Hi Jan,

Thanks a lot for the reply.

Jan, please explain more about this sentence:

> I would clone the filebeat collector, and adjust the settings and the default configuration (and the binaries) to match filebeat.

Thank you.
**This is the Packetbeat configuration file on Windows Server 2016:**

```yaml
#################### Packetbeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The packetbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/packetbeat/index.html

# =============================== Network device ===============================

# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: 0

# =================================== Flows ====================================

# Set `enabled: false` or comment out all options to disable flows reporting.
packetbeat.flows:
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s

  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s

# =========================== Transaction protocols ============================

packetbeat.protocols:
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: true

- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]

- type: cassandra
  # Cassandra port for traffic monitoring.
  ports: [9042]

- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [67, 68]

- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]

- type: memcache
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
  ports: [11211]

- type: mysql
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
  ports: [3306, 3307]

- type: pgsql
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
  ports: [5432]

- type: redis
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
  ports: [6379]

- type: thrift
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
  ports: [9090]

- type: mongodb
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
  ports: [27017]

- type: nfs
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
  ports: [2049]

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================

# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to. Kept commented out together with
  # output.elasticsearch above: Beats allow only one enabled output, and a bare
  # `hosts:` line under a commented-out parent is parsed as part of the previous
  # mapping (setup.kibana), not as an Elasticsearch host.
  #hosts: ["192.168.19.128:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.19.128:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================

# Configure processors to enhance or manipulate events generated by the beat.
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================

# Packetbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Packetbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch monitoring cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true
```
**And the sidecar.yml config file:**

```yaml
# The URL to the Graylog server API.
# Default: "http://127.0.0.1:9000/api/"
server_url: "http://192.168.19.128:9000/api"

# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "xxxxxxxxxxxxxxx"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate a
# unique ID and write it to the configured path.
#
# Example file path: "file:C:\Program Files\Graylog\sidecar\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
# Default: "file:C:\Program Files\Graylog\sidecar\node-id"
node_id: "file:C:\Program Files\Graylog\sidecar\node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: "webostan"

# The update interval in seconds. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: false

# This enables/disables the transmission of detailed sidecar information like
# collector statuses, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submit them to the server on each update.
#
# Example:
# list_log_files:
#   - "/var/log/nginx"
#   - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
#cache_path: "C:\Program Files\Graylog\sidecar\cache"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\Program Files\Graylog\sidecar\logs"

# The maximum size of the log file before it gets rotated.
log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\Program Files\Graylog\sidecar\generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
# collector_binaries_whitelist:
#   - "C:\Program Files\Graylog\sidecar\winlogbeat.exe"
#   - "C:\Program Files\Filebeat\filebeat.exe"
#   - "C:\Program Files\nxlog\nxlog.exe"
#
# Example disable whitelisting:
# collector_binaries_whitelist: []
#
# Default:
collector_binaries_whitelist:
#  - "c:\Program Files\nxlog\nxlog.exe"
#  - "C:\Program Files\Graylog\sidecar\filebeat.exe"
  - "C:\Program Files\Graylog\sidecar\winlogbeat.exe"
#  - "C:\Program Files\Filebeat\filebeat.exe"
  - "C:\Program Files\Packetbeat\packetbeat.exe"
  - "C:\Program Files\Metricbeat\metricbeat.exe"
#  - "C:\Program Files\Heartbeat\heartbeat.exe"
#  - "C:\Program Files\Auditbeat\auditbeat.exe"
#  - "C:\Program Files\nxlog\nxlog.exe"
```
I created an input "beat" on port 5044 in the Graylog server for Packetbeat,
but how do I check that the output configuration matches the settings of the input?

Help me please.
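One way to check the two sides against each other on the Windows host, as an added example that is not part of the original post or of the Graylog/Elastic tooling: read the `output.logstash.hosts` entry from the posted packetbeat.yml, test whether that TCP port is reachable, list the Beats inputs Graylog actually has via its REST API, and then let Packetbeat itself validate the file and try the configured output. Assumptions: Graylog on 192.168.19.128 (taken from the posted configs), a Graylog access token with permission to list inputs in `$Token` (the Sidecar token from sidecar.yml normally lacks that permission), and the posted packetbeat.yml saved next to packetbeat.exe in `C:\Program Files\Packetbeat`.

```powershell
# Added example, not from the original post. Assumed values are marked below.
$GraylogHost   = '192.168.19.128'                       # from the posted configs
$ApiBase       = "http://${GraylogHost}:9000/api"
$Token         = 'REPLACE_WITH_GRAYLOG_ACCESS_TOKEN'   # assumption: admin-created token
$PacketbeatDir = 'C:\Program Files\Packetbeat'         # assumption: install directory
$PacketbeatCfg = Join-Path $PacketbeatDir 'packetbeat.yml'

# 1. Read the host:port Packetbeat will send to: the first entry of
#    output.logstash.hosts. PowerShell has no built-in YAML parser, so this
#    searches the text after the (uncommented) "output.logstash:" line.
$yaml  = Get-Content -Raw $PacketbeatCfg
$start = $yaml.IndexOf("`noutput.logstash:")
if ($start -lt 0) { throw "output.logstash is not enabled in $PacketbeatCfg" }
$m = [regex]::Match($yaml.Substring($start),
        '(?m)^\s+hosts:\s*\[\s*"(?<host>[^":\]]+):(?<port>\d+)"')
if (-not $m.Success) { throw 'could not find output.logstash.hosts' }
$OutHost = $m.Groups['host'].Value
$OutPort = [int]$m.Groups['port'].Value
"Packetbeat will send to ${OutHost}:${OutPort}"

# 2. Is anything listening there? TCP only: the posted output has all ssl.*
#    settings commented out, so a successful test also means the events will
#    travel to Graylog in clear text.
$tcp = Test-NetConnection -ComputerName $OutHost -Port $OutPort -WarningAction SilentlyContinue
"TCP ${OutHost}:${OutPort} reachable: $($tcp.TcpTestSucceeded)"

# 3. Ask Graylog which Beats inputs exist and on which ports. Graylog access
#    tokens are sent as HTTP Basic auth with the token as user name and the
#    literal word 'token' as password.
$basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${Token}:token"))
$headers = @{ Authorization = "Basic $basic"; 'X-Requested-By' = 'beats-check' }
$inputs  = (Invoke-RestMethod -Uri "$ApiBase/system/inputs" -Headers $headers).inputs
$beats   = $inputs | Where-Object { $_.type -like '*Beats*' }
$beats | Select-Object title, type,
    @{ n = 'port';         e = { $_.attributes.port } },
    @{ n = 'bind_address'; e = { $_.attributes.bind_address } }

$match = $beats | Where-Object { [int]$_.attributes.port -eq $OutPort }
if ($match) {
    "OK: Beats input '$($match.title)' listens on $OutPort"
} else {
    $found = ($beats | ForEach-Object { $_.attributes.port }) -join ', '
    "MISMATCH: no Beats input on $OutPort (Beats input ports found: $found)"
}

# 4. Let Packetbeat validate the file and connect with the configured output.
#    'test output' reports connect/TLS/talk-to-server results for output.logstash.
Push-Location $PacketbeatDir
& .\packetbeat.exe test config -c $PacketbeatCfg
& .\packetbeat.exe test output -c $PacketbeatCfg
Pop-Location
```

If Packetbeat is started by the Sidecar rather than by hand, the file that actually runs is the one the Sidecar renders into `collector_configuration_directory` from the configuration assigned in the Graylog web UI, so point `$PacketbeatCfg` at that rendered file instead of a locally edited copy; a Beats input that shows `bind_address` 127.0.0.1 would also explain a reachable port on the server but a failed connection from the Windows host.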