{"id":654,"date":"2022-01-31T10:53:59","date_gmt":"2022-01-31T10:53:59","guid":{"rendered":"https:\/\/www.canchito-dev.com\/public\/blog\/?p=654"},"modified":"2023-05-12T18:01:15","modified_gmt":"2023-05-12T18:01:15","slug":"capturing-the-network-traffic-with-packetbeat","status":"publish","type":"post","link":"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/31\/capturing-the-network-traffic-with-packetbeat\/","title":{"rendered":"Capturing the network traffic with Packetbeat"},"content":{"rendered":"<h1 class=\"entry-title\">Capturing the network traffic with Packetbeat<\/h1>\n<div class=\"perfect-pullquote vcard pullquote-align-full pullquote-border-placement-left\"><blockquote>\n<p>Discover how Packetbeat sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions. All within a dockerized environment.<\/p>\n<\/blockquote><\/div>\n<div class=\"titlepage\">\n<div>\n<div>\n<h2 class=\"title\">Introduction<\/h2>\n<\/div>\n<\/div>\n<\/div>\n<p style=\"text-align: justify;\">Greetings again everybody! Up to this point, we have covered almost the whole architecture we want to cover. 
For example, we <a href=\"http:\/\/www.canchito-dev.com\/public\/blog\/2021\/12\/26\/introduction-to-elastic-stack\/\">learned about Elasticsearch for storing the data that we collect and how to deploy it, and about Kibana as a web UI for visualizing the collected data<\/a>, used <a href=\"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/02\/elastic-stack-beats\/\">Filebeat for collecting data from our cluster<\/a>, <a href=\"https:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/16\/getting-started-with-logstash\/\">saw what Logstash can do<\/a>, <a href=\"https:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/27\/collect-metrics-with-metricbet\/\">collected metrics from the system and the services running on the server with the help of Metricbeat<\/a>, and <a href=\"https:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/30\/know-if-your-service-is-available-with-heartbeat\/\">learned whether your service is up thanks to Heartbeat<\/a>. Now it is time to analyze your network traffic with Packetbeat.<\/p>\n<h2>Overview<\/h2>\n<p style=\"text-align: justify;\">Monitoring network traffic at the host level is no longer enough. This was useful a long time ago, when individual services ran on stand-alone machines. Nowadays, if you want a meaningful analysis, you have to look at network traffic at the process level.<\/p>\n<p style=\"text-align: justify;\">Packetbeat is a real-time network packet analyzer that parses the application-level protocols on the fly and correlates the messages into transactions, thus providing visibility into the traffic between the servers of your network.<\/p>\n<p>Just as any other Elastic Beat, Packetbeat is based on the <code class=\"literal\">libbeat<\/code> framework.<\/p>\n<h2>Deploying Packetbeat in Docker<\/h2>\n<p style=\"text-align: justify;\">Let&#8217;s begin by adding a folder that will hold Packetbeat&#8217;s files. 
The changes to the project are highlighted.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-highlight=\"28-30,38\">elastic-stack-demo\r\n  +- elasticsearch-single-node-cluster\r\n       +- elasticsearch\r\n       |    +- Dockerfile-elasticsearch-single-node\r\n       |    +- elasticsearch-single-node.yml\r\n       +- filebeat\r\n       |    +- Dockerfile\r\n       |    +- filebeat-to-elasticsearch.yml\r\n       |    +- filebeat-to-logstash.yml\r\n       +- heartbeat\r\n       |    +- Dockerfile\r\n       |    +- heartbeat.yml\r\n       |    +- http_dashboard.ndjson\r\n       +- kibana\r\n       |    +- Dockerfile-kibana-single-node\r\n       |    +- kibana-single-node.yml\r\n       +- logstash\r\n       |    +- config\r\n       |    |    +- logstash.yml\r\n       |    |    +- pipelines.yml\r\n       |    +- pipeline\r\n       |    |    +- beats-example.conf\r\n       |    |    +- data-stream-example.conf\r\n       |    |    +- output.conf\r\n       |    +- Dockerfile\r\n       +- metricbeat\r\n       |    +- Dockerfile\r\n       |    +- metricbeat.yml\r\n       +- packetbeat\r\n       |    +- Dockerfile\r\n       |    +- packetbeat.yml\r\n       +- .env\r\n       +- docker-compose-es-single-node.yml\r\n       +- docker-compose-filebeat-to-elasticseach.yml\r\n       +- docker-compose-filebeat-to-logstash.yml\r\n       +- docker-compose-heartbeat.yml\r\n       +- docker-compose-logstash.yml\r\n       +- docker-compose-metricbeat.yml\r\n       +- docker-compose-packetbeat.yml\r\n<\/pre>\n<p style=\"text-align: justify;\">As we have been doing so far, the first file we will be creating is the <code class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">Dockerfile<\/code>. 
