How to configure Packetbeat to capture the domain name and cookie

Beats | Author: 0c0c0f | Published 2017-07-23 | Views: 2643

1. With Packetbeat's default configuration I cannot capture the domain name and the cookie. How can I capture the cookie? Any experts, please advise.
{
  "@timestamp": "2017-07-23T06:57:10.919Z",
  "beat": {
    "hostname": "xx",
    "name": "xx",
    "version": "5.5.0"
  },
  "bytes_in": 618,
  "bytes_out": 533,
  "client_ip": "xx",
  "client_port": 24039,
  "client_proc": "",
  "client_server": "",
  "direction": "out",
  "http": {
    "request": {
      "headers": {
        "content-length": 122,
        "content-type": "application/x-www-form-urlencoded"
      },
      "params": "clientCityName=%E5%8C%97%E4%BA%AC\u0026clientOSName=Win\u0026clientProvinceName=%E5%8C%97%E4%BA%AC\u0026dataType=00\u0026platformStr=01_01_0000_000000_%E9%A6%96%E9%A1%B5\u0026referer="
    },
    "response": {
      "code": 200,
      "headers": {
        "content-length": 0
      },
      "phrase": "OK"
    }
  },
  "ip": "101.37.42.237",
  "method": "POST",
  "path": "/userBehaviorRecord_sendUserBeHaviorData.action",
  "port": 80,
  "proc": "",
  "query": "POST /userBehaviorRecord_sendUserBeHaviorData.action",
  "responsetime": 148,
  "server": "",
  "status": "OK",
  "type": "http"
}

medcl - Fighting a tiger tonight.

Upvoted by: zhangyufu

I tried it and it works fine.
Reference configuration file:
packetbeat.protocols.http:
  # Enable HTTP monitoring. Default: true
  enabled: true

  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]

  # Uncomment the following to hide certain parameters in URL or forms attached
  # to HTTP requests. The names of the parameters are case insensitive.
  # The value of the parameters will be replaced with the 'xxxxx' string.
  # This is generally useful for avoiding storing user passwords or other
  # sensitive information.
  # Only query parameters and top level form parameters are replaced.
  # hide_keywords: ['pass', 'password', 'passwd']

  # A list of header names to capture and send to Elasticsearch. These headers
  # are placed under the `headers` dictionary in the resulting JSON.
  send_headers: true

  # Instead of sending a white list of headers to Elasticsearch, you can send
  # all headers by setting this option to true. The default is false.
  send_all_headers: true

  # The list of content types for which Packetbeat includes the full HTTP
  # payload in the response field.
  #include_body_for: []

  # If the Cookie or Set-Cookie headers are sent, this option controls whether
  # they are split into individual values.
  split_cookie: false

  # The header field to extract the real IP from. This setting is useful when
  # you want to capture traffic behind a reverse proxy, but you want to get the
  # geo-location information.
  #real_ip_header:

  # If this option is enabled, the raw message of the request (`request` field)
  # is sent to Elasticsearch. The default is false.
  send_request: true

  # If this option is enabled, the raw message of the response (`response`
  # field) is sent to Elasticsearch. The default is false.
  send_response: true

Captured request:
{
  "@timestamp": "2017-07-24T01:52:46.541Z",
  "beat": {
    "hostname": "Medcl.local",
    "name": "Medcl.local",
    "version": "5.4.3"
  },
  "bytes_in": 1515,
  "bytes_out": 189,
  "client_ip": "192.168.0.106",
  "client_port": 52688,
  "client_proc": "",
  "client_server": "",
  "direction": "out",
  "http": {
    "request": {
      "headers": {
        "accept": "text/css,*/*;q=0.1",
        "accept-encoding": "gzip, deflate",
        "accept-language": "zh-cn",
        "cache-control": "max-age=0",
        "connection": "keep-alive",
        "content-length": 0,
        "cookie": "wor;wp-settings-time-1=1483838244; __utma=131518867.1943952710.1446362307.1499730647.1500860679.30; __utmb=131518867.17.10.1500860679; __utmc=131518867; __utmz=131518867.1479867462.12.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1",
        "host": "log.medcl.net",
        "if-modified-since": "Thu, 07 Jul 2016 08:24:36 GMT",
        "if-none-match": "\"577e11c4-176\"",
        "referer": "http://log.medcl.net/about/",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
      },
      "params": "ver=2.70"
    },
    "response": {
      "code": 304,
      "headers": {
        "connection": "keep-alive",
        "content-length": 0,
        "date": "Mon, 24 Jul 2017 01:52:46 GMT",
        "etag": "\"577e11c4-176\"",
        "last-modified": "Thu, 07 Jul 2016 08:24:36 GMT",
        "server": "nginx/1.10.0 (Ubuntu)"
      },
      "phrase": "Modified"
    }
  },
  "ip": "106.186.120.253",
  "method": "GET",
  "path": "/wp-content/plugins/wp-pagenavi/pagenavi-css.css",
  "port": 80,
  "proc": "",
  "query": "GET /wp-content/plugins/wp-pagenavi/pagenavi-css.css",
  "request": "GET /wp-content/plugins/wp-pagenavi/pagenavi-css.css?ver=2.70 HTTP/1.1\r\nHost: log.medcl.net\r\nAccept-Encoding: gzip, deflate\r\nCookie: wordp4ad6cc68a%3Dc%26alium%26libraryContent%3Dbrowse%26mfold%3Do; wp-settings-time-1=1483838244; __utma=131518867.1943952710.1446362307.1499730647.1500860679.30; __utmb=131518867.17.10.1500860679; __utl 2016 08:24:36 GMT\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4\r\nReferer: http://log.medcl.net/about/\r\nCache-Control: max-age=0\r\nAccept-Language: zh-cn\r\n\r\n",
  "response": "HTTP/1.1 304 Not Modified\r\nServer: nginx/1.10.0 (Ubuntu)\r\nDate: Mon, 24 Jul 2017 01:52:46 GMT\r\nLast-Modified: Thu, 07 Jul 2016 08:24:36 GMT\r\nConnection: keep-alive\r\nETag: \"577e11c4-176\"\r\n\r\n",
  "responsetime": 147,
  "server": "",
  "status": "OK",
  "type": "http"
}
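Because send_all_headers: true indexes the full Cookie and Set-Cookie headers, as the capture above shows, live session tokens end up in Elasticsearch. An added example, not code from this thread or from Packetbeat: a Python helper that masks cookie values in a Packetbeat http event before it is shipped, keeping cookie names and the host header and using the same 'xxxxx' placeholder that hide_keywords uses for form parameters. The event shape and its values are constructed, and the cookie parsing is the example's own, not Packetbeat's split_cookie option.

```python
import json

# Constructed sample event, modelled on the Packetbeat 5.x http event shape
# seen in the thread; host and cookie values are made up.
SAMPLE_EVENT = {
    "type": "http", "method": "GET", "path": "/about/",
    "http": {
        "request": {"headers": {
            "host": "log.example.test",
            "cookie": "wp-settings-time-1=1500000000; __utma=131518867.19; PHPSESSID=abc123"}},
        "response": {"headers": {"set-cookie": "sid=topsecret; Path=/; HttpOnly"}},
    },
}
MASK = "xxxxx"  # the placeholder Packetbeat's hide_keywords uses for form params

def parse_cookie_header(value):
    """Split 'a=1; b=2; HttpOnly' into [('a', '1'), ('b', '2'), ('HttpOnly', None)].
    This is the example's own parsing, not Packetbeat's split_cookie option."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        pairs.append((name.strip(), val.strip() if sep else None))
    return pairs

def mask_cookie_header(value, first_only=False):
    """Rebuild the header with each value replaced by MASK. For Set-Cookie only
    the first pair carries the secret; attributes such as Path or HttpOnly stay."""
    out = []
    for i, (name, val) in enumerate(parse_cookie_header(value)):
        if val is None:
            out.append(name)
        elif first_only and i > 0:
            out.append(f"{name}={val}")
        else:
            out.append(f"{name}={MASK}")
    return "; ".join(out)

def mask_cookies(event):
    """Return a copy of a Packetbeat http event with cookie values masked;
    cookie names and the host header are kept so the event stays analysable."""
    ev = json.loads(json.dumps(event))  # deep copy; never mutate the input
    req = ev.get("http", {}).get("request", {}).get("headers", {})
    if "cookie" in req:
        req["cookie"] = mask_cookie_header(req["cookie"])
    resp = ev.get("http", {}).get("response", {}).get("headers", {})
    if "set-cookie" in resp:
        resp["set-cookie"] = mask_cookie_header(resp["set-cookie"], first_only=True)
    return ev
```

Run mask_cookies over each event before indexing (for example in the pipeline that forwards Packetbeat output), or apply the same idea as an ingest-side processor.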

0c0c0f


One more note: I am running it on Windows.
$ ./packetbeat -e -c packetbeat.yml

0c0c0f


packetbeat.protocols.http:
  send_headers: ["User-Agent","Cookie","x-real-ip","referer","Set-Cookie","Host","x-forwarded-for"]

OK, that works. Closing the thread.