I tried adding the Cisco Logs integration to my existing one-node cluster, but I can't see any Cisco logs and am unsure what I am doing wrong.
It already had Filebeat configured and working for other logs. Can you also collect Cisco logs with the same Filebeat instance?
This is the Filebeat config in place:
/etc/filebeat/filebeat.yml

    filebeat.inputs:
    - type: filestream
      id: my-filestream-id
      enabled: true
      paths:
        - /var/log/*.log
    - type: syslog
      enabled: true
      format: rfc5424
      protocol.tcp:
        host: "10.6.11.104:9000"

    filebeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: true

    setup.template.settings:
      index.number_of_shards: 1

    setup.kibana:
      host: "http://10.6.11.104:5601"

    output.elasticsearch:
      hosts: ["https://10.6.11.104:9200"]
      protocol: "https"
      username: "elastic"
      password: "I2..........Tp"
      ssl:
        enabled: true
        ca_trusted_fingerprint: "5ee828498ff50bf6dfa862f4307c7b305f1d9d08d8f98be7375add41805646a2"

    processors:
      - add_host_metadata:
          when.not.contains.tags: forwarded

/etc/filebeat/modules.d/cisco.yml

    - module: cisco
      ios:
        enabled: true
        var.input: syslog
        var.syslog_host: localhost
        var.syslog_port: 9002
        var.syslog_protocol: udp
      nexus:
        enabled: true
        var.input: udp
        var.syslog_host: localhost
        var.syslog_port: 9506
In the output of `lsof -i -n -P | grep filebeat` I can see the Cisco ports 9002 and 9506:
filebeat 1337318 root 9u IPv4 7409836 0t0 TCP 10.6.11.104:9000 (LISTEN)
filebeat 1337318 root 30u IPv4 7410881 0t0 TCP 10.6.11.104:9000->10.6.190.21:28435 (ESTABLISHED)
filebeat 1337318 root 31u IPv4 7410886 0t0 TCP 10.6.11.104:9000->10.7.190.13:12013 (ESTABLISHED)
filebeat 1337318 root 32u IPv4 7408889 0t0 TCP 10.6.11.104:40770->10.6.11.104:9200 (ESTABLISHED)
filebeat 1337318 root 33u IPv4 7416957 0t0 TCP 10.6.11.104:9000->10.7.190.21:34192 (ESTABLISHED)
filebeat 1337318 root 34u IPv4 7409864 0t0 TCP 10.6.11.104:9000->10.6.190.27:27883 (ESTABLISHED)
filebeat 1337318 root 37u IPv4 7410928 0t0 UDP 127.0.0.1:9002
filebeat 1337318 root 38u IPv4 7408991 0t0 UDP 127.0.0.1:9506
filebeat 1337318 root 45u IPv4 7417092 0t0 TCP 10.6.11.104:9000->10.6.190.22:22326 (ESTABLISHED)
filebeat 1337318 root 46u IPv4 7408426 0t0 TCP 10.6.11.104:9000->10.6.190.72:14254 (ESTABLISHED)
filebeat 1337318 root 47u IPv4 7422425 0t0 TCP 10.6.11.104:9000->10.6.190.28:15345 (ESTABLISHED)
filebeat 1337318 root 48u IPv4 7417250 0t0 TCP 10.6.11.104:9000->10.6.190.71:41478 (ESTABLISHED)
filebeat 1337318 root 49u IPv4 7408482 0t0 TCP 10.6.11.104:9000->10.6.190.13:41632 (ESTABLISHED)
filebeat 1337318 root 50u IPv4 7425716 0t0 TCP 10.6.11.104:9000->10.7.190.22:48193 (ESTABLISHED)
filebeat 1337318 root 51u IPv4 7429402 0t0 TCP 10.6.11.104:9000->10.6.190.63:29062 (ESTABLISHED)
I can't see any entries for the new logs. They should originate from 10.250.1.190 or 10.250.1.197:

    journalctl -u filebeat.service -e -n 10000 --utc -g 10.250.1.197
    journalctl -u filebeat.service -e -n 10000 --utc -g 10.250.1.190

But I can see the packets arriving using `tcpdump -n udp port 9002`, and these ports are allowed on the firewall...
I also did the usual:

    filebeat modules enable cisco
    filebeat setup

and restarted the service, etc.
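Added example, not part of the post above: a small Python check for the situation the post describes, where tcpdump shows datagrams arriving but a listener shows nothing. It parses `lsof -i -n -P` output like the lines quoted above and applies the kernel's UDP delivery rule: a socket bound to 127.0.0.1 receives only datagrams addressed to 127.0.0.1, while a datagram addressed to another local address (10.6.11.104 in the post) is visible to tcpdump on the host but is answered with ICMP port unreachable and never reaches the socket. It also sends a constructed Cisco IOS style syslog line so the path can be exercised end to end. The sample lsof text and the syslog payload are constructed for the example; the function names are the example's own.

```python
"""Does a syslog datagram reach the UDP socket a collector has bound?

Parses lsof -i -n -P output, applies the bind-address delivery rule, and can
fire a test Cisco IOS style line at a host:port. Standalone example code.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lsof lines quoted in the post above.
SAMPLE_LSOF = """\
filebeat 1337318 root 9u IPv4 7409836 0t0 TCP 10.6.11.104:9000 (LISTEN)
filebeat 1337318 root 30u IPv4 7410881 0t0 TCP 10.6.11.104:9000->10.6.190.21:28435 (ESTABLISHED)
filebeat 1337318 root 37u IPv4 7410928 0t0 UDP 127.0.0.1:9002
filebeat 1337318 root 38u IPv4 7408991 0t0 UDP 127.0.0.1:9506
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "TCP" or "UDP"
    addr: str   # bound address as lsof prints it; "*" means all interfaces
    port: int


# Matches the NAME column of an lsof line: "UDP 127.0.0.1:9002" or
# "TCP 10.6.11.104:9000 (LISTEN)". Connected sockets contain "->" and are
# skipped before this regex is applied.
_NAME = re.compile(r"\b(TCP|UDP)\s+(\S+?):(\d+)(?:\s+\((\w+)\))?\s*$")


def parse_listeners(lsof_text: str) -> List[Listener]:
    """Return the bound, unconnected TCP/UDP sockets from lsof -i -n -P output."""
    out = []
    for line in lsof_text.splitlines():
        if "->" in line:
            continue  # established connection, not a listener
        m = _NAME.search(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTEN":
            continue
        out.append(Listener(proto, addr, int(port)))
    return out


def udp_delivery_problem(listeners: List[Listener], dst_ip: str, dst_port: int) -> Optional[str]:
    """None if a datagram to dst_ip:dst_port reaches one of `listeners`, else why not."""
    candidates = [l for l in listeners if l.proto == "UDP" and l.port == dst_port]
    if not candidates:
        return f"no UDP socket bound on port {dst_port}"
    # A wildcard bind, or a bind to exactly the destination address, receives it.
    if any(l.addr in ("*", "0.0.0.0", dst_ip) for l in candidates):
        return None
    bound = ", ".join(l.addr for l in candidates)
    return (f"UDP port {dst_port} is bound only to {bound}; a datagram addressed "
            f"to {dst_ip} is dropped with ICMP port unreachable")


def send_test_syslog(host: str, port: int) -> bytes:
    """Send one constructed Cisco IOS style syslog line over UDP; returns the payload."""
    # <189> = facility local7, severity notice, the IOS default. Constructed message.
    payload = (b"<189>42: *Mar  1 00:00:00.000: %SYS-5-CONFIG_I: "
               b"Configured from console by admin on vty0")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return payload


def loopback_roundtrip() -> bool:
    """Bind a receiver on 127.0.0.1 as the module config does, send to 127.0.0.1, confirm arrival."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port so the demo never collides
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        sent = send_test_syslog("127.0.0.1", port)
        data, _ = rx.recvfrom(4096)
    return data == sent


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_LSOF)
    for dst in ("127.0.0.1", "10.6.11.104"):
        for port in (9002, 9506):
            print(dst, port, udp_delivery_problem(found, dst, port) or "deliverable")
    print("loopback round trip:", loopback_roundtrip())
```

To use it against a live host, feed `udp_delivery_problem` the real `lsof -i -n -P` output and the destination address the devices actually send to (the address tcpdump shows as the packet destination), then call `send_test_syslog` with the same target from another machine and watch the collector's log for the test line. The rule encoded here is the kernel's, not anything specific to Filebeat, so the same check applies to any UDP collector.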