Create it under <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">elastic-stack-single-node-cluster\/packetbeat\/<\/code>, and paste the following code:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">ARG ELK_VERSION\r\nFROM docker.elastic.co\/beats\/packetbeat:${ELK_VERSION}\r\n\r\n# add custom configuration\r\nCOPY --chown=root:packetbeat packetbeat.yml \/usr\/share\/packetbeat\/packetbeat.yml\r\n<\/pre>\n<p style=\"text-align: justify;\">The file has nothing extraordinary. It is just specifying the base image and copying the configuration <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">YAML<\/code> file for Packetbeat. This configuration file looks like this:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">###################### Packetbeat Configuration Example #######################\r\n# You can find the full configuration reference here:\r\n# https:\/\/www.elastic.co\/guide\/en\/beats\/packetbeat\/index.html\r\n\r\n# =============================== Network device ===============================\r\n# Select the network interface to sniff the data. You can use the \"any\"\r\n# keyword to sniff on all connected interfaces.\r\npacketbeat.interfaces.device: any\r\n\r\n# The network CIDR blocks that are considered \"internal\" networks for\r\n# the purpose of network perimeter boundary classification. The valid\r\n# values for internal_networks are the same as those that can be used\r\n# with processor network conditions.\r\n#\r\n# For a list of available values see:\r\n# https:\/\/www.elastic.co\/guide\/en\/beats\/packetbeat\/current\/defining-processors.html#condition-network\r\npacketbeat.interfaces.internal_networks:\r\n  - private\r\n\r\n# =================================== Flows ====================================\r\npacketbeat.flows:\r\n  # Enable Network flows. Default: true\r\n  enabled: true\r\n  # Set network flow timeout. 
Flow is killed if no packet is received before being\r\n  # timed out.\r\n  timeout: 30s\r\n  # Configure reporting period. If set to -1, only killed flows will be reported\r\n  period: 10s\r\n\r\n# =========================== Transaction protocols ============================\r\npacketbeat.protocols:\r\n  - type: icmp\r\n    # Enable ICMPv4 and ICMPv6 monitoring. The default is true.\r\n    enabled: true\r\n    # Overrides where this protocol's events are indexed.\r\n    index: demo-icmp-index\r\n\r\n  - type: dns\r\n    # Enable DNS monitoring. Default: true\r\n    enabled: true\r\n    # Configure the ports where to listen for DNS traffic. You can disable\r\n    # the DNS protocol by commenting out the list of ports.\r\n    ports: [53]\r\n    # include_authorities controls whether or not the dns.authorities field\r\n    # (authority resource records) is added to messages.\r\n    # Default: false\r\n    include_authorities: true\r\n    # include_additionals controls whether or not the dns.additionals field\r\n    # (additional resource records) is added to messages.\r\n    # Default: false\r\n    include_additionals: true\r\n\r\n  - type: http\r\n    # Enable HTTP monitoring. Default: true\r\n    enabled: true\r\n    # Configure the ports where to listen for HTTP traffic. You can disable\r\n    # the HTTP protocol by commenting out the list of ports.\r\n    ports: [80, 5601, 9200, 8080, 8081, 5000, 8002]\r\n\r\n  - type: memcache\r\n    # Enable memcache monitoring. Default: true\r\n    enabled: true\r\n    # Configure the ports where to listen for memcache traffic. You can disable\r\n    # the Memcache protocol by commenting out the list of ports.\r\n    ports: [11211]\r\n\r\n  - type: nfs\r\n    # Enable NFS monitoring. Default: true\r\n    enabled: true\r\n    # Configure the ports where to listen for NFS traffic. 
You can disable\r\n    # the NFS protocol by commenting out the list of ports.\r\n    ports: [2049]\r\n\r\n  - type: tls\r\n    # Enable TLS monitoring. Default: true\r\n    enabled: true\r\n    # Configure the ports where to listen for TLS traffic. You can disable\r\n    # the TLS protocol by commenting out the list of ports.\r\n    ports:\r\n      - 443   # HTTPS\r\n      - 993   # IMAPS\r\n      - 995   # POP3S\r\n      - 5223  # XMPP over SSL\r\n      - 8443\r\n      - 8883  # Secure MQTT\r\n      - 9243  # Elasticsearch\r\n\r\n# ============================ Monitored processes =============================\r\n# Packetbeat can enrich events with information about the process associated\r\n# the socket that sent or received the packet if Packetbeat is monitoring\r\n# traffic from the host machine. By default process enrichment is disabled.\r\n# This feature works on Linux and Windows.\r\npacketbeat.procs.enabled: true\r\n\r\n# If you want to ignore transactions created by the server on which the shipper\r\n# is installed you can enable this option. This option is useful to remove\r\n# duplicates if shippers are installed on multiple servers. Default value is\r\n# false.\r\npacketbeat.ignore_outgoing: true\r\n\r\n# ================================== General ===================================\r\n# The name of the shipper that publishes the network data. It can be used to group\r\n# all the transactions sent by a single shipper in the web interface.\r\n# If this options is not defined, the hostname is used.\r\nname: packetbeat-demo\r\n\r\n# ================================= Processors =================================\r\n# Processors are used to reduce the number of fields in the exported event or to\r\n# enhance the event with external metadata. 
This section defines a list of\r\n# processors that are applied one by one and the first one receives the initial\r\n# event:\r\n#\r\n#   event -&gt; filter1 -&gt; event1 -&gt; filter2 -&gt; event2 ...\r\n#\r\n# The supported processors are drop_fields, drop_event, include_fields,\r\n# decode_json_fields, and add_cloud_metadata.\r\nprocessors:\r\n  # The following example enriches each event with docker metadata; it matches\r\n  # the container id from the log path available in the `source` field (by default\r\n  # it expects it to be \/var\/lib\/docker\/containers\/*\/*.log).\r\n  - add_docker_metadata: ~\r\n  # The following example enriches each event with host metadata.\r\n  - add_host_metadata: ~\r\n\r\n# ================================== Outputs ===================================\r\n# Configure what output to use when sending the data collected by the beat.\r\n# ---------------------------- Elasticsearch Output ----------------------------\r\noutput.elasticsearch:\r\n  # Boolean flag to enable or disable the output module.\r\n  enabled: true\r\n  # Array of hosts to connect to.\r\n  # Scheme and port can be left out and will be set to the default (http and 9200)\r\n  # In case you specify an additional path, the scheme is required: http:\/\/localhost:9200\/path\r\n  # IPv6 addresses should always be defined as: https:\/\/[2001:db8::1]:9200\r\n  hosts: ['localhost:9200']\r\n\r\n# ================================= Dashboards =================================\r\n# These settings control loading the sample dashboards to the Kibana index. 
Loading\r\n# the dashboards is disabled by default and can be enabled either by setting the\r\n# options here, or by using the `-setup` CLI flag or the `setup` command.\r\nsetup.dashboards.enabled: true\r\n\r\n# =================================== Kibana ===================================\r\n\r\n# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.\r\n# This requires a Kibana endpoint configuration.\r\nsetup.kibana:\r\n  # Kibana Host\r\n  # Scheme and port can be left out and will be set to the default (http and 5601)\r\n  # In case you specify an additional path, the scheme is required: http:\/\/localhost:5601\/path\r\n  # IPv6 addresses should always be defined as: https:\/\/[2001:db8::1]:5601\r\n  host: \"localhost:5601\"\r\n\r\n# ================================== Logging ===================================\r\n# There are four options for the log output: file, stderr, syslog, eventlog\r\n# The file output is the default.\r\n# Sets log level. The default log level is info.\r\n# Available log levels are: error, warning, info, debug\r\nlogging.level: info\r\n\r\n# If enabled, Packetbeat periodically logs its internal metrics that have changed\r\n# in the last period. For each metric that changed, the delta from the value at\r\n# the beginning of the period is logged. Also, the total values for\r\n# all non-zero internal metrics are logged on shutdown. The default is true.\r\nlogging.metrics.enabled: true\r\n\r\n# The period after which to log the internal metrics. The default is 30s.\r\nlogging.metrics.period: 30s\r\n\r\n# Logging to rotating files. Set logging.to_files to false to disable logging to\r\n# files.\r\nlogging.to_files: true\r\n\r\n# ============================= X-Pack Monitoring ==============================\r\n# Packetbeat can export internal metrics to a central Elasticsearch monitoring\r\n# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  
The\r\n# reporting is disabled by default.\r\n# Set to true to enable the monitoring reporter.\r\nmonitoring.enabled: true\r\n\r\n# Uncomment to send the metrics to Elasticsearch. Most settings from the\r\n# Elasticsearch output are accepted here as well.\r\n# Note that the settings should point to your Elasticsearch *monitoring* cluster.\r\n# Any setting that is not set is automatically inherited from the Elasticsearch\r\n# output configuration, so if you have the Elasticsearch output configured such\r\n# that it is pointing to your Elasticsearch monitoring cluster, you can simply\r\n# uncomment the following line.\r\nmonitoring.elasticsearch:\r\n  # Array of hosts to connect to.\r\n  # Scheme and port can be left out and will be set to the default (http and 9200)\r\n  # In case you specify an additional path, the scheme is required: http:\/\/localhost:9200\/path\r\n  # IPv6 addresses should always be defined as: https:\/\/[2001:db8::1]:9200\r\n  #hosts: ['elasticsearch-demo:9200']\r\n\r\n# =============================== HTTP Endpoint ================================\r\n# Each beat can expose internal metrics through an HTTP endpoint. For security\r\n# reasons the endpoint is disabled by default. This feature is currently experimental.\r\n# Stats can be accessed through http:\/\/localhost:5066\/stats . For pretty JSON output\r\n# append ?pretty to the URL.\r\n# Defines if the HTTP endpoint is enabled.\r\nhttp.enabled: true\r\n\r\n# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.\r\n# When using IP addresses, it is recommended to only use localhost.\r\nhttp.host: localhost\r\n\r\n# Port on which the HTTP endpoint will bind. Default is 5066.\r\nhttp.port: 5066<\/pre>\n<p style=\"text-align: justify;\">As you can see, we have included a description of each configuration option, which should make it easier to understand. 
However, the main idea behind it is:<\/p>\n<ul>\n<li style=\"text-align: justify;\">Enable the <code class=\"literal\">icmp<\/code>, <code class=\"literal\">dns<\/code>, <code class=\"literal\">http<\/code> and <code class=\"literal\">tls<\/code> transaction protocols.<\/li>\n<li style=\"text-align: justify;\">Enable providers, which work by watching for events on the system and translating those events into internal autodiscover events with a common format.<\/li>\n<li style=\"text-align: justify;\">Send the collected data to Elasticsearch for indexing.<\/li>\n<li style=\"text-align: justify;\">Export internal metrics to a central Elasticsearch monitoring cluster by enabling x-pack monitoring. In our case, we will be using the same cluster.<\/li>\n<li>Enable the experimental HTTP endpoint, which exposes internal metrics.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">You might be curious why, for this beat, we use <code>localhost<\/code> to reference Elasticsearch and Kibana inside the configuration <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">YAML<\/code> file. 
We will explain the main reason later in this post, when we analyze its <code>docker-compose<\/code> file.<\/p>\n<p>Now, we create a separate docker-compose file under <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">elastic-stack-single-node-cluster\/<\/code> and name it <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">docker-compose-packetbeat.yml<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">version: '3.9'\r\nservices:\r\n  packetbeat-demo:\r\n    hostname: packetbeat-demo\r\n    container_name: packetbeat-demo\r\n    build:\r\n      context: .\/packetbeat\r\n      dockerfile: Dockerfile\r\n      args:\r\n        - ELK_VERSION=${ELK_VERSION}\r\n    ports:\r\n      - 5566:5066\r\n    user: packetbeat\r\n    cap_add:\r\n      - NET_ADMIN\r\n    # disable strict permission checks\r\n    command: [ '-e', '-v', '--strict.perms=false' ]\r\n    network_mode: host # Mandatory to see the traffic on the HOST's network interfaces<\/pre>\n<p style=\"text-align: justify;\">By default, Docker networking will connect the Packetbeat container to an isolated virtual network, with a limited view of network traffic. We use <code>docker-compose<\/code>&#8217;s option <code>network_mode: host<\/code>, because we wish to connect the container directly to the host network in order to see traffic destined for, and originating from, the host system.<\/p>\n<p style=\"text-align: justify;\">So, for our use case, the Packetbeat container runs with host networking and is not attached to the Docker networks. Because of that, it can no longer reach the Elasticsearch instance via <code>http:\/\/elasticsearch-demo:9200<\/code>, so we replaced this config value with <code>http:\/\/localhost:9200<\/code> instead. 
All this is done in <code class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">packetbeat.yml<\/code>.<\/p>\n<p style=\"text-align: justify;\">Moreover, under Docker, Packetbeat runs as a non-root user, but requires some privileged network capabilities to operate correctly. The option <code class=\"literal\">cap_add: NET_ADMIN<\/code> needs to be available to the container.<\/p>\n<p style=\"text-align: justify;\">Great. We are ready to start Packetbeat by executing the following command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">$ docker-compose -f docker-compose-packetbeat.yml up -d --build<\/pre>\n<p style=\"text-align: justify;\">Go to <a href=\"http:\/\/localhost:5601\/app\/dashboards#\/list\">Analytics &gt; Dashboards<\/a> and look for a dashboard called <code>[Packetbeat] Overview ECS<\/code>. Click it and you will see an overview of the network&#8217;s metrics:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"662\" data-permalink=\"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/31\/capturing-the-network-traffic-with-packetbeat\/packetbeat_dashboard_overview_ecs\/\" data-orig-file=\"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs.png\" data-orig-size=\"5114,2532\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"CANCHITO-DEV: [Packetbeat] Overview ECS\" data-image-description=\"\" data-image-caption=\"&lt;p&gt;CANCHITO-DEV: [Packetbeat] Overview ECS&lt;\/p&gt;\n\" 
data-large-file=\"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs-1024x507.png\" class=\"aligncenter wp-image-662 size-full\" src=\"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs.png\" alt=\"CANCHITO-DEV: [Packetbeat] Overview ECS\" width=\"5114\" height=\"2532\" srcset=\"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs.png 5114w, http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs-300x149.png 300w, http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs-1024x507.png 1024w, http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs-768x380.png 768w, http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs-1536x760.png 1536w, http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs-2048x1014.png 2048w, http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/packetbeat_dashboard_overview_ecs-624x309.png 624w\" sizes=\"auto, (max-width: 5114px) 100vw, 5114px\" \/><\/p>\n<h2>Clean Up<\/h2>\n<p>To do a complete clean-up, execute this command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">$ docker-compose -f docker-compose-es-single-node.yml -f docker-compose-filebeat-to-elasticseach.yml -f docker-compose-filebeat-to-logstash.yml -f docker-compose-logstash.yml -f docker-compose-metricbeat.yml -f docker-compose-heartbeat.yml -f docker-compose-packetbeat.yml down -v<\/pre>\n<h2 style=\"text-align: justify;\">Summary<\/h2>\n<p style=\"text-align: justify;\">In this post, we learned about Packetbeat and how it can be deployed within a dockerized environment. 
Once deployed, Packetbeat sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions.<\/p>\n<p style=\"text-align: justify;\">Please feel free to contact us. We will gladly respond to any doubt or question you might have. In the meantime, you can download the source code from our official <a href=\"https:\/\/github.com\/canchito-dev\/elastic-stack-demo\">GitHub<\/a> repository.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discover how Packetbeat sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions. All within a dockerized environment.<\/p>\n","protected":false},"author":1,"featured_media":608,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[94,62,74,88,84,101,1],"tags":[104,63,75,90,89,109],"class_list":["post-654","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beat","category-docker","category-docker-compose","category-elastic-stack","category-elk","category-packetbeat","category-uncategorized","tag-beat","tag-docker","tag-docker-compose","tag-elastic-stack","tag-elk","tag-packetbeat"],"aioseo_notices":[],"jetpack_featured_media_url":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/beats-logo-color.png","jetpack_shortlink":"https:\/\/wp.me\/p8EwXo-ay","jetpack-related-posts":[{"id":590,"url":"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/02\/el
astic-stack-beats\/","url_meta":{"origin":654,"position":0},"title":"Introduction to Elastic Stack Beats","author":"canchitodev","date":"January 2, 2022","format":false,"excerpt":"How is information sent to Elasticsearch? The answer is simple, using Beats or Logstash. In this post, we will give a brief introduction to Beats.","rel":"","context":"In &quot;Auditbeat&quot;","block_context":{"text":"Auditbeat","link":"http:\/\/www.canchito-dev.com\/public\/blog\/category\/elk\/auditbeat\/"},"img":{"alt_text":"CANCHITO-DEV: Beats basic diagram","src":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/beats_diagram.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/beats_diagram.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/beats_diagram.png?resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/beats_diagram.png?resize=700%2C400 2x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/beats_diagram.png?resize=1050%2C600 3x"},"classes":[]},{"id":564,"url":"http:\/\/www.canchito-dev.com\/public\/blog\/2021\/12\/26\/introduction-to-elastic-stack\/","url_meta":{"origin":654,"position":1},"title":"Introduction to Elastic Stack","author":"canchitodev","date":"December 26, 2021","format":false,"excerpt":"Hello friends! 
In this post, we will give you a small introduction to Elastic Stack including all the products that build it.","rel":"","context":"In &quot;Beat&quot;","block_context":{"text":"Beat","link":"http:\/\/www.canchito-dev.com\/public\/blog\/category\/elk\/beat\/"},"img":{"alt_text":"CANCHITO-DEV: Elastic Stack architecture in Docker","src":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/docker_elastic_stack_architecture.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/docker_elastic_stack_architecture.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/docker_elastic_stack_architecture.png?resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/docker_elastic_stack_architecture.png?resize=700%2C400 2x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/docker_elastic_stack_architecture.png?resize=1050%2C600 3x"},"classes":[]},{"id":665,"url":"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/02\/05\/audit-the-activities-of-users-and-processes-on-your-systems-with-auditbeat\/","url_meta":{"origin":654,"position":2},"title":"Audit the activities of users and processes on your systems with Auditbeat","author":"canchitodev","date":"February 5, 2022","format":false,"excerpt":"Get to know Auditbeat and learn how it can help you by auditing the activities of the users and processes on your systems. 
