堆栈内存溢出
  简体   繁体   English

Packetbeat 接口检测

[英]Packetbeat interface detection

 原文  2019-10-01 07:55:13       elasticsearch/ elk/ packetbeat

问题描述

I'm using packbeat to monitor network traffic for a SIEM-like setup with ELK.我正在使用 packbeat 来监控网络流量,以使用 ELK 进行类似 SIEM 的设置。 I'd like to push it to a large number of machines but the setup requires manual identification in packetbeat.yml.我想将它推送到大量机器上,但设置需要在 packetbeat.yml 中手动识别。

Has any been able to script the process of selecting the appropriate interface to monitor for packetbeat?有没有人能够编写脚本来选择适当的接口来监控 packetbeat 的过程?

2 个解决方案

解决方案1
 0  2019-10-03 11:22:18

I've put this together - which uses 3 separate.yml我把它放在一起 - 它使用了 3 个单独的.yml

ConfigTemplate.yml which contains the rest of the packetbeat.yml minus the interfaces. ConfigTemplate.yml 包含 packetbeat.yml 的 rest 减去接口。

Interfaces.yml which is a temp file used to write the interfaces to. Interfaces.yml 这是一个用于将接口写入的临时文件。

packetbeat.yml which is the final config file packetbeat will use. packetbeat.yml 是 packetbeat 将使用的最终配置文件。

The python script should be in the packetbeat directory along with the config.yml's python 脚本应与 config.yml 一起位于 packetbeat 目录中

The only limitation is that it needs python on the host machines - the next stage is to see if it can be done with powershell.唯一的限制是它在主机上需要 python - 下一阶段是看看它是否可以用 powershell 完成。

Hope this helps anyone else!希望这对其他人有帮助! Any improvements are welcome!欢迎任何改进!

import subprocess

devices = subprocess.check_output(["powershell.exe", "(./packetbeat.exe   devices).count"])

devicesCount = int(devices.decode('utf-8'))

print(devicesCount)

deviceCount = range(devicesCount)


with open('ConfigTemplate.yml', 'r') as original: data1 = original.read()


with open('Interfaces.yml', 'w') as modified: 

  for i in deviceCount:
    modified.write("packetbeat.interfaces.device: " + str(i)+ "\n" )


with open('Interfaces.yml', 'r') as original: data2 = original.read()


with open('Packetbeat.yml', 'w') as modified2: modified2.write("# ================== Set listening interfaces ==================" +"\n"+ data2 + "\n" + data1 + "\n")

解决方案2
 0 已采纳  2019-10-03 13:03:58

Powershell version - Powershell版-

$count = (C:\path\to\packetbeat.exe - devices).count

$line = ''


for($i=0; $i -le ($count-1); $i++){

    $line +="packetbeat.interfaces.device:"+" $i `r`n" 

    }

$line  | Out-File -FilePath "C:\path\to\packetbeat\Interfaces.yml"

$configTemplate = Get-Content -Path "C:\path\to\packetbeat\ConfigTemplate.yml"

$interfaces = Get-Content -Path "C:\path\to\packetbeat\Interfaces.yml"

$interfaces + "`r`n" + $configTemplate | Out-File -FilePath "C:\path\to\packetbeat\packet.yml"

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Packetbeat缺少一些数据 - Packetbeat missing some data 在Windows上安装PacketBeat - Installing PacketBeat on Windows Rsyslog和Packetbeat之间的区别 - Difference between Rsyslog and Packetbeat packetbeat是否支持拦截 - Does packetbeat support interception 无法在弹性 7.5.1 中启动 Packetbeat - Unable to start Packetbeat in elastic 7.5.1 PacketBeat无法连接到ElasticSearch泊坞窗 - Packetbeat not able to connect to elasticsearch docker Packetbeat 不添加 Kube.netes 元数据 - Packetbeat does not add Kubernetes metadata Logstash没有为Filebeat和Packetbeat创建正确的索引 - Logstash not creating correct index for Filebeat and Packetbeat Elasticsearch for Packetbeat的最低版本应该是什么 - What should be the minimum version of Elasticsearch for Packetbeat 用于 Web 流量分析的 Filebeat 与 packetbeat - Filebeat vs packetbeat for web traffic analysis
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM