Filebeat Barracuda module

Hello!
I have a problem ingesting Barracuda logs: I have trouble setting up the Barracuda module. It gives me this error when I enable the module and run "sudo filebeat setup -e":

2022-03-15T15:32:39.986Z ERROR instance/beat.go:1015 Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key
Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key

Does anyone know what the right configuration is that I need to put in place to get them running? When I leave the default configuration it does not give me an error, but when I uncomment a line, it gives me this error.

I have these firewall rules in place:

siem@siem:/etc/filebeat$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
9503/tcp                   ALLOW IN    Anywhere
5601/tcp                   ALLOW IN    Anywhere
514/tcp                    ALLOW IN    Anywhere
514/udp                    ALLOW IN    Anywhere
8220/tcp                   ALLOW IN    Anywhere
8220/udp                   DENY IN     Anywhere
9503/udp                   ALLOW IN    Anywhere
9524/tcp                   ALLOW IN    Anywhere
9524/udp                   ALLOW IN    Anywhere
8220/tcp (v6)              ALLOW IN    Anywhere (v6)
8220/udp (v6)              DENY IN     Anywhere (v6)
9503/udp (v6)              ALLOW IN    Anywhere (v6)
9524/tcp (v6)              ALLOW IN    Anywhere (v6)
9524/udp (v6)              ALLOW IN    Anywhere (v6)

I have no idea why this is not working. Please guide me where to look, because I cannot find a resource on how to deal with this problem.

Could you please post your configuration? Maybe we will spot the problem.

Yes. There was a problem that the customer did not open port 9200 as well, but there are still no logs there.
Here is the configuration of the module that is enabled on the SIEM system (maybe I need to install it on the Barracuda server, but I'm not sure about that):

# Module: barracuda
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-module-barracuda.html

- module: barracuda
  waf:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: 0.0.0.0
    # var.syslog_port: 9503

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  spamfirewall:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: 0.0.0.0
    # var.syslog_port: 9524

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

I believe it is the default configuration. When I uncomment lines, it gives me an error about some key that was expected.

I have updated the firewall configuration to this:

siem@siem:/etc/filebeat$ sudo ufw status numbered
[sudo] password for siem:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 514                        ALLOW IN    Anywhere
[ 3] 9200                       ALLOW IN    Anywhere
[ 4] 5601                       ALLOW IN    Anywhere
[ 5] 9503                       ALLOW IN    Anywhere
[ 6] 9524                       ALLOW IN    Anywhere
[ 7] 8220                       ALLOW IN    Anywhere
[ 8] 2055                       ALLOW IN    Anywhere

siem@siem:/etc/filebeat$

The filebeat.yml configuration is default as well, apart from the configuration for the Kibana and Elasticsearch output:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "172.23.27.98:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.23.27.98:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "http"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "I4KmpGrNMhPcElDdbOBn"

I'm using Elastic version 7.17.1 and no SSL certificate. I hope that this is not the problem, as other modules work fine (for example the Threatintel module).

Any suggestions? :slight_smile:
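The message "yaml: line 8: did not find expected key" is what go-yaml, the parser Filebeat uses to read its configuration, reports when a key in a block mapping starts in a different column from its sibling keys. In the barracuda.yml quoted above, line 8 is "    # var.input: udp"; deleting only the "#" and keeping the space after it leaves that key one column deeper than "enabled: true", which is exactly this error. The following is an added example of the module file with the syslog inputs uncommented and aligned; it is not taken from the thread or from the Elastic documentation. The host and port values are the module defaults shown in the posted comments (0.0.0.0, 9503 for waf, 9524 for spamfirewall), and the file path is the standard modules.d location, assumed here for the SIEM host.

```yaml
# /etc/filebeat/modules.d/barracuda.yml (added example, not the original post's file)
#
# Broken variant that produces "yaml: line 8: did not find expected key":
#
#     enabled: true
#      var.input: udp        <- "#" removed, its trailing space kept: indented 5, not 4
#
# Fix: remove "# " (hash and the following space) so every var.* key sits in
# the same column as "enabled". Filebeat runs on the SIEM host; the Barracuda
# appliance is configured to export syslog to this host:port.

- module: barracuda
  waf:
    enabled: true
    # udp is the module default; tcp or file are the alternatives
    var.input: udp
    # listen on all interfaces of the SIEM host (module default)
    var.syslog_host: 0.0.0.0
    # must match the ufw rule for 9503 and the WAF's syslog export target
    var.syslog_port: 9503
    # keep the non-ECS fields the module produces (module default)
    var.rsa_fields: true
    # "local" = SIEM host timezone; use e.g. "+02:00" if the appliance
    # stamps its logs in a different zone
    var.tz_offset: local

  spamfirewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9524
    var.rsa_fields: true
    var.tz_offset: local
```

After editing, "sudo filebeat test config -e" parses the configuration without starting the beat, so an indentation slip shows up before "filebeat setup -e" is run again. The numbered ufw ruleset above allows 9503 and 9524 for both protocols, so once the module starts, "sudo tcpdump -ni any udp port 9503" on the SIEM host shows whether the appliance is actually sending anything; no packets there means the problem is on the Barracuda side or on the path, not in Filebeat. Separately, the output.elasticsearch section quoted above exposes the elastic superuser password in cleartext in a public thread: that credential should be treated as compromised and rotated, Filebeat should write with a dedicated least-privilege user rather than elastic, and the password belongs in the Filebeat keystore ("filebeat keystore create", "filebeat keystore add ES_PWD", then password: "${ES_PWD}" in filebeat.yml) instead of in the file.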

Did you have a chance to spot it? :slight_smile: I guess there is not much to see though :smiley:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.