Cisco filebeat module not listening on port as configured

artschooldropout · August 30, 2023, 2:30pm

We have an existing functional Elastic instance running with Filebeat 8.9, running on Ubuntu 22.04. We're attempting to add Cisco logs using the Cisco filebeat module. However, we're not seeing any logs coming in. We have verified connectivity between the hosts.

Our cisco.yml file is as follows:

  ios:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002

Our filbeat.yml file is as follows:

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "[redacted]"
  password: "[redacted]"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "[redacted]"

I can see that port 9002 does not appear to be open according to netstat:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2110/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1297/sshd: /usr/sbi
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      686349/node
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1216/systemd-resolv
tcp6       0      0 :::25                   :::*                    LISTEN      2110/master
tcp6       0      0 :::22                   :::*                    LISTEN      1297/sshd: /usr/sbi
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      717799/java
tcp6       0      0 :::9200                 :::*                    LISTEN      717799/java
tcp6       0      0 ::1:9300                :::*                    LISTEN      717799/java
tcp6       0      0 :::27768                :::*                    LISTEN      2675/zeek
tcp6       0      0 :::27764                :::*                    LISTEN      2670/zeek
tcp6       0      0 :::27765                :::*                    LISTEN      2671/zeek
tcp6       0      0 :::27766                :::*                    LISTEN      2677/zeek
tcp6       0      0 :::27767                :::*                    LISTEN      2678/zeek
tcp6       0      0 :::27761                :::*                    LISTEN      2464/zeek
tcp6       0      0 :::27762                :::*                    LISTEN      2514/zeek
tcp6       0      0 :::27763                :::*                    LISTEN      2570/zeek

Here's my syslog | grep filebeat:

gist.github.com

https://gist.github.com/packetuser/517122e1dfd9604deaff79ca15cd590b

gistfile1.txt

Aug 30 12:36:36 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:36:36.486Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":175747072}}}},"cpu":{"system":{"ticks":727160,"time":{"ms":640}},"total":{"ticks":10709890,"time":{"ms":9620},"value":10709890},"user":{"ticks":9982730,"time":{"ms":8980}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":31},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":55920113},"version":"8.9.1"},"memstats":{"gc_next":125759528,"memory_alloc":93990456,"memory_total":635123006592,"rss":227827712},"runtime":{"goroutines":310}},"filebeat":{"events":{"active":1209,"added":21952,"done":21992},"harvester":{"open_files":19,"running":19,"started":2}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":22599,"active":0,"batches":457,"total":22549},"read":{"bytes":5045467},"write":{"bytes":42587969}},"pipeline":{"clients":38,"events":{"active":0,"filtered":2,"published":21950,"total":21952},"queue":{"acked":22599}}},"registrar":{"states":{"current":20,"update":22601},"writes":{"success":23,"total":23}},"system":{"load":{"1":1.73,"15":1.76,"5":1.86,"norm":{"1":0.0432,"15":0.044,"5":0.0465}}}},"ecs.version":"1.6.0"}}
Aug 30 12:37:06 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:37:06.487Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":147128320}}}},"cpu":{"system":{"ticks":727950,"time":{"ms":790}},"total":{"ticks":10718740,"time":{"ms":8850},"value":10718740},"user":{"ticks":9990790,"time":{"ms":8060}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":31},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":55950114},"version":"8.9.1"},"memstats":{"gc_next":98144856,"memory_alloc":68789208,"memory_total":635649822096,"rss":203124736},"runtime":{"goroutines":310}},"filebeat":{"events":{"active":815,"added":19926,"done":20320},"harvester":{"open_files":19,"running":19}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":19183,"active":0,"batches":390,"total":19183},"read":{"bytes":4282996},"write":{"bytes":36137618}},"pipeline":{"clients":38,"events":{"active":743,"published":19926,"total":19926},"queue":{"acked":19183}}},"registrar":{"states":{"current":20,"update":19183},"writes":{"success":20,"total":20}},"system":{"load":{"1":1.51,"15":1.74,"5":1.79,"norm":{"1":0.0378,"15":0.0435,"5":0.0448}}}},"ecs.version":"1.6.0"}}
Aug 30 12:37:17 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:37:17.267Z","log.logger":"input.harvester","log.origin":{"file.name":"log/harvester.go","file.line":342},"message":"File is inactive. Closing because close_inactive of 5m0s reached.","service.name":"filebeat","input_id":"9ae4765b-23f2-4be3-a4d9-3390f892eaba","source_file":"/mnt/Bro/current/pe.log","state_id":"native::5113074-64768","finished":false,"os_id":"5113074-64768","old_source":"/mnt/Bro/current/pe.log","old_finished":true,"old_os_id":"5113074-64768","harvester_id":"2773546e-18b3-422e-a972-2163dc84d968","ecs.version":"1.6.0"}
Aug 30 12:37:36 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:37:36.487Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":171511808}}}},"cpu":{"system":{"ticks":728530,"time":{"ms":580}},"total":{"ticks":10727980,"time":{"ms":9240},"value":10727980},"user":{"ticks":9999450,"time":{"ms":8660}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":30},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":55980116},"version":"8.9.1"},"memstats":{"gc_next":148547680,"memory_alloc":118174264,"memory_total":636228109800,"rss":235917312},"runtime":{"goroutines":306}},"filebeat":{"events":{"active":691,"added":21954,"done":22078},"harvester":{"closed":1,"open_files":18,"running":18}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":22405,"active":50,"batches":455,"total":22455},"read":{"bytes":5002150},"write":{"bytes":41711394}},"pipeline":{"clients":38,"events":{"active":291,"filtered":1,"published":21953,"total":21954},"queue":{"acked":22405}}},"registrar":{"states":{"current":20,"update":22406},"writes":{"success":24,"total":24}},"system":{"load":{"1":1.73,"15":1.76,"5":1.83,"norm":{"1":0.0432,"15":0.044,"5":0.0458}}}},"ecs.version":"1.6.0"}}
Aug 30 12:38:06 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:38:06.487Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":161038336}}}},"cpu":{"system":{"ticks":729090,"time":{"ms":560}},"total":{"ticks":10736740,"time":{"ms":8760},"value":10736740},"user":{"ticks":10007650,"time":{"ms":8200}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":30},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":56010118},"version":"8.9.1"},"memstats":{"gc_next":113520544,"memory_alloc":58563192,"memory_total":636760928488,"rss":223514624},"runtime":{"goroutines":306}},"filebeat":{"events":{"active":2075,"added":20267,"done":18883},"harvester":{"open_files":18,"running":18}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":19383,"active":50,"batches":395,"total":19383},"read":{"bytes":4327786},"write":{"bytes":36132486}},"pipeline":{"clients":38,"events":{"active":1175,"published":20267,"total":20267},"queue":{"acked":19383}}},"registrar":{"states":{"current":20,"update":19383},"writes":{"success":21,"total":21}},"system":{"load":{"1":1.78,"15":1.76,"5":1.83,"norm":{"1":0.0445,"15":0.044,"5":0.0458}}}},"ecs.version":"1.6.0"}}
Aug 30 12:38:36 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:38:36.486Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":160305152}}}},"cpu":{"system":{"ticks":729740,"time":{"ms":650}},"total":{"ticks":10747850,"time":{"ms":11110},"value":10747850},"user":{"ticks":10018110,"time":{"ms":10460}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":30},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":56040114},"version":"8.9.1"},"memstats":{"gc_next":142105448,"memory_alloc":96297392,"memory_total":637449444304,"rss":224002048},"runtime":{"goroutines":305}},"filebeat":{"events":{"active":790,"added":25804,"done":27089},"harvester":{"open_files":18,"running":18}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":26472,"active":0,"batches":532,"total":26422},"read":{"bytes":5909576},"write":{"bytes":49783773}},"pipeline":{"clients":38,"events":{"active":507,"published":25804,"total":25804},"queue":{"acked":26472}}},"registrar":{"states":{"current":20,"update":26472},"writes":{"success":26,"total":26}},"system":{"load":{"1":2,"15":1.78,"5":1.88,"norm":{"1":0.05,"15":0.0445,"5":0.047}}}},"ecs.version":"1.6.0"}}
Aug 30 12:39:06 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:39:06.486Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":147726336}}}},"cpu":{"system":{"ticks":730410,"time":{"ms":670}},"total":{"ticks":10756830,"time":{"ms":8980},"value":10756830},"user":{"ticks":10026420,"time":{"ms":8310}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":30},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":56070118},"version":"8.9.1"},"memstats":{"gc_next":125170552,"memory_alloc":112187784,"memory_total":638002537840,"rss":211312640},"runtime":{"goroutines":306}},"filebeat":{"events":{"active":1330,"added":20763,"done":20223},"harvester":{"open_files":18,"running":18}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":20840,"active":50,"batches":424,"total":20890},"read":{"bytes":4652834},"write":{"bytes":39442423}},"pipeline":{"clients":38,"events":{"active":430,"published":20763,"total":20763},"queue":{"acked":20840}}},"registrar":{"states":{"current":20,"update":20840},"writes":{"success":23,"total":23}},"system":{"load":{"1":2.07,"15":1.79,"5":1.91,"norm":{"1":0.0518,"15":0.0448,"5":0.0478}}}},"ecs.version":"1.6.0"}}
Aug 30 12:39:36 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:39:36.488Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":143130624}}}},"cpu":{"system":{"ticks":731000,"time":{"ms":590}},"total":{"ticks":10765650,"time":{"ms":8820},"value":10765650},"user":{"ticks":10034650,"time":{"ms":8230}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":30},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":56100116},"version":"8.9.1"},"memstats":{"gc_next":124505088,"memory_alloc":96819056,"memory_total":638539168392,"rss":206356480},"runtime":{"goroutines":306}},"filebeat":{"events":{"active":737,"added":20403,"done":20996},"harvester":{"open_files":18,"running":18}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":20246,"active":50,"batches":411,"total":20246},"read":{"bytes":4520231},"write":{"bytes":37754237}},"pipeline":{"clients":38,"events":{"active":587,"published":20403,"total":20403},"queue":{"acked":20246}}},"registrar":{"states":{"current":20,"update":20246},"writes":{"success":21,"total":21}},"system":{"load":{"1":1.94,"15":1.79,"5":1.89,"norm":{"1":0.0485,"15":0.0448,"5":0.0473}}}},"ecs.version":"1.6.0"}}
Aug 30 12:40:06 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:40:06.484Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":156073984}}}},"cpu":{"system":{"ticks":731600,"time":{"ms":600}},"total":{"ticks":10773660,"time":{"ms":8010},"value":10773660},"user":{"ticks":10042060,"time":{"ms":7410}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":30},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":56130113},"version":"8.9.1"},"memstats":{"gc_next":133026704,"memory_alloc":108850392,"memory_total":639039116664,"rss":219824128},"runtime":{"goroutines":306}},"filebeat":{"events":{"active":2407,"added":19065,"done":17395},"harvester":{"open_files":18,"running":18}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":18245,"active":50,"batches":371,"total":18245},"read":{"bytes":4073576},"write":{"bytes":33847492}},"pipeline":{"clients":38,"events":{"active":1407,"published":19065,"total":19065},"queue":{"acked":18245}}},"registrar":{"states":{"current":20,"update":18245},"writes":{"success":20,"total":20}},"system":{"load":{"1":2.26,"15":1.81,"5":1.95,"norm":{"1":0.0565,"15":0.0453,"5":0.0488}}}},"ecs.version":"1.6.0"}}
Aug 30 12:40:36 zeek1 filebeat[1043633]: {"log.level":"info","@timestamp":"2023-08-30T12:40:36.488Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":147886080}}}},"cpu":{"system":{"ticks":732210,"time":{"ms":610}},"total":{"ticks":10782570,"time":{"ms":8910},"value":10782570},"user":{"ticks":10050360,"time":{"ms":8300}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":30},"info":{"ephemeral_id":"14379ec3-8426-41d1-9744-eb7d5f2c21db","uptime":{"ms":56160113},"version":"8.9.1"},"memstats":{"gc_next":130937392,"memory_alloc":104475392,"memory_total":639594475240,"rss":210587648},"runtime":{"goroutines":306}},"filebeat":{"events":{"active":1118,"added":21009,"done":22298},"harvester":{"open_files":18,"running":18}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"acked":21498,"active":50,"batches":435,"total":21498},"read":{"bytes":4799563},"write":{"bytes":40041434}},"pipeline":{"clients":38,"events":{"active":918,"published":21009,"total":21009},"queue":{"acked":21498}}},"registrar":{"states":{"current":20,"update":21498},"writes":{"success":25,"total":25}},"system":{"load":{"1":2.22,"15":1.82,"5":1.97,"norm":{"1":0.0555,"15":0.0455,"5":0.0493}}}},"ecs.version":"1.6.0"}}

This file has been truncated. show original

Also, what's the best way to search for logs coming into this module? Should we search for agent.name: "cisco.ios" or something?

Any help would be greatly appreciated!

stephenb · August 30, 2023, 3:01pm

can you try

filebeat test config

Also your logs do not show the startup of filebeat where the UDP listener would get opened. First 100 lines or so.

Also those logs show other modules / paths are you sure you are running what you are showing above

"source_file":"/mnt/Bro/current/pe.log",

Aslo you did not show the full cisco.yml

I do not see

- module: cisco

artschooldropout · August 30, 2023, 3:56pm

Thank you stephenb.

filebeat test config

Shows:

Config OK

When I restart filebeat using

filebeat -e

I see the following:

gist.github.com

https://gist.github.com/packetuser/d27a7c57219aa54b712fef698ce74ce3

gistfile1.txt

~$ sudo filebeat -e
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.907Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.907Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.912Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":125},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.912Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"998ebe76-3f5e-48e2-9944-e1ba6df5656f"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.912Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"3799398872c0f33da4e65019390d055cdfe633bd","libbeat":"8.9.1","time":"2023-08-10T04:11:56.000Z","version":"8.9.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.912Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":40,"version":"go1.19.12"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.914Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-08-16T21:02:12Z","containerized":false,"name":"zeek1","ip":["127.0.0.1","::1","10.7.81.47","fe80::1a66:daff:feac:8008","fe80::1a66:daff:feac:8009","fe80::a236:9fff:fef0:f140","fe80::a236:9fff:fef0:f142","fe80::a236:9fff:fef0:eb26"],"kernel_version":"5.15.0-78-generic","mac":["18:66:da:ac:80:07","18:66:da:ac:80:08","18:66:da:ac:80:09","18:66:da:ac:80:0a","a0:36:9f:f0:f1:40","a0:36:9f:f0:f1:42","a0:36:9f:f0:eb:24","a0:36:9f:f0:eb:26"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.3 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":3,"codename":"jammy"},"timezone":"UTC","timezone_offset_sec":0,"id":"5eb37bd26b0e4ba792a1575c41c3a2db"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.914Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"ambient":null},"cwd":"/home/ocadu","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":1104110,"ppid":1104109,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-08-30T15:43:08.980Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-30T15:43:09.914Z","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.9.1","service.name":"filebeat","ecs.version":"1.6.0"}

This file has been truncated. show original

My full cisco.yml is:

- module: cisco
  asa:
    enabled: false
  ftd:
    enabled: false
  ios:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002
  nexus:
    enabled: false
  meraki:
    enabled: false
  umbrella:
    enabled: false
  amp:
    enabled: false

As to your question about:

"source_file":"/mnt/Bro/current/pe.log",

We're using this ES instance for Zeek log files as well (if I understand your question).

stephenb · August 30, 2023, 4:12pm

So you have alot of modules enable I would disable the other to temporarily debug do you have more than one module opening UDP


# Here lots of modules makes it hard to debug
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.738Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: cisco (ios)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.759Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: zeek (smb_files), zeek (smtp), zeek (rfb), zeek (ssl), zeek (ocsp), zeek (ssh), zeek (radius), zeek (stats), zeek (dns), zeek (sip), zeek (tunnel), zeek (irc), zeek (connection), zeek (snmp), zeek (smb_mapping), zeek (kerberos), zeek (http), zeek (dnp3), zeek (intel), zeek (files), zeek (traceroute), zeek (modbus), zeek (weird), zeek (ftp), zeek (ntlm), zeek (pe), zeek (capture_loss), zeek (smb_cmd), zeek (dce_rpc), zeek (syslog), zeek (mysql), zeek (rdp), zeek (notice), zeek (socks), zeek (dpd), zeek (dhcp), zeek (x509)","service.name":"filebeat","ecs.version":"1.6.0"}



{"log.level":"info","@timestamp":"2023-08-30T15:43:10.805Z","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.807Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: cisco (ios)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.811Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":108},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.840Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":162},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.841Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":173},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.844Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":291},"message":"Attempting to connect to Elasticsearch version 8.9.1","service.name":"filebeat","ecs.version":"1.6.0"}

# HERE 
{"log.level":"info","@timestamp":"2023-08-30T15:43:10.847Z","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":147},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}



{"log.level":"info","@timestamp":"2023-08-30T15:43:10.847Z","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}

I also see this closing...

{"log.level":"info","@timestamp":"2023-08-30T15:46:18.667Z","log.logger":"udp","log.origin":{"file.name":"dgram/handler.go","file.line":68},"message":"Connection has been closed","service.name":"filebeat","address":"0.0.0.0:9002","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T15:46:18.667Z","log.origin":{"file.name":"input/input.go","file.line":134},"message":"input ticker stopped","service.name":"filebeat","ecs.version":"1.6.0"}

not sure if you were shutting it down...

