packetbeat

Packetbeat dashboard installation


I am trying to install the packetbeat dashboard, and this command works as expected. I have installed the matching version of Kibana.

docker run docker.elastic.co/beats/packetbeat:5.5.0 ./scripts/import_dashboards  -es http://172.31.73.234:9200

When I try to install the latest version of packetbeat, I get this error:

docker run docker.elastic.co/beats/packetbeat:6.1.3  ./scripts/import_dashboards  -es http://1.2.3.4:9200
/usr/local/bin/docker-entrypoint: line 13: /usr/share/packetbeat/packetbeat: Operation not permitted

I have checked that packetbeat and kibana are using the same version, 6.1.3.

1) Why does line 13 fail in the case of version 6.1.3 and not in 5.5.0?

2) Is there any other way to install packetbeat using docker?


Update:

In other words, this works where elastic and packetbeat are both using the same version, 5.6.7:

 docker run docker.elastic.co/beats/packetbeat:5.6.7 ./scripts/import_dashboards  -es https://0457e68d58e2479e1e73facc72f6cc56.us-east-1.aws.found.io:9243 -user elastic -pass XXX

But this does not work with either elastic version 6 or the kibana API:

# docker run docker.elastic.co/beats/packetbeat:6.1.3 ./scripts/import_dashboards  -es  https://db301e3a9602f088035cc828312ebdf2.us-east-1.aws.found.io:9243 -user elastic -pass xxx
/usr/local/bin/docker-entrypoint: line 13: /usr/share/packetbeat/packetbeat: Operation not permitted

# docker run docker.elastic.co/beats/packetbeat:5.6.7 ./scripts/import_dashboards  -es  https://db301e3a9602f088035cc828312ebdf2.us-east-1.aws.found.io:9243 -user elastic -pass xxx
Initialize the Elasticsearch 6.1.3 loader
Elasticsearch URL https://db301e3a9602f088035cc828312ebdf2.us-east-1.aws.found.io:9243
For Elasticsearch version >= 6.0.0, the Kibana dashboards need to be imported via the Kibana API.

# docker run docker.elastic.co/beats/packetbeat:6.1.3 ./scripts/import_dashboards  -es  https://c2ddaa70b10cb93643b031042d4f6554.us-east-1.aws.found.io:9243 -user elastic -pass xxx
/usr/local/bin/docker-entrypoint: line 13: /usr/share/packetbeat/packetbeat: Operation not permitted

# docker run docker.elastic.co/beats/packetbeat:5.6.7 ./scripts/import_dashboards  -es  https://c2ddaa70b10cb93643b031042d4f6554.us-east-1.aws.found.io:9243 -user elastic -pass xxx
fail to create the Elasticsearch loader: Error creating Elasticsearch client: Couldn't connect to any of the configured Elasticsearch hosts
Exiting

Solution

  • This is something close to what I wanted to achieve. It is not based on docker, but it works!

    1) Download packetbeat:

    curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-6.1.3-x86_64.rpm
    
    sudo rpm -vi packetbeat-6.1.3-x86_64.rpm
    
    cd /usr/share/packetbeat/
    

    2) Configure packetbeat.yml file:

    #-------------------------- Elasticsearch output ------------------------------
    output.elasticsearch:
      # Array of hosts to connect to.
      hosts: ["611878ce312a4bc30040208f62a9c9341.us-east-1.aws.found.io:9243"]
    
      # Optional protocol and basic auth credentials.
      protocol: "https"
      username: "elastic"
      password: "xxx"
    
    #============================== Kibana =====================================
    
    setup.kibana:
    
      host: "https://b0440709b5f76af035e0a5915a763ebf1.us-east-1.aws.found.io:9243"
    
    #============================== Dashboards =====================================
    setup.dashboards.enabled: true
    

    3) Start packetbeat service

    /etc/init.d/packetbeat restart
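
The three steps above, carried through as one script. This is an added example, not the answerer's own commands: it pins a single version for both the download and the `rpm -vi` step (the posted commands fetch 6.1.3 but install a 5.4.1 file), verifies the artifact against the `.sha512` sidecar that artifacts.elastic.co publishes alongside each download before handing it to `rpm`, writes `packetbeat.yml` from the same keys shown above with placeholder hosts and credentials, and loads the dashboards through Kibana with `packetbeat setup --dashboards`, which is the 6.x replacement for the removed `import_dashboards` script. It assumes a systemd host (`systemctl` instead of `/etc/init.d/packetbeat`) and that `curl`, `sha512sum` and `sudo` are available; the `install` argument is a guard so that sourcing the file only defines the functions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): install Packetbeat 6.x from the
# RPM, verify it, configure it, and load the Kibana dashboards the 6.x way.
# Hostnames and the password below are placeholders, not real endpoints.
set -eu

ARTIFACTS="https://artifacts.elastic.co/downloads/beats/packetbeat"

# URL of the x86_64 RPM for the requested Packetbeat version.
artifact_url() {
  printf '%s/packetbeat-%s-x86_64.rpm\n' "$ARTIFACTS" "$1"
}

# Succeed only if the RPM file name carries the expected version, so the
# version that was downloaded is the version that gets installed.
check_version_match() {
  local version="$1" rpm="$2"
  case "$(basename "$rpm")" in
    "packetbeat-${version}-x86_64.rpm") return 0 ;;
    *) return 1 ;;
  esac
}

# Render packetbeat.yml: Elasticsearch output over HTTPS with basic auth,
# the Kibana endpoint used for dashboard loading, and dashboard setup enabled.
render_config() {
  local es_host="$1" user="$2" pass="$3" kibana="$4"
  cat <<EOF
output.elasticsearch:
  hosts: ["${es_host}"]
  protocol: "https"
  username: "${user}"
  password: "${pass}"

setup.kibana:
  host: "${kibana}"

setup.dashboards.enabled: true
EOF
}

# Download the RPM and its .sha512 sidecar (assumed to be published next to the
# artifact), refuse a mismatched or corrupt file, then install.
install_packetbeat() {
  local version="$1" rpm
  rpm="packetbeat-${version}-x86_64.rpm"
  curl -fsSL -O "$(artifact_url "$version")"
  curl -fsSL -O "$(artifact_url "$version").sha512"
  check_version_match "$version" "$rpm"
  sha512sum -c "${rpm}.sha512"
  sudo rpm -vi "$rpm"
}

main() {
  local version="6.1.3"
  install_packetbeat "$version"
  # The config holds a password, so keep it root-owned and not world-readable.
  render_config "ES_HOST_PLACEHOLDER:9243" "elastic" "ES_PASSWORD_PLACEHOLDER" \
    "https://KIBANA_HOST_PLACEHOLDER:9243" \
    | sudo tee /etc/packetbeat/packetbeat.yml >/dev/null
  sudo chmod 0600 /etc/packetbeat/packetbeat.yml
  # 6.x loads dashboards through the Kibana API; this replaces import_dashboards.
  sudo packetbeat setup --dashboards
  sudo systemctl restart packetbeat
}

# Run only when invoked as "./install-packetbeat.sh install"; otherwise just
# define the functions above.
if [ "${1:-}" = "install" ]; then
  main
fi
```

Run it with the `install` argument after replacing the placeholders; a version mismatch or a checksum failure stops the script before `rpm` runs.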