Hello!
I am currently troubleshooting sending FTD syslog output to a filebeat listener. I'm able to sniff traffic and see packets arriving, but filebeat does not seem to do ANYTHING with the event. I've experimented with running filebeat -e -d "*" -c filebeat.yml
while sending a sample event via netcat:
cat firepower-management.log-expected.json |nc -w 1 -u -4 <servername> 9003
Module config:
ftd:
  enabled: true
  var.input: syslog
  var.syslog_host: 0.0.0.0
  var.syslog_port: 9003
  var.log_level: 7
  var.tags: [cisco-ftd]
Nothing happens. I see no output from the filebeat debug console when either an FMC-generated or an artificial packet is sent to the listening port, and subsequently nothing is indexed.
Any guidance / advice / help in troubleshooting is appreciated. This particular filebeat instance is configured to capture other log files and has been indexing those appropriately; I've disabled all inputs but the FTD input at present just to focus troubleshooting.
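Two loopback checks that split the situation above into separately testable pieces, as an added example that is not part of the original post: whether anything currently holds UDP 9003 on the host at all, and whether the datagram being sent carries the RFC 3164 `<PRI>` header that a syslog listener expects, proven over a throwaway local socket independent of filebeat. The facility value (local4), the hostname and the message text are constructed assumptions, and the bind check assumes Linux semantics.

```python
"""Loopback sanity checks for a UDP syslog listener (constructed example, not FMC output)."""
import socket
from datetime import datetime

# RFC 3164: PRI = facility * 8 + severity. local4 (20) is assumed here as the
# device facility; informational severity is 6.
FACILITY_LOCAL4 = 20
SEV_INFO = 6


def build_syslog_line(facility, severity, host, msg, ts=None):
    """Return an RFC 3164 style line: <PRI>Mon DD HH:MM:SS host msg."""
    ts = ts or datetime(2024, 1, 1, 12, 0, 0)  # fixed stamp so output is deterministic
    return "<%d>%s %s %s" % (facility * 8 + severity, ts.strftime("%b %d %H:%M:%S"), host, msg)


def parse_pri(line):
    """Split the leading <PRI> back into (facility, severity); ValueError if absent."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("no PRI header: a JSON blob or bare text is not a syslog datagram")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def port_is_unbound(port, host="0.0.0.0"):
    """True if nothing holds host:port for UDP, i.e. the expected listener is not up.
    Assumes Linux semantics: a second plain bind on a held port raises EADDRINUSE."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def udp_roundtrip(line, host="127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port, send `line` to it over UDP
    and return what arrived, proving the sending path without involving filebeat."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((host, 0))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(line.encode(), rx.getsockname())
        data, _ = rx.recvfrom(65535)
        return data.decode()
    finally:
        tx.close()
        rx.close()
```

Run `port_is_unbound(9003)` while filebeat is supposed to be listening: `True` means the input never bound the port, which points at module loading or config rather than at the sender.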