堆栈内存溢出
  简体   繁体   English

用于 ELK 堆栈中 pcap 文件分析的正确工具?

[英]proper tools for pcap file analysis in ELK stack?

 原文  2018-05-25 04:25:16       elastic-stack/ packet-capture/ packetbeat

问题描述

I'm sure this is a softball for those who are familiar with the Elastic Stack, but the docs I've read havent left it super clear.我敢肯定,对于熟悉 Elastic Stack 的人来说,这是一个垒球,但我读过的文档并没有让它变得非常清晰。

I essentially am trying to push pcap files through the ELK stack to visualize packet information using Kibana.我基本上是在尝试通过 ELK 堆栈推送 pcap 文件以使用 Kibana 可视化数据包信息。

I am not looking to monitor this real time, but rather have the following behavior:我不希望实时监控,而是有以下行为:

  1. I drop a pcap into a directory, and something picks it up (FileBeat? PacketBeat -I? LogStash?)我将一个 pcap 放入一个目录中,然后一些东西将其取出(FileBeat?PacketBeat -I?LogStash?)
  2. Since a pcap file isn't really useful, I might need to run it through tshark to produce readable json由于 pcap 文件不是很有用,我可能需要通过 tshark 运行它以生成可读的 json
  3. I want this information in ElasticSearch我想要 ElasticSearch 中的这些信息
  4. Use Kibana to make pretty graphs使用 Kibana 制作漂亮的图表

From what I read PacketBeat allows for the -I option to take a pcap file as an input, but doesn't that only ship that single file?从我读到的 PacketBeat 允许 -I 选项将 pcap 文件作为输入,但这不是只发送单个文件吗? I want it to watch a directory as I drop pcaps.我希望它在我放下 pcaps 时观察一个目录。 I guess what confused me is most of the docs talk about configuring an interface device to sniff in the packetbeat.yml我想让我感到困惑的是大多数文档都在谈论配置接口设备以在 packetbeat.yml 中嗅探

Anyway ideally I was thinking it would look something like this无论如何,理想情况下,我认为它看起来像这样

packetbeat(watching for pcaps, spits out json) -> logstash (filters)-> elasticsearch (indexes)-> kibana (visualizes) packetbeat(监视 pcaps,吐出 json)-> logstash(过滤器)-> elasticsearch(索引)-> kibana(可视化)

Is there a way to configure packetbeat to watch a dir for pcaps rather than an interface?有没有办法配置 packetbeat 来观察 pcaps 的目录而不是接口?

1 个解决方案

解决方案1
 0  2021-03-15 01:27:02

As of March 2021, you still can't do this natively with Packetbeat.截至 2021 年 3 月,您仍然无法使用 Packetbeat 在本机上执行此操作。

But you can easily "outsource" the watching of a directory tree to another tool, and have it call Packetbeat.但是您可以轻松地将目录树的监视“外包”给另一个工具,并让它调用 Packetbeat。 Watchman (released by Facebook) is a good choice - it will keep track of files that have been processed. Watchman (由 Facebook 发布)是一个不错的选择 - 它将跟踪已处理的文件。 Then you could do something like the following to a) watch a directory and then b) take action when files are changed/added:然后,您可以执行以下操作来 a) 监视目录,然后 b) 在更改/添加文件时采取措施:

watchman watch /path/to/pcaps
watchman -- trigger ~/path/to/pcaps pcaptrigger '*.pcap' -- 'packetbeat -I'

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何将Linux条日志导入ELK栈进行日志分析? - How to import Linux logs into ELK stack for log analysis? ELK堆栈,用于存储来自多个设备的.conf文件 - ELK stack for storing data from multiple devices .conf file ELK堆栈日志时间戳记 - ELK Stack Log timestamp ELK堆栈安装和配置 - ELK stack installation and configuration Cadvisor支持ELK堆栈 - Cadvisor support ELK stack ELK 堆栈中的问题 - Issue in ELK stack 配置ELK堆栈 - Configuring ELK stack 在 ELK 堆栈中调试 Filebeat - Debugging Filebeat in the ELK stack ELK Stack on microservices architecture - ELK Stack on microservices architecture File Beat无法与另一个实例(ELK堆栈)的logstash连接 - File Beat not able to connect with logstash from another instance (ELK stack)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM