Beats: How to install Packetbeat

Packetbeat, a network packet analyzer, was the first Beat to be introduced. Packetbeat captures the network traffic between your servers, so it can be used for application and performance monitoring.
Packetbeat can be installed on the monitored server itself or on its own dedicated server. Packetbeat tracks network traffic, decodes the protocols and records the data of each transaction. The protocols Packetbeat supports include DNS, HTTP, ICMP, Redis, MySQL, MongoDB, Cassandra and others. The best way to understand the value of a network packet analysis system like Packetbeat is to try it on your own traffic. For more information, see Elastic's official site: https://www.elastic.co/beats/packetbeat

To start your own Packetbeat setup, install and configure the following related products:

  • Elasticsearch, for storing and indexing the data
  • Kibana, for the user interface

If you have not yet installed Elasticsearch and Kibana, see our earlier article "Elastic: Beginner's Guide".

Experienced developers can go straight to Elastic's website to download and install. The download address is https://www.elastic.co/downloads/beats. When downloading, make sure to pick the version that matches your Elasticsearch. You can also install directly from the command line on your own machine. Replace the 7.6.1 version number in the commands below with your own version.

deb:

sudo apt-get install libpcap0.8
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-amd64.deb
sudo dpkg -i packetbeat-7.6.1-amd64.deb

rpm:

sudo yum install libpcap
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-x86_64.rpm
sudo rpm -vi packetbeat-7.6.1-x86_64.rpm

mac:

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-darwin-x86_64.tar.gz
tar xzvf packetbeat-7.6.1-darwin-x86_64.tar.gz

brew:

brew tap elastic/tap
brew install elastic/tap/packetbeat-full

This installs the latest released default distribution of Packetbeat. To install the OSS distribution, specify elastic/tap/packetbeat-oss instead.

linux:

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-linux-x86_64.tar.gz
tar xzvf packetbeat-7.6.1-linux-x86_64.tar.gz
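The deb, rpm and tar.gz commands above download straight from artifacts.elastic.co and hand the file to the package manager without checking what actually arrived. As an added example (not part of the original page and not Elastic's own tooling), the POSIX shell script below fetches an artifact together with the .sha512 sidecar file Elastic publishes next to each download and refuses to leave the package on disk when the digest does not match. It assumes the sidecar's first line has the form `<hex digest>  <filename>`; the artifact name on the command line is the same one you would have passed to curl above.

```shell
#!/bin/sh
# Added example (not from the original page): fetch a Packetbeat artifact and
# verify it against the .sha512 sidecar Elastic publishes next to each download
# before handing it to dpkg/rpm/tar. Assumed: the sidecar's first line is
# "<hex digest>  <filename>".
set -eu

BASE_URL="https://artifacts.elastic.co/downloads/beats/packetbeat"

# sha512_of FILE: print the hex SHA-512 digest of FILE (coreutils or macOS shasum)
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE SHA512FILE: return 0 if FILE's digest equals the one
# recorded in SHA512FILE, 1 otherwise (also when the sidecar is empty or missing)
verify_artifact() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2" 2>/dev/null || true)
    actual=$(sha512_of "$1" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# fetch_and_verify ARTIFACT: download ARTIFACT and its .sha512 sidecar into the
# current directory; delete the artifact and fail if the digests differ
fetch_and_verify() {
    artifact="$1"
    curl -fsSL -O "$BASE_URL/$artifact"
    curl -fsSL -O "$BASE_URL/$artifact.sha512"
    if verify_artifact "$artifact" "$artifact.sha512"; then
        echo "checksum OK: $artifact"
    else
        echo "checksum MISMATCH: $artifact removed, not installing" >&2
        rm -f "$artifact"
        return 1
    fi
}

# Usage:
#   sh get-packetbeat.sh packetbeat-7.6.1-amd64.deb && sudo dpkg -i packetbeat-7.6.1-amd64.deb
if [ "$#" -gt 0 ]; then
    fetch_and_verify "$1"
fi
```

A digest fetched from the same server only catches corrupted or truncated downloads and a tampered mirror or proxy; it does not protect against a compromise of the artifacts server itself. For that, prefer Elastic's signed apt and yum repositories, where the package manager checks each package against Elastic's GPG signing key.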

win:

Download and install a packet sniffing library that implements the libpcap interface, such as Npcap.

If you use Npcap, make sure to install it in WinPcap API-compatible mode. If you intend to capture traffic from the loopback device (127.0.0.1 traffic), also select the option that supports loopback traffic.

  • Download the Packetbeat Windows zip file from the downloads page
  • Extract the contents of the zip file into C:\Program Files
  • Rename the packetbeat-<version>-windows directory to Packetbeat
  • Open a PowerShell prompt as Administrator (right-click the PowerShell icon and select "Run As Administrator").

From the PowerShell prompt, run the following commands to install Packetbeat as a Windows service:

PS > cd 'C:\Program Files\Packetbeat'
PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1

Note: if script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1

Before using Packetbeat we must configure it, otherwise it will not work. The installation directory contains a configuration file called packetbeat.yml (for the deb and rpm packages on Linux it lives under /etc/packetbeat/; for the tar.gz archives it sits in the directory you extracted). In the simplest case, we must modify:

output.elasticsearch:
  hosts: ["myEShost:9200"]
  username: "packetbeat_internal"
  password: "YOUR_PASSWORD"
setup.kibana:
  host: "mykibanahost:5601"
  username: "my_kibana_user"
  password: "YOUR_PASSWORD"

Fill in the addresses of your Elasticsearch and Kibana in the places above (the user names are placeholders; the Elasticsearch user is the one Packetbeat writes events with, the Kibana user is only used to load the dashboards during setup). With that, data can be sent to Elasticsearch and displayed in a Kibana Dashboard. For more configuration options, see Elastic's official documentation "Configure Packetbeat".
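The minimal configuration above talks to Elasticsearch over plain HTTP, keeps both passwords in clear text in packetbeat.yml, and leaves the capture interface and protocol selection at their defaults. The following fuller packetbeat.yml is an added example, not the page's configuration and not the file Elastic ships: it captures on all interfaces with the AF_PACKET sniffer, enables the ICMP, DNS, HTTP and TLS decoders, ships to Elasticsearch and Kibana over TLS with server verification, and reads the passwords from the Beats keystore (create it with `packetbeat keystore create`, then `packetbeat keystore add ES_PASSWORD` and `packetbeat keystore add KIBANA_PASSWORD`; on deb/rpm installs run these as root so the keystore is created under /var/lib/packetbeat where the service looks for it). The host names, user names and the CA path are assumptions.

```yaml
# packetbeat.yml -- added example, not the original page's or Elastic's config.
# Assumed names: es01.example.internal, kibana.example.internal, /etc/packetbeat/ca.crt

packetbeat.interfaces.device: any         # capture on every interface (Linux); name one device, e.g. en0, on macOS
packetbeat.interfaces.type: af_packet     # Linux AF_PACKET sniffer, no libpcap needed
packetbeat.interfaces.buffer_size_mb: 100
# packetbeat.interfaces.bpf_filter: "not port 9200"
#   Uncomment to keep the Beat's own shipping traffic out of the capture. Setting
#   bpf_filter disables the automatically generated filter, so you then have to
#   keep it in sync with the ports listed under packetbeat.protocols yourself.

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: icmp
  enabled: true
- type: dns
  ports: [53]
  include_authorities: true
  include_additionals: true
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: tls
  ports: [443, 993, 995, 5223, 8443, 8883, 9243]

processors:
  - add_host_metadata: ~                  # host.name, host.ip etc. on every event

output.elasticsearch:
  hosts: ["es01.example.internal:9200"]
  protocol: "https"
  username: "packetbeat_internal"         # a user limited to writing packetbeat-* indices
  password: "${ES_PASSWORD}"              # resolved from the Beats keystore, not stored here
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
  ssl.verification_mode: full             # verify the server certificate and its host name

setup.kibana:
  host: "kibana.example.internal:5601"
  protocol: "https"
  username: "packetbeat_setup"            # only needed while loading dashboards
  password: "${KIBANA_PASSWORD}"
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
```

After saving it, run `packetbeat test config -e` and then `packetbeat test output`; the second command actually opens the TLS connection to Elasticsearch and reports whether the certificate and credentials are accepted, which `test config` alone does not check.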

After editing packetbeat.yml, we can use the following command to check that the modified file is valid:

sudo packetbeat test config -e

If you see output similar to the following:

$ sudo packetbeat test config -e
2020-03-17T16:18:14.995+0800	INFO	instance/beat.go:622	Home path: [/usr/share/packetbeat] Config path: [/etc/packetbeat] Data path: [/var/lib/packetbeat] Logs path: [/var/log/packetbeat]
2020-03-17T16:18:14.995+0800	INFO	instance/beat.go:630	Beat ID: 7855ec98-8eb1-4639-a65f-936acfc2cabd
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:958	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/packetbeat", "data": "/var/lib/packetbeat", "home": "/usr/share/packetbeat", "logs": "/var/log/packetbeat"}, "type": "packetbeat", "uuid": "7855ec98-8eb1-4639-a65f-936acfc2cabd"}}}
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:967	Build info	{"system_info": {"build": {"commit": "c1c49432bdc53563e63e9d684ca3e9843626e448", "libbeat": "7.6.1", "time": "2020-02-28T23:00:10.000Z", "version": "7.6.1"}}}
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:970	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":6,"version":"go1.13.8"}}}
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:974	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-03-17T05:49:48+08:00","containerized":false,"name":"liuxg","ip":["127.0.0.1/8","::1/128","192.168.43.192/24","fe80::4335:a826:a61b:c231/64"],"kernel_version":"5.3.0-40-generic","mac":["08:00:27:2a:f0:fa"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.4 LTS (Bionic Beaver)","major":18,"minor":4,"patch":4,"codename":"bionic"},"timezone":"CST","timezone_offset_sec":28800,"id":"aa0be63698ff4d65848345a09778d58b"}}}
2020-03-17T16:18:14.997+0800	INFO	[beat]	instance/beat.go:1003	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/etc/packetbeat", "exe": "/usr/share/packetbeat/bin/packetbeat", "name": "packetbeat", "pid": 5187, "ppid": 5186, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2020-03-17T16:18:14.350+0800"}}}
2020-03-17T16:18:14.997+0800	INFO	instance/beat.go:298	Setup Beat: packetbeat; Version: 7.6.1
2020-03-17T16:18:14.997+0800	INFO	[index-management]	idxmgmt/std.go:182	Set output.elasticsearch.index to 'packetbeat-7.6.1' as ILM is enabled.
2020-03-17T16:18:14.997+0800	INFO	elasticsearch/client.go:174	Elasticsearch url: http://192.168.43.220:9200
2020-03-17T16:18:14.997+0800	INFO	[publisher]	pipeline/module.go:110	Beat name: liuxg
2020-03-17T16:18:14.997+0800	INFO	procs/procs.go:105	Process watcher disabled
Config OK

then the configuration file is valid. Note that `test config` only parses the file; it does not contact Elasticsearch, so a wrong host or password is not caught here (`packetbeat test output` does that).

Once Packetbeat is configured, run the following command to perform the setup (Linux):

$ sudo packetbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards

The output above shows the dashboards have been loaded and the index has been set up.

Next, start the packetbeat service with the following command (Linux):

sudo service packetbeat start

We can check the service under Linux:

$ systemctl status packetbeat
● packetbeat.service - Packetbeat analyzes network traffic and sends the data to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/packetbeat.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-03-17 16:02:56 CST; 38s ago
     Docs: https://www.elastic.co/products/beats/packetbeat
 Main PID: 4355 (packetbeat)
    Tasks: 15 (limit: 4915)
   CGroup: /system.slice/packetbeat.service
           └─4355 /usr/share/packetbeat/bin/packetbeat -e -c /etc/packetbeat/packetbeat.yml -path.ho

This shows that packetbeat is running normally. Note the "disabled" in the Loaded line: the unit has only been started, not enabled, so it will not come back after a reboot until you enable it with systemctl.

Now open Kibana and select Dashboard:

Click the [Packetbeat] Flow ECS dashboard.

If you can see some data there, Packetbeat has been installed correctly.


References:

【1】https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation.html
