Lumu VA and Packetbeat

The Lumu Virtual Appliance (VA) offers the option to create Collectors, a seamless way to integrate with network metadata. In this quick guide, we show you how to configure Packetbeat in a Windows Server for DNS packet collection.

Figure 1 - Network diagram with Lumu VA Collector for Packetbeat.
If you are interested in getting started with Collectors, access our documentation.

Requirements

  1. The latest Packetbeat version. You can download it from the official website.
  2. The latest Npcap version. We recommend downloading it from the official website.

Npcap installation

Npcap is a packet sniffing library required by Packetbeat that sniffs the DNS traffic that passes through the Windows Server network interface.

The Npcap license is not included with Lumu. The Npcap free license allows a limited amount of installations for commercial use. To know more about Npcap licensing, access their documentation.
Installing Npcap requires executing the installer and following the default steps:
Figure 2 - Keep the default parameters.
Figure 3 - End of the installation process.

Packetbeat Installation

Packetbeat is the component in charge of reading and parsing the data captured by Npcap and sending it to the Lumu Virtual Appliance.

In this document, we show the installation procedure on a Windows Server. For other operating systems, consult Elastic's official guide.
1. Extract the content of the .zip file you downloaded into the directory "C:\Program Files" and rename the extracted folder to "Packetbeat".
Figure 4 - Packetbeat folder in Program Files.

2. Open the Windows PowerShell as admin and run the following command to install Packetbeat as a service:

PS > cd 'C:\Program Files\Packetbeat'
PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1

If you get an alert about a system restriction, you need to set the execution policy for the session by running the following command:

PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1
Figure 5 - Packetbeat installation script.
3. To configure Packetbeat, go to the installation folder, e.g. C:\Program Files\Packetbeat (for Windows) or /usr/share/packetbeat (for Linux), and edit the file packetbeat.yml. For new installations, we recommend deleting the current content of the file and adding the following content:

Remember to replace the IP and port number with those configured in the Virtual Appliance. You can run .\packetbeat devices to list the capture interfaces and find the index of the one that receives your DNS traffic; set that index in the configuration file in the parameter packetbeat.interfaces.device.

Click here to download the content of the configuration file.
  ## Packetbeat configuration file ##
  packetbeat.interfaces.device: 0  ## the interface you want to capture traffic from
  packetbeat.protocols.dns:
    ports: [53]
  output.logstash:
    hosts: ["192.168.0.130:50445"]  ## The Lumu VA IP and port
  processors:
    - drop_event:
        when:
          equals:
            client.ip: 192.168.0.135  ## IP of the Packetbeat machine
    - include_fields:
        fields:
          - network.protocol
          - client.ip
          - dns.id
          - dns.op_code
          - dns.response_code
          - dns.question.type
          - dns.question.name
          - dns.question.class
          - dns.flags.authoritative
          - dns.flags.recursion_available
          - dns.flags.truncated_response
          - dns.flags.checking_disabled
          - dns.flags.recursion_desired
          - dns.flags.authentic_data
          - dns.answers
  # logging.level: debug
  # logging.to_eventlog: true
For more details on the configuration settings, consult the Elastic official documentation.
4. You can run a test on the new configuration file:
PS C:\Program Files\Packetbeat> .\packetbeat test config

The result should be config ok.

5. Finally, run the following command in PowerShell to start the service:

PS C:\Program Files\Packetbeat> Start-Service packetbeat
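As an added post-install check (not part of Lumu's guide), the following PowerShell script verifies the deployment described in steps 1 to 5: service state, the capture interface index, the configuration syntax, and TCP reachability of the Lumu VA collector port. It assumes the default install path from step 1, the packetbeat.yml layout from step 3, that the Npcap driver is registered as the service named npcap, and that Test-NetConnection is available (Windows Server 2012 or later).

```powershell
# Post-install verification for the Packetbeat -> Lumu VA DNS collector (added example).
# Assumes the default install path and a packetbeat.yml laid out as in step 3.
$Root   = 'C:\Program Files\Packetbeat'
$Config = Join-Path $Root 'packetbeat.yml'
Set-Location $Root

# 1. The Npcap driver (assumed service name 'npcap') and the Packetbeat service
#    must both be registered; Packetbeat should be Running after Start-Service.
foreach ($name in 'npcap', 'packetbeat') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }
    Write-Output ("{0,-11} {1}" -f $name, $svc.Status)
}

# 2. The index in packetbeat.interfaces.device must match an entry of
#    'packetbeat devices' (printed as "<index>: <name> (<description>)").
$deviceLine = Select-String -Path $Config -Pattern '^packetbeat\.interfaces\.device:\s*(\d+)'
$device = if ($deviceLine) { [int]$deviceLine.Matches[0].Groups[1].Value } else { $null }
Write-Output "Configured device index: $device"
& .\packetbeat.exe devices |
    Where-Object { $_ -match "^\s*$device:" } |
    ForEach-Object { Write-Output "Capturing on: $_" }

# 3. Same syntax check as step 4; a non-zero exit code means the YAML is broken.
& .\packetbeat.exe test config
if ($LASTEXITCODE -ne 0) { Write-Warning 'packetbeat.yml failed validation' }

# 4. Parse the VA address from output.logstash.hosts and test the TCP port,
#    which catches a wrong IP/port or a firewall between the server and the VA.
$hostLine = Select-String -Path $Config -Pattern 'hosts:\s*\["([\d\.]+):(\d+)"\]'
if ($hostLine) {
    $vaIp   = $hostLine.Matches[0].Groups[1].Value
    $vaPort = [int]$hostLine.Matches[0].Groups[2].Value
    $tcp = Test-NetConnection -ComputerName $vaIp -Port $vaPort -WarningAction SilentlyContinue
    Write-Output ("Lumu VA {0}:{1} reachable: {2}" -f $vaIp, $vaPort, $tcp.TcpTestSucceeded)
} else {
    Write-Warning 'output.logstash.hosts not found in packetbeat.yml'
}
```

If the port test fails while the config validates, check the collector port set during lumu-appliance collectors refresh and any firewall between the Windows Server and the VA before looking at Packetbeat itself.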

Configure the Lumu Collector

Now that you have Packetbeat installed and running, you need to create and activate the collector. For this, go to the Lumu Portal and make sure you added a "DNS Packets" collector on your Virtual Appliance, as shown in Figure 6.

Figure 6 - Add the DNS Collector in Lumu Portal.

Once the collector is created on the Lumu Portal, you must activate it on the Virtual Appliance. For this, go to the Lumu VA console and run the following command:

applianceadmin@lva:~$ lumu-appliance collectors refresh

Follow the prompts and provide the required parameters.

Make sure to set the port parameter to the same value you configured in the file packetbeat.yml.
Figure 7 - Virtual Appliance collector update.

Uninstall Packetbeat and Npcap

In case you want to uninstall Packetbeat or Npcap from your Windows Server, follow the next steps:

Uninstall Packetbeat

From Windows PowerShell go to the Packetbeat installation path and execute the following script:

PS C:\Program Files\Packetbeat> .\uninstall-service-packetbeat.ps1

If you get an alert about a system restriction, set the execution policy for the session, as during installation, by running the following command:

PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy UnRestricted -File .\uninstall-service-packetbeat.ps1

Figure 8 - Packetbeat uninstall script output.
Uninstall Npcap

From the Windows Control Panel, go to “Programs and Features”, choose Npcap from the list and select "Uninstall".

Figure 9 - Uninstalling Npcap.
