Hello!
I have a problem ingesting Barracuda logs: I have trouble setting up the Barracuda module. It gives me this error when I enable the module and run "sudo filebeat setup -e":
2022-03-15T15:32:39.986Z ERROR instance/beat.go:1015 Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key
Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key
Does anyone know the right configuration I need to put in place to get them running? When I leave the default configuration it does not give me an error, but when I uncomment a line it gives me this error.
I have these firewall rules in place:
siem@siem:/etc/filebeat$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
9503/tcp                   ALLOW IN    Anywhere
5601/tcp                   ALLOW IN    Anywhere
514/tcp                    ALLOW IN    Anywhere
514/udp                    ALLOW IN    Anywhere
8220/tcp                   ALLOW IN    Anywhere
8220/udp                   DENY IN     Anywhere
9503/udp                   ALLOW IN    Anywhere
9524/tcp                   ALLOW IN    Anywhere
9524/udp                   ALLOW IN    Anywhere
8220/tcp (v6)              ALLOW IN    Anywhere (v6)
8220/udp (v6)              DENY IN     Anywhere (v6)
9503/udp (v6)              ALLOW IN    Anywhere (v6)
9524/tcp (v6)              ALLOW IN    Anywhere (v6)
9524/udp (v6)              ALLOW IN    Anywhere (v6)
I have no idea why this is not working. Please guide me on where to look, because I cannot find a resource on how to deal with this problem.
Yes. There was a problem that the customer had not opened port 9200 as well, but there are still no logs there.
Here is the configuration of the module that is enabled on the SIEM system (maybe I need to install it on the Barracuda server, but I'm not sure about that):
# Module: barracuda
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-module-barracuda.html

- module: barracuda
  waf:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: 0.0.0.0
    # var.syslog_port: 9503

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  spamfirewall:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: 0.0.0.0
    # var.syslog_port: 9524

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
I believe it is the default configuration. When I uncomment lines, it gives me an error about some key that was expected.
I have updated firewall configuration as this:
siem@siem:/etc/filebeat$ sudo ufw status numbered
[sudo] password for siem:
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 514                        ALLOW IN    Anywhere
[ 3] 9200                       ALLOW IN    Anywhere
[ 4] 5601                       ALLOW IN    Anywhere
[ 5] 9503                       ALLOW IN    Anywhere
[ 6] 9524                       ALLOW IN    Anywhere
[ 7] 8220                       ALLOW IN    Anywhere
[ 8] 2055                       ALLOW IN    Anywhere
siem@siem:/etc/filebeat$
The filebeat.yml configuration is the default as well, apart from the configuration for the Kibana and Elasticsearch output:
# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "172.23.27.98:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.23.27.98:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "http"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "I4KmpGrNMhPcElDdbOBn"
I'm using Elastic version 7.17.1 and no SSL certificate. