
I have a web server and I need to analyze the traffic and find potential anomalies in it. My first idea was to use filebeat to take the apache web access logs and pass them to the ELK stack. The nginx web access logs are in the following form:

42.236.10.125 - - [19/Dec/2020:15:23:11 +0100] "GET /templates/jp_hotel/css/template.css HTTP/1.1" 200 10004 "http://www.almhuette-raith.at/" "Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN" "-"
42.236.10.117 - - [19/Dec/2020:15:23:11 +0100] "GET /templates/jp_hotel/css/layout.css HTTP/1.1" 200 1801 "http://www.almhuette-raith.at/" "Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN" "-"

However, I noticed that packetbeat also exists, but based on my research I found out that it provides a similar output:

[screenshot of packetbeat output, not reproduced here]

So my question is: what is the difference between the two of them, and should I use both? Is there a feature that packetbeat has that might be useful for my case?

Kosmylo
  • packetbeat and filebeat do not produce a similar output. What makes you think they do? – Val May 11 '22 at 07:31
  • @Val Based on what I have studied until now and what I have shown above, I reached this conclusion. I mean filebeat helps with keeping and centralizing logs (in my case apache web access logs) and packetbeat produces the same logs as far as I can see. – Kosmylo May 11 '22 at 07:37
  • Packetbeat is a network traffic analyzer, it doesn't produce logs (at least not in the same vein as what Filebeat does, which only tails existing logs produced by other systems), but metrics related to packets transiting over the network. They are two different things, which can end up being complementary when correlated (e.g. by host). – Val May 11 '22 at 07:54
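As an added example (not part of the question or the answers), this Python snippet parses access-log lines in the combined format shown in the question and runs a simple per-client error-rate check, the kind of first-pass anomaly signal that works on the log lines Filebeat would ship. The sample lines are constructed: the first two are trimmed copies of the question's lines, the `203.0.113.7` client and its requests are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for the nginx/apache "combined" access log format from the question.
# The optional trailing quoted field covers the extra "-" at the end of each line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<extra>[^"]*)")?'
)

# Constructed sample log: two trimmed lines from the question plus a made-up
# client (203.0.113.7, a documentation address) that only receives 404s.
SAMPLE_LOG = """\
42.236.10.125 - - [19/Dec/2020:15:23:11 +0100] "GET /templates/jp_hotel/css/template.css HTTP/1.1" 200 10004 "http://www.almhuette-raith.at/" "Mozilla/5.0 (Linux; U; Android 8.1.0) UCBrowser/11.9.4.974" "-"
42.236.10.117 - - [19/Dec/2020:15:23:11 +0100] "GET /templates/jp_hotel/css/layout.css HTTP/1.1" 200 1801 "http://www.almhuette-raith.at/" "Mozilla/5.0 (Linux; U; Android 8.1.0) UCBrowser/11.9.4.974" "-"
203.0.113.7 - - [19/Dec/2020:15:23:12 +0100] "GET /page-a HTTP/1.1" 404 153 "-" "python-requests/2.25.1" "-"
203.0.113.7 - - [19/Dec/2020:15:23:12 +0100] "GET /page-b HTTP/1.1" 404 153 "-" "python-requests/2.25.1" "-"
203.0.113.7 - - [19/Dec/2020:15:23:13 +0100] "GET /page-c HTTP/1.1" 404 153 "-" "python-requests/2.25.1" "-"
"""


def parse_line(line):
    """Return a dict of typed fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every line of a log, silently skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def error_rate_by_client(records, min_requests=3):
    """Share of 4xx/5xx responses per client IP, for clients with at least min_requests hits."""
    total, errors = Counter(), Counter()
    for r in records:
        total[r["ip"]] += 1
        if r["status"] >= 400:
            errors[r["ip"]] += 1
    return {ip: errors[ip] / n for ip, n in total.items() if n >= min_requests}


if __name__ == "__main__":
    print(error_rate_by_client(parse_log(SAMPLE_LOG)))
```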

1 Answer


I would use packetbeat if you are reviewing strictly network traffic and NOT logs. If you are analyzing logs, use Filebeat. You can use both tools, but make sure to understand what you're trying to have the tool ingest.

Mike R
  • Apart from the fact that I need to perform network traffic analysis on an nginx web server, I also need to save somewhere the web access logs that are produced by the nginx web server. So, I suppose I should use them both? My main question is what kind of metrics packetbeat can offer me that facilitate network traffic monitoring. – Kosmylo May 18 '22 at 13:16