I would isolate / turn of everything and you and also start with the following which will show every message in/out

filebeat -e -d "*"

You could also set logging to debug.

You also need to look through the logs there is info there.

artschooldropout · August 30, 2023, 5:03pm

Ok thanks again.

Yes I noticed the error as you pointed out:

"Connection has been closed"

I think I had issued ctrl-c and not known that action would shut down filebeat. I tried again and don't see that message.

I disabled all but the Cisco module, and issued

filebeat -e -d "*"

I sent a log while this was running. Here's what I'm seeing:

gist.github.com

https://gist.github.com/packetuser/422461f6d336aca764f0921cc08d131c

gistfile1.txt

{"log.level":"info","@timestamp":"2023-08-30T16:56:12.780Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.780Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":870},"message":"Beat metadata path: /var/lib/filebeat/meta.json","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-30T16:56:12.780Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.785Z","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.785Z","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition !contains: map[]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.786Z","log.logger":"docker","log.origin":{"file.name":"docker/client.go","file.line":49},"message":"Docker client will negotiate the API version on the first request.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.786Z","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":130},"message":"add_cloud_metadata: starting to fetch metadata, timeout=3s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.786Z","log.logger":"add_docker_metadata","log.origin":{"file.name":"add_docker_metadata/add_docker_metadata.go","file.line":89},"message":"add_docker_metadata: docker environment not detected: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:12.786Z","log.logger":"kubernetes","log.origin":{"file.name":"add_kubernetes_metadata/kubernetes.go","file.line":153},"message":"Could not create kubernetes client using in_cluster config: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable","service.name":"filebeat","libbeat.processor":"add_kubernetes_metadata","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-08-30T16:56:15.789Z","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":167},"message":"add_cloud_metadata: received disposition for gcp after 3.002793026s. result=[provider:gcp, error=failed requesting gcp metadata: Get \"http://169.254.169.254/computeMetadata/v1/?recursive=true&alt=json\": dial tcp 169.254.169.254:80: i/o timeout, metadata={}]","service.name":"filebeat","ecs.version":"1.6.0"}

This file has been truncated. show original

I don't see anything in there that looks suspicious, except this on line 89:

"message":"Pipeline already exists in Elasticsearch."

stephenb · August 30, 2023, 5:07pm

Yup Looks pretty normal

Do you see the UDP port open?

did you try to netcat a couple of messages?

if it is reading them you should see them show up in the logs when you use the -d "*"

when you are running netstat are you asking for udp? can you show the command?

artschooldropout · August 30, 2023, 5:17pm

Aha, I think I had been using netcat incorrectly. I tried this to see UDP:

 sudo netstat -nulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1216/systemd-resolv
udp6       0      0 :::9002                 :::*                                1108401/filebeat

This seems to suggest I'm listening on IPv6 not IPv4?

stephenb · August 30, 2023, 5:19pm

that I can not really help you with....
mine on mac say udp46 I suspect it is running on both unless you have some special network settings

udp46 0 0 *.9002

artschooldropout · August 30, 2023, 5:42pm

Looks like someone else had the same issue: Filebeat Cisco Module: Listening on IPV6 only?

So in the cisco.yml file, I specified the host IP instead of 0.0.0.0. That seems to have helped:

netstat -nulp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 [host IP]:9002         0.0.0.0:*                           -

I tried to netcat a message:

$ echo ‘hello’ | nc -v -u -w 0 [host IP] 9002
Connection to [host IP] 9002 port [udp/*] succeeded!

However, I see nothing in the logs.

stephenb · August 30, 2023, 5:44pm

it takes more than hello... there is a buffer size etc...

