dsnslab / NetworkSecurity


About event action #13

Closed lilychou0105 closed 4 years ago

lilychou0105 commented 4 years ago

I have a problem with different formats of event action! First, it appeared like this image

Then, after I rebooted both Windows and Ubuntu, it somehow changed to this image

However, there's no difference between the code and settings. Furthermore, some fields aren't available now, e.g. process.name, which is really bothering me. Any idea about these differences? I'd appreciate any response!

dsnslab commented 4 years ago

Hi, we have some questions to ask.

  1. Can you be more specific about which fields aren't available? I'm not really sure what you meant.
  2. And which information did you use to decide that the entries you screenshotted are exactly the same entries as in the first screenshot?
  3. Did you make sure the ELK and your beats are still running well after rebooting?

by TA

lilychou0105 commented 4 years ago

Sorry for my unclear description.

  1. For example, I couldn't view the process name at that time. However, I figured out that there is some problem with the audit setting. After I unchecked and rechecked the audit, the event action somehow changed back to the original one.
  2. I simply opened winlogbeat for a short time and executed only one action, so there were just a few logs coming out.
  3. Yes, I checked it.

I have something to confirm about using packetbeat for the website visiting scenario.

  1. Is it correct not to have any event code showing up when using packetbeat?
  2. Will there be an exact website address showing up in the logs?

So far I only have event action showing network-flow. I have tried others' modifications of the yml file that I found via Google, but it just doesn't have the two fields mentioned above. So I'm wondering if I missed some part or if this is correct?

dsnslab commented 4 years ago

Hi, it's ok~ So, is there still a problem where you think the same action log is different?

  1. Yeah, that's correct, sorry for not mentioning that.
  2. Yes, it will.

lilychou0105 commented 4 years ago

For that problem, it's solved temporarily, but I think it has some bugs. That is, if I set up something like below, after I reboot the system it is still checked, BUT winlogbeat can't capture this, so the action log will be different. Therefore, I need to redo all the settings, and then it goes back to normal. I think there may be some tricky problem between the Windows system and winlogbeat. QQ image

For packetbeat, I tried many different scripts, but the website address shows up neither in my event viewer nor in Kibana using Logstash. Here's an example whose yml settings I followed; it seemed really simple!! BUT I still can't get the name: address. https://cloud.tencent.com/developer/article/1010025

dsnslab commented 4 years ago

For the first part, it sounds really weird QQ. Have you checked the event viewer before you redo the setting? Did the event viewer catch the log? For the second part, you can look up how to capture HTTP traffic with packetbeat.

lilychou0105 commented 4 years ago

  1. Yes, I checked the event viewer. It does catch the event code, but it is sent to Kibana in a strange way such that the log information is different and even missing some parts...

  2. https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html I have tried this and other similar documents. However, I can still only get the destination IP, but not the URL (exact address). image image image

afcidk commented 4 years ago

Your destination IP looks weird; did you set an appropriate network interface in your packetbeat config? You can use .\packetbeat.exe devices to see all available devices.

lilychou0105 commented 4 years ago

@afcidk Thanks for your help :))

kc97y commented 4 years ago

I used .\packetbeat.exe devices to check my device and referenced the other ways you guys mentioned, but I still can't see the exact address. Screenshot (171) Screenshot (172) Screenshot (173)

My packetbeat.yml (http part):

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  enabled: true
  ports: [80, 8080, 8000, 5000, 8002]
  send_all_headers: true
  split_cookie: true
  send_request: true
  send_response: true

Maybe I did something wrong here? My result looks like the one above and I'm wondering how to fix this problem. I hope someone can give me some advice, thank you.
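A complete packetbeat.yml for the website-visiting scenario discussed in this thread, as an added example that is not from the thread or the dsnslab project. It assumes Packetbeat 7.x on Windows, that device index 0 (as listed by .\packetbeat.exe devices) is the NIC that actually carries the browser traffic, and that the Elasticsearch host is a placeholder to be replaced.

```yaml
# Added example, not taken from the thread. Assumptions are marked inline.
# The interface is the setting most often left at its default; if it points
# at the wrong NIC, packetbeat never sees the browser's packets, HTTP events
# are never produced, and only unrelated flows (odd destination IPs) appear.
packetbeat.interfaces.device: 0          # ASSUMPTION: index from `.\packetbeat.exe devices`
packetbeat.interfaces.snaplen: 1514       # capture whole frames so request lines are not truncated

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: http
  enabled: true
  ports: [80, 8080, 8000, 5000, 8002]     # plaintext HTTP only; URLs are visible here
  send_request: true                      # ship the request line (method + path)
  send_response: true
  send_all_headers: true                  # Host header lets url.domain / url.full be filled
  redact_headers: ["Authorization", "Cookie"]   # do not ship credentials to the stack

- type: tls
  enabled: true
  ports: [443]                            # HTTPS: only the handshake is readable, not the URL

output.elasticsearch:
  hosts: ["ES_HOST_PLACEHOLDER:9200"]     # placeholder, replace with your ELK host
```

With the capture on the right interface, a plain-HTTP visit produces an event whose request URL is carried in the ECS fields url.full and url.domain (plus http.request.method), which is where to look in Kibana; an HTTPS visit yields only a tls event with the server name from the handshake, never the page URL, because the request is encrypted before packetbeat sees it.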

kc97y commented 4 years ago

I found that I opened the wrong webpage... orz Now I find the log with the correct destination IP, but still can't see the URL. QQ

lilychou0105 commented 4 years ago

@kc97y Actually, when I first changed the script, I had the same problem as yours. After I restarted packetbeat and Kibana, everything went well :> That's really strange, I know QQ. Maybe you can try.