How to Install and Configure Beats (Packetbeat) for ELK Monitoring

Beats is an open‑source data shipper from Elastic that collects system and application metrics and forwards them to Elasticsearch or Logstash for further processing.

The main Beats include Packetbeat (network traffic), Topbeat (system metrics), Filebeat (log files), Winlogbeat (Windows event logs) and the ability to create custom Beats using Go.

Typical deployment topology consists of Beats agents on monitored hosts, optional Logstash as a relay, Elasticsearch for storage and aggregation, and Kibana for visualization.

Installation steps (example for Packetbeat on a Linux host):

sudo yum install libpcap

wget https://download.elastic.co/beats/packetbeat/packetbeat-1.1.2-x86_64.rpm

sudo rpm -vi packetbeat-1.1.2-x86_64.rpm

Configure the shipper by editing /etc/packetbeat/packetbeat.yml and optionally set a Logstash output.

Load the Elasticsearch index template:

curl -XPUT 'http://<ELK_IP>:9200/_template/packetbeat' -d @/etc/packetbeat/packetbeat.template.json

Start and stop the service:

sudo /etc/init.d/packetbeat start

sudo /etc/init.d/packetbeat stop

Test the installation with curl commands against Elasticsearch and verify collected data with: curl -XGET 'http://localhost:9200/topbeat-*/_search?pretty' To visualize the data, download and load the Beats Kibana dashboards:

wget http://download.elastic.co/beats/dashboards/beats-dashboards-1.1.1.zip

unzip beats-dashboards-1.1.1.zip

cd beats-dashboards-1.1.1/ && ./load.sh

(or ./load.sh -url http://<ELK_IP>:9200)

After loading, select the Packetbeat dashboard in Kibana to view real‑time monitoring charts.