas the Elasticsearch keystore lets you store elasticsearch.yml
values by
name, the Packetbeat keystore lets you specify arbitrary names that you can
reference in the Packetbeat configuration.
To create and manage keys, use the keystore
command. See the
command reference for the full command syntax, including
optional flags.
The keystore
command must be run by the same user who will run
Packetbeat.
Create a keystore
editTo create a secrets keystore, use:
packetbeat keystore create
Packetbeat creates the keystore in the directory defined by the path.data
configuration setting.
Add keys
editTo store sensitive values, such as authentication credentials for Elasticsearch,
use the keystore add
command:
packetbeat keystore add ES_PWD
When prompted, enter a value for the key.
To overwrite an existing key’s value, use the --force
flag:
packetbeat keystore add ES_PWD --force
To pass the value through stdin, use the --stdin
flag. You can also use
--force
:
cat /file/containing/setting/value | packetbeat keystore add ES_PWD --stdin --force
List keys
editTo list the keys defined in the keystore, use:
packetbeat keystore list
Remove keys
editTo remove a key from the keystore, use:
packetbeat keystore remove ES_PWD
On this page