All within a dockerized enviroment.","rel":"","context":"In &quot;Auditbeat&quot;","block_context":{"text":"Auditbeat","link":"http:\/\/www.canchito-dev.com\/public\/blog\/category\/elk\/auditbeat\/"},"img":{"alt_text":"CANCHITO-DEV: Kibana's Management > Stack Monitoring Complete","src":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/stack_monitoring_whole_architecture.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/stack_monitoring_whole_architecture.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/stack_monitoring_whole_architecture.png?resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/stack_monitoring_whole_architecture.png?resize=700%2C400 2x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/stack_monitoring_whole_architecture.png?resize=1050%2C600 3x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/stack_monitoring_whole_architecture.png?resize=1400%2C800 4x"},"classes":[]},{"id":588,"url":"http:\/\/www.canchito-dev.com\/public\/blog\/2021\/12\/31\/deploying-filebeat-in-docker\/","url_meta":{"origin":654,"position":3},"title":"Deploying Filebeat in docker","author":"canchitodev","date":"December 31, 2021","format":false,"excerpt":"Learn about Filebeat and how it interact with the rest of the Elastic Stack components while you deploy it using docker.","rel":"","context":"In &quot;Beat&quot;","block_context":{"text":"Beat","link":"http:\/\/www.canchito-dev.com\/public\/blog\/category\/elk\/beat\/"},"img":{"alt_text":"CANCHITO-DEV: Filebeat 
Overview","src":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/filebeat_overview.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/filebeat_overview.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/filebeat_overview.png?resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/filebeat_overview.png?resize=700%2C400 2x"},"classes":[]},{"id":636,"url":"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/27\/collect-metrics-with-metricbet\/","url_meta":{"origin":654,"position":4},"title":"Collect Metrics with Metricbet","author":"canchitodev","date":"January 27, 2022","format":false,"excerpt":"Learn how you could use Metricbeat to monitor your servers by collecting metrics from the system and services running on the server.","rel":"","context":"In &quot;Beat&quot;","block_context":{"text":"Beat","link":"http:\/\/www.canchito-dev.com\/public\/blog\/category\/elk\/beat\/"},"img":{"alt_text":"CANCHITO-DEV: [Metricbeat System] Host overview ECS","src":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/metricbeat_system_dashboard__host_overview_ecs.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/metricbeat_system_dashboard__host_overview_ecs.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/metricbeat_system_dashboard__host_overview_ecs.png?resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/metricbeat_system_dashboard__host_overview_ecs.png?resize=700%2C400 2x, 
https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/metricbeat_system_dashboard__host_overview_ecs.png?resize=1050%2C600 3x, https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/01\/metricbeat_system_dashboard__host_overview_ecs.png?resize=1400%2C800 4x"},"classes":[]},{"id":560,"url":"http:\/\/www.canchito-dev.com\/public\/blog\/2021\/12\/26\/deploying-elastic-stack-cluster-single-node-in-docker\/","url_meta":{"origin":654,"position":5},"title":"Deploying Elastic Stack Cluster (single node) in docker","author":"canchitodev","date":"December 26, 2021","format":false,"excerpt":"Let us show you how to deploy a single node Elastic Stack cluster using docker. Hope you find in it useful!","rel":"","context":"In &quot;Elastic Stack&quot;","block_context":{"text":"Elastic Stack","link":"http:\/\/www.canchito-dev.com\/public\/blog\/category\/elk\/elastic-stack\/"},"img":{"alt_text":"CANCHITO-DEV: Kibana sample eCommerce orders data","src":"https:\/\/i0.wp.com\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/kibana-sample-ecommerce-orders-data.png?resize=350%2C200","width":350,"height":200},"classes":[]}],"jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/posts\/654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/comments?post=654"}],"version-history":[{"count":4,"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/posts\/654\/revisions"}],"predecessor-version":[{"id":678,"href":"http:\/\/www.canch
ito-dev.com\/public\/blog\/wp-json\/wp\/v2\/posts\/654\/revisions\/678"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/media\/608"}],"wp:attachment":[{"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/media?parent=654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/categories?post=654"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-json\/wp\/v2\/tags?post=654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}