Exported From Confluence, Fri, 29 Mar 2024
There is no problem using the PacketBeat and TopBeat intended for the ELK (ElasticSearch, LogStash, Kibana) stack with Splunk, as these can log to a file:
First, install them as described in ELK - ElasticSearch, LogStash, Kibana.
Then set the output to file in the Beat's yml file (in either /etc/packetbeat/packetbeat.yml or /etc/topbeat/topbeat.yml):
```yaml
# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
output:
  ...
  ...
  ### File as output
  file:
    # Path to the directory where to save the generated files. The option is mandatory.
    path: "/tmp/packetbeat"

    # Name of the generated files. The default is `packetbeat` and it generates files:
    # `packetbeat`, `packetbeat.1`, `packetbeat.2`, etc.
    filename: packetbeat

    # Maximum size in kilobytes of each file. When this size is reached, the files are
    # rotated. The default value is 10 MB.
    rotate_every_kb: 10000

    # Maximum number of files under path. When this number of files is reached, the
    # oldest file is deleted and the rest are shifted from last to first. The default
    # is 7 files.
    number_of_files: 7
```
```yaml
# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
output:
  ...
  ...
  ### File as output
  file:
    # Path to the directory where to save the generated files. The option is mandatory.
    path: "/tmp/topbeat"

    # Name of the generated files. The default is `topbeat` and it generates files:
    # `topbeat`, `topbeat.1`, `topbeat.2`, etc.
    filename: topbeat

    # Maximum size in kilobytes of each file. When this size is reached, the files are
    # rotated. The default value is 10 MB.
    rotate_every_kb: 10000

    # Maximum number of files under path. When this number of files is reached, the
    # oldest file is deleted and the rest are shifted from last to first. The default
    # is 7 files.
    number_of_files: 7
```
Then add the output file to Splunk's inputs.conf:
```ini
[monitor:///tmp/packetbeat/packetbeat]
host=moserver
index=packetbeat
sourcetype=packetbeat-output

[monitor:///tmp/topbeat/topbeat]
host=moserver
index=topbeat
sourcetype=topbeat-output
```
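The quiet failure mode in this setup is the Beat writing to a path/filename that no Splunk monitor stanza covers (nothing errors, the index just stays empty). Here is an added Python check, not part of the original page, that pulls the `path` and `filename` keys from the Beat's file output and confirms they resolve to a monitored path in inputs.conf; the two config samples are constructed and the function names are my own.

```python
import configparser
import re

# Constructed sample of a Beat's file-output block (mirrors the page's packetbeat.yml).
PACKETBEAT_YML = """\
output:
  file:
    path: "/tmp/packetbeat"
    filename: packetbeat
    rotate_every_kb: 10000
    number_of_files: 7
"""

# Constructed inputs.conf with the two monitor stanzas from the page.
INPUTS_CONF = """\
[monitor:///tmp/packetbeat/packetbeat]
host=moserver
index=packetbeat
sourcetype=packetbeat-output

[monitor:///tmp/topbeat/topbeat]
host=moserver
index=topbeat
sourcetype=topbeat-output
"""

def beat_output_file(yml_text):
    """Return the file the Beat writes (path + filename) from its file output block.
    Only these two keys matter for the check, so a plain regex avoids a YAML dependency."""
    path = re.search(r'^\s*path:\s*"?([^"\n]+?)"?\s*$', yml_text, re.M)
    name = re.search(r'^\s*filename:\s*"?([^"\n]+?)"?\s*$', yml_text, re.M)
    if not path or not name:
        raise ValueError("file output needs both path and filename")
    return path.group(1).rstrip("/") + "/" + name.group(1).strip()

def splunk_monitored_paths(conf_text):
    """Map each monitored path to its stanza settings; configparser reads the stanza syntax."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s[len("monitor://"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("monitor://")}

def check_ingest(yml_text, conf_text):
    """True when the Beat's output file is exactly one of the paths Splunk monitors."""
    return beat_output_file(yml_text) in splunk_monitored_paths(conf_text)
```

Run it against both Beats' yml files; a False result means the file output and the monitor stanza have drifted apart and no events will reach the index.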
These babies log a lot of data, so I configure the sample rate for topbeat (the same can be done for packetbeat) and change it from 10 to 60 seconds:
```yaml
input:
  # In seconds, defines how often to read server statistics (the default shown here is 10)
  period: 10
```