I'm using packbeat to monitor network traffic for a SIEM-like setup with ELK. I'd like to push it to a large number of machines but the setup requires manual identification in packetbeat.yml.
Has any been able to script the process of selecting the appropriate interface to monitor for packetbeat?
I've put this together - which uses 3 separate .yml
ConfigTemplate.yml which contains the rest of the packetbeat.yml minus the interfaces.
Interfaces.yml which is a temp file used to write the interfaces to.
packetbeat.yml which is the final config file packetbeat will use.
The python script should be in the packetbeat directory along with the config .yml's
The only limitation is that it needs python on the host machines - the next stage is to see if it can be done with powershell.
Hope this helps anyone else! Any improvements are welcome!
import subprocess
devices = subprocess.check_output(["powershell.exe", "(./packetbeat.exe devices).count"])
devicesCount = int(devices.decode('utf-8'))
print(devicesCount)
deviceCount = range(devicesCount)
with open('ConfigTemplate.yml', 'r') as original: data1 = original.read()
with open('Interfaces.yml', 'w') as modified:
for i in deviceCount:
modified.write("packetbeat.interfaces.device: " + str(i)+ "\n" )
with open('Interfaces.yml', 'r') as original: data2 = original.read()
with open('Packetbeat.yml', 'w') as modified2: modified2.write("# ================== Set listening interfaces ==================" +"\n"+ data2 + "\n" + data1 + "\n")
Powershell version -
$count = (C:\path\to\packetbeat.exe - devices).count
$line = ''
for($i=0; $i -le ($count-1); $i++){
$line +="packetbeat.interfaces.device:"+" $i `r`n"
}
$line | Out-File -FilePath "C:\path\to\packetbeat\Interfaces.yml"
$configTemplate = Get-Content -Path "C:\path\to\packetbeat\ConfigTemplate.yml"
$interfaces = Get-Content -Path "C:\path\to\packetbeat\Interfaces.yml"
$interfaces + "`r`n" + $configTemplate | Out-File -FilePath "C:\path\to\packetbeat\packet.yml"