Cisco Filebeat Issues

codersoul · July 6, 2021, 1:45am

Hi,

I'm working with Filebeat and Cisco Module in a Lab. I am ingesting data from Cisco AMP, everything work as expected , but I getting this error in Filebeat logs.

Jul 02 09:26:48 cstxsvngs01 filebeat[25410]: 2021-07-02T09:26:48.396-0500 ERROR [input.httpjson-cursor.retryablehttp] go-retryablehttp@v0.6.6/client.go:553 request failed%!(EXTRA string=error, *url.Error=Get "": unsupported protocol scheme "", string=method, string=GET, string=url, *url.URL=) {"input_source": "https://api.amp.cisco.com/v1/events", "input_url": "https://api.amp.cisco.com/v1/events"}

Jul 02 09:26:48 cstxsvngs01 filebeat[25410]: 2021-07-02T09:26:48.396-0500 ERROR [input.httpjson-cursor] v2/request.go:186 error processing response: failed to execute http client.Do: Get "": Get "": unsupported protocol scheme "" {"input_source": "https://api.amp.cisco.com/v1/events", "input_url": "https://api.amp.cisco.com/v1/events"}

Anyone have more information about this error ?

legoguy1000 · July 6, 2021, 3:29am

Weird. What version of filebeat? That error arises when you only put the FQDN in the url field without the scheme, http:// or https://. Based on what I can see you have a good url. But to be safe, can you post your config?

codersoul · July 6, 2021, 6:03pm

Hi, @legoguy1000 . Thanks for your reply.

I'm using the last stable versión:

filebeat version 7.13.2 (amd64), libbeat 7.13.2 [686ba416a74193f2e69dcfa2eb142f4364a79307 built 2021-06-10 21:04:13 +0000 UTC]

Cisco module configuration cisco.yml

- module: cisco
  asa:
    enabled: false
  ftd:
    enabled: false
  ios:
    enabled: false
  nexus:
    enabled: false
  meraki:
    enabled: false
  umbrella:
    enabled: false
  amp:
    enabled: true

    # Set which input to use between httpjson (default) or file.
    var.input: httpjson

    # The API URL
    var.url: https://api.amp.cisco.com/v1/events
    
    # The client ID used as a username for the API requests.
    var.client_id: "xxx"
    
    # The API key related to the client ID.
    var.api_key: "xxxx"
    
    # How far to look back the first time the module is started. Expects an amount of hours.
    var.first_interval: 26280h
    
    # Overriding the default request timeout, optional.
    var.request_timeout: 300s
    var.interval: 5m

legoguy1000 · July 6, 2021, 11:44pm

Ya everything looks fine. This is definitely weird. Do any of the other modules that use the httpjson input work?

codersoul · July 7, 2021, 1:36am

I'm not working with other module that use httpjson input =(. Thanks for your reply

system · August 4, 2021, 3:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.