Reputation: 31
I'm using packetbeat to monitor network traffic for a SIEM-like setup with ELK. I'd like to push it to a large number of machines, but the setup requires manual identification in packetbeat.yml.
Has anyone been able to script the process of selecting the appropriate interface to monitor for packetbeat?
Upvotes: 0
Views: 398
Reputation: 31
Powershell version -
# Number of lines printed by `packetbeat devices`, i.e. the number of interfaces.
$count = (C:\path\to\packetbeat.exe devices).count
$line = ''
for ($i = 0; $i -le ($count - 1); $i++) {
    $line += "packetbeat.interfaces.device: $i`r`n"
}
# Write the interface lines to a temp file, then prepend them to the template.
$line | Out-File -FilePath "C:\path\to\packetbeat\Interfaces.yml"
$configTemplate = Get-Content -Path "C:\path\to\packetbeat\ConfigTemplate.yml"
$interfaces = Get-Content -Path "C:\path\to\packetbeat\Interfaces.yml"
$interfaces + "`r`n" + $configTemplate | Out-File -FilePath "C:\path\to\packetbeat\packet.yml"
Upvotes: 0
Reputation: 31
I've put this together, which uses 3 separate .yml files:
ConfigTemplate.yml which contains the rest of the packetbeat.yml minus the interfaces.
Interfaces.yml which is a temp file used to write the interfaces to.
packetbeat.yml which is the final config file packetbeat will use.
The Python script should be in the packetbeat directory along with the config .yml's.
The only limitation is that it needs Python on the host machines - the next stage is to see if it can be done with PowerShell.
Hope this helps anyone else! Any improvements are welcome!
import subprocess

# Count the lines printed by `packetbeat devices` (one per interface) via PowerShell.
devices = subprocess.check_output(["powershell.exe", "(./packetbeat.exe devices).count"])
devicesCount = int(devices.decode('utf-8'))
print(devicesCount)
deviceCount = range(devicesCount)

# The rest of the config, minus the interface lines.
with open('ConfigTemplate.yml', 'r') as original:
    data1 = original.read()

# Write one device line per interface index into the temp file.
with open('Interfaces.yml', 'w') as modified:
    for i in deviceCount:
        modified.write("packetbeat.interfaces.device: " + str(i) + "\n")

with open('Interfaces.yml', 'r') as original:
    data2 = original.read()

# Final config: interfaces block first, then the template.
with open('Packetbeat.yml', 'w') as modified2:
    modified2.write("# ================== Set listening interfaces ==================" + "\n" + data2 + "\n" + data1 + "\n")
Upvotes: 0
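An added example, not code from the question or either answer: instead of counting the lines that `packetbeat devices` prints, it parses them (the sample listing below is constructed, in the `index: name (description) (addresses)` format the command prints) and picks the adapter that holds an address in the monitored range, so the generated config names exactly one interface. `SAMPLE_TEMPLATE`, the `10.` prefix and the file names are assumptions; capturing on an unused adapter (a VPN or VirtualBox host-only NIC) leaves the SIEM blind, so the script refuses to write a config when nothing matches.

```python
import re
import subprocess

# Constructed sample of `packetbeat.exe devices` output on Windows; the real
# command prints one "index: name (description) (addresses)" line per NIC.
SAMPLE_DEVICES = """\
0: \\Device\\NPF_{1111-AAAA} (WAN Miniport (Network Monitor)) (Not assigned ip address)
1: \\Device\\NPF_{2222-BBBB} (Intel(R) Ethernet Connection) (10.0.5.23 fe80::1)
2: \\Device\\NPF_{3333-CCCC} (VirtualBox Host-Only Ethernet Adapter) (192.168.56.1)
"""

# Hypothetical stand-in for ConfigTemplate.yml (the rest of packetbeat.yml).
SAMPLE_TEMPLATE = "packetbeat.protocols:\n- type: dns\n  ports: [53]\n"
LINE_RE = re.compile(r"^(\d+): (\S+) \((.*)\) \((.*)\)$")

def parse_devices(text):
    """Parse the device listing into dicts; descriptions may themselves contain parentheses."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            devices.append({"index": int(m.group(1)), "name": m.group(2),
                            "desc": m.group(3), "addrs": m.group(4).split()})
    return devices

def choose_device(devices, prefix="10."):
    """Return the first adapter with an address in the monitored range, or None."""
    for d in devices:
        if any(a.startswith(prefix) for a in d["addrs"]):
            return d
    return None

def render_config(device, template):
    """Emit a single packetbeat.interfaces.device line followed by the template."""
    return ("# ===== Set listening interface =====\n"
            f"packetbeat.interfaces.device: {device['index']}\n\n" + template)

def run_devices(exe="packetbeat.exe"):
    """Run the real binary (assumed to sit next to this script) and return its output."""
    return subprocess.check_output([exe, "devices"], text=True)

if __name__ == "__main__":
    dev = choose_device(parse_devices(run_devices()))
    if dev is None:
        raise SystemExit("no adapter in the monitored range; refusing to write packetbeat.yml")
    with open("ConfigTemplate.yml") as f:
        template = f.read()
    with open("packetbeat.yml", "w") as f:
        f.write(render_config(dev, template))
```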