Cisco IOS integration - No data has been received from this module yet

I tried adding the Cisco Logs integration to my existing one-node cluster but I can't see any Cisco logs and am unsure what I am doing wrong.

It already had Filebeat configured for other logs and working. Can you also collect Cisco logs with the same Filebeat instance?

This is the Filebeat config in place:

/etc/filebeat/filebeat.yml

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - /var/log/*.log
- type: syslog
  enabled: true
  format: rfc5424
  protocol.tcp:
    host: "10.6.11.104:9000"
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "http://10.6.11.104:5601"
output.elasticsearch:
  hosts: ["https://10.6.11.104:9200"]
  protocol: "https"
  username: "elastic"
  password: "I2..........Tp"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "5ee828498ff50bf6dfa862f4307c7b305f1d9d08d8f98be7375add41805646a2"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded

/etc/filebeat/modules.d/cisco.yml

- module: cisco
  ios:
    enabled: true
    var.input: syslog
    var.syslog_host: localhost
    var.syslog_port: 9002
    var.syslog_protocol: udp
  nexus:
    enabled: true
    var.input: udp
    var.syslog_host: localhost
    var.syslog_port: 9506

In the output of "lsof -i -n -P | grep filebeat" I can see the Cisco ports 9002 and 9506:

filebeat  1337318              root    9u  IPv4 7409836      0t0  TCP 10.6.11.104:9000 (LISTEN)
filebeat  1337318              root   30u  IPv4 7410881      0t0  TCP 10.6.11.104:9000->10.6.190.21:28435 (ESTABLISHED)
filebeat  1337318              root   31u  IPv4 7410886      0t0  TCP 10.6.11.104:9000->10.7.190.13:12013 (ESTABLISHED)
filebeat  1337318              root   32u  IPv4 7408889      0t0  TCP 10.6.11.104:40770->10.6.11.104:9200 (ESTABLISHED)
filebeat  1337318              root   33u  IPv4 7416957      0t0  TCP 10.6.11.104:9000->10.7.190.21:34192 (ESTABLISHED)
filebeat  1337318              root   34u  IPv4 7409864      0t0  TCP 10.6.11.104:9000->10.6.190.27:27883 (ESTABLISHED)
filebeat  1337318              root   37u  IPv4 7410928      0t0  UDP 127.0.0.1:9002
filebeat  1337318              root   38u  IPv4 7408991      0t0  UDP 127.0.0.1:9506
filebeat  1337318              root   45u  IPv4 7417092      0t0  TCP 10.6.11.104:9000->10.6.190.22:22326 (ESTABLISHED)
filebeat  1337318              root   46u  IPv4 7408426      0t0  TCP 10.6.11.104:9000->10.6.190.72:14254 (ESTABLISHED)
filebeat  1337318              root   47u  IPv4 7422425      0t0  TCP 10.6.11.104:9000->10.6.190.28:15345 (ESTABLISHED)
filebeat  1337318              root   48u  IPv4 7417250      0t0  TCP 10.6.11.104:9000->10.6.190.71:41478 (ESTABLISHED)
filebeat  1337318              root   49u  IPv4 7408482      0t0  TCP 10.6.11.104:9000->10.6.190.13:41632 (ESTABLISHED)
filebeat  1337318              root   50u  IPv4 7425716      0t0  TCP 10.6.11.104:9000->10.7.190.22:48193 (ESTABLISHED)
filebeat  1337318              root   51u  IPv4 7429402      0t0  TCP 10.6.11.104:9000->10.6.190.63:29062 (ESTABLISHED)

I can't see any entries for the new logs - they should originate from 10.250.1.190/7:

journalctl -u filebeat.service -e -n 10000 --utc -g 10.250.1.197
journalctl -u filebeat.service -e -n 10000 --utc -g 10.250.1.190

But I can see the packets being received using "tcpdump -n udp port 9002", and these ports are allowed on the firewall...

I also did the usual:
filebeat modules enable cisco
filebeat setup and restart the service etc.

One of my colleagues changed /etc/filebeat/modules.d/cisco.yml to this, and logs are now being ingested on 9002 for ios and 9506 for nexus:

- module: cisco
  ios:
    enabled: true
    var.syslog_host: 0.0.0.0
  nexus:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9506
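
The lsof output in the post shows both Cisco UDP sockets bound to 127.0.0.1, which accepts only datagrams addressed to loopback: tcpdump sees the switches' packets on the interface, but the kernel never delivers them to Filebeat. The Python below is an added example, not part of the original post or of Filebeat, that classifies each unconnected socket in `lsof -i -n -P` output by who can reach it. The function names and the `*:9507` sample line are constructed for illustration.

```python
import ipaddress

# Constructed sample in `lsof -i -n -P` format, modelled on the output in the post.
SAMPLE = """\
filebeat  1337318  root    9u  IPv4 7409836  0t0  TCP 10.6.11.104:9000 (LISTEN)
filebeat  1337318  root   30u  IPv4 7410881  0t0  TCP 10.6.11.104:9000->10.6.190.21:28435 (ESTABLISHED)
filebeat  1337318  root   37u  IPv4 7410928  0t0  UDP 127.0.0.1:9002
filebeat  1337318  root   38u  IPv4 7408991  0t0  UDP 127.0.0.1:9506
filebeat  1337318  root   39u  IPv4 7408999  0t0  UDP *:9507
"""


def bind_scope(host):
    """Classify a local bind address by which senders can reach it."""
    if host == "*":                      # lsof prints the wildcard address as '*'
        return "all-interfaces"
    ip = ipaddress.ip_address(host.strip("[]"))   # IPv6 is shown as [addr]
    if ip.is_unspecified:                # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback-only" if ip.is_loopback else "single-address"


def listeners(lsof_text):
    """Yield (proto, host, port, scope) for every unconnected TCP/UDP socket."""
    for line in lsof_text.splitlines():
        fields = line.split()
        # Column 8 is NODE (TCP/UDP), column 9 is NAME; this also skips the header.
        if len(fields) < 9 or fields[7] not in ("TCP", "UDP"):
            continue
        proto, name = fields[7], fields[8]
        if "->" in name:                 # established connection, not a listener
            continue
        host, _, port = name.rpartition(":")
        if not port.isdigit():
            continue
        yield proto, host, int(port), bind_scope(host)


def loopback_only(lsof_text):
    """Return (proto, port) pairs that remote log sources cannot reach."""
    return [(proto, port) for proto, _, port, scope in listeners(lsof_text)
            if scope == "loopback-only"]


if __name__ == "__main__":
    for proto, host, port, scope in listeners(SAMPLE):
        print(f"{proto:3} {host}:{port:<5} {scope}")
```

Binding to 0.0.0.0 opens the listener on every interface of the host; setting var.syslog_host to the collector's own address (10.6.11.104 in the post) restricts it to that one interface.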
