CEF Logging not indexing field "event.original:"

I have a customer who ingests logs with the CEF Filebeat module. There is this field: "event.original:" and it does not get indexed, so it is not searchable.

They ingest barracuda logs in this way. But I have trouble setting up the barracuda module. It gives me this error when I enable the module and run "sudo filebeat setup -e":

2022-03-15T15:32:39.986Z ERROR instance/beat.go:1015 Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key
Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key

It basically points to a commented-out row in the barracuda.yml configuration file:
spamfirewall:
enabled: true

# Set which input to use between udp (default), tcp or file.>>> This row
 var.input: udp
 var.syslog_host: 0.0.0.0
 var.syslog_port: 9524

It seems that I get this error just as I uncomment fields in the barracuda.yml file.
Should they stay commented out? Asking for a friend :)

Maybe I'm doing something wrong with this configuration? I have set up the CEF module and it is good. Threatintel as well, and it works too, but for some reason this is not working.

UPDATE:
I have figured out that when uncommenting these lines, it gives the error just one line before the last uncomment:
Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key

Maybe I'm doing something wrong with configuring this module?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
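
YAML parsers reject a block mapping whose sibling keys do not share one indentation, and uncommenting a `# var.input` line by deleting only the `#` leaves a stray space behind. The checker below is an added example, not part of the original thread or of Filebeat; it assumes that cause (the post does not confirm it) and a two-space module file layout, and reports keys that line up with no open block.

```python
import re

# "key:" or "key: value", optionally introduced by a sequence dash.
KEY_LINE = re.compile(r"^( *)(- )?([^\s#:][^:#]*):(?: +(.*))?$")

# Constructed sample: values from the post, layout assumed (the post's
# indentation was flattened), with one stray space before each var.* key.
BROKEN = """\
- module: barracuda
  spamfirewall:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
     var.input: udp
     var.syslog_host: 0.0.0.0
     var.syslog_port: 9524
"""

def misaligned_keys(text):
    """Return (line_no, indent, open_levels) for keys that fit no open block.

    Covers only simple block mappings: space-indented key lines, "- " items
    and comments. Flow style and multi-line scalars are out of scope.
    """
    levels, findings = [], []   # levels: indents of the open block mappings
    may_nest = True             # previous key had no inline value
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = KEY_LINE.match(raw.rstrip())
        if not m:
            continue            # blank, comment or non-key line
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        value = re.sub(r"(^|\s)#.*", "", m.group(4) or "").strip()
        popped = False
        while levels and levels[-1] > indent:
            levels.pop()        # a dedent closes the deeper blocks
            popped = True
        if not (levels and levels[-1] == indent):
            if may_nest and not popped:
                levels.append(indent)   # first key of a new nested block
            else:
                findings.append((line_no, indent, list(levels)))
        may_nest = value == ""
    return findings

if __name__ == "__main__":
    for line_no, indent, levels in misaligned_keys(BROKEN):
        print(f"line {line_no}: indent {indent}, open blocks at {levels}")
```

Aligning the `var.*` keys with `enabled:` clears every finding; the module settings can stay uncommented as long as they sit at the same column as their siblings.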