nc -u 127.0.0.1 9002
hello lsakdjfaslkdfjh lsakdjfhasldkfjh
ladksjfhasldkfjh aslkdfjhasdflkjh

in logs

{"log.level":"debug","@timestamp":"2023-08-30T10:44:21.342-0700","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":213},"message":"Publish event: {\n  \"@timestamp\": \"2023-08-30T17:44:21.342Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"8.9.0\",\n    \"truncated\": false,\n    \"pipeline\": \"filebeat-8.9.0-cisco-ios-pipeline\"\n  },\n  \"agent\": {\n    \"name\": \"hyperion\",\n    \"type\": \"filebeat\",\n    \"version\": \"8.9.0\",\n    \"ephemeral_id\": \"f2d418c9-8fce-416e-b4d1-36309fcd56f5\",\n    \"id\": \"bc6fa02a-862e-4019-80db-fd6b422889b9\"\n  },\n  \"message\": \"ladksjfhasldkfjh aslkdfjhasdflkjh \\n\",\n  \"log\": {\n    \"source\": {\n      \"address\": \"127.0.0.1:64020\"\n    },\n    \"flags\": [\n      \"dissect_parsing_error\"\n    ]\n  },\n  \"event\": {\n    \"module\": \"cisco\",\n    \"dataset\": \"cisco.ios\",\n    \"timezone\": \"-07:00\",\n    \"original\": \"ladksjfhasldkfjh aslkdfjhasdflkjh \\n\"\n  },\n  \"fileset\": {\n    \"name\": \"ios\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  },\n  \"error\": {\n    \"message\": \"GoError: could not find delimiter: `` in remaining: `ladksjfhasldkfjh aslkdfjhasdflkjh \\n`, (offset: 0)\"\n  },\n  \"tags\": [\n    \"cisco-ios\",\n    \"forwarded\",\n    \"_js_exception\"\n  ],\n  \"service\": {\n    \"type\": \"cisco\"\n  },\n  \"input\": {\n    \"type\": \"syslog\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}

artschooldropout · August 30, 2023, 6:29pm

Alas, still no.

I was poking around in the GUI, and I see there's an error message related to the Cisco module:

GoError: could not find delimiter: `` in remaining: `
`, (offset: 0)`Preformatted text`

Someone else had this issue, so I'll poke around where he was directed: Error with Cisco module for filebeat

stephenb · August 30, 2023, 6:36pm

Not sure where you got that error message... where you are seeing that.

First is the port open.

2nd when you do -d "*" do you see it in the filebeat logs

Then when you send cisco data is it getting to the filebeat hosts

Then you could see with the -d "*"

Then is the cisco data showing up in the elastic filebeat index

Then is it parsing correctly

Then is it in the dashboards

artschooldropout · August 30, 2023, 6:45pm

Yes, port is open according to netstat:

netstat -nulp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 1[host IP]:9002         0.0.0.0:*                           -

No, when I do a -d "*" I don't see anything in the logs: no messages generated by netcat, nor real Cisco logs being sent by a Cisco IOS device.

The log message I mention is in the Elastic Discover dashboard.

stephenb · August 30, 2023, 6:50pm

Untill you see them there ... nothing else matter ... nothing is being read / getting that port ... Firewall?

Try the netcat with multi-line... there is something basic going on ... Firewall?

artschooldropout · August 30, 2023, 8:38pm

After quite a bit of digging, I discovered that the logs are actually making it to the Elastic dashboard, but not visible in -d "*".

There is one remaining issue: every log entry is generating an error message, for instance: GoError: could not find delimiter: `` in remaining: Interface GigabitEthernet1/0/37, changed state to up, (offset: 0)

All of the suggestions offered so far have been incredibly helpful. So thank you again!

stephenb · August 30, 2023, 10:48pm

I think the -d "*" not working is perhaps related to the error.

And you are sure you are sending it ios logs not asa etc

Or perhaps you have customized the ios logs that could cause an issue because filbeat would be expecting the defaults.

So it turns out that there is a client (filebeat) side processing on the ios data.... along with some other data sets.

It is javascript that runs from filebeat / go my suspicion is your log format and that script are in conflict and that is where the error is coming from.

  - script:
      lang: javascript
      id: cisco_ios
      file: ${path.home}/module/cisco/ios/config/pipeline.js

So what to do .... just for grins you could try just the raw UDP input and see what the messages look like on the elastic side, you might to do some of your own parsing.

artschooldropout · August 31, 2023, 1:03pm

OK I'll check that out. And yes, I'm sure I'm sending IOS logs. I haven't customized them at all.

artschooldropout · September 5, 2023, 7:21pm

Ok so apparently I didn't RTFM. The Cisco Filebeat module is apparently only for ACL entries, not generic Syslog events from IOS devices.

stephenb · September 5, 2023, 7:26pm

So perhaps try just a generic SYSLOG integration and see what you get...
You could start with that.. .
Then you could add some custom parsing on top of that.

system · October 3, 2023, 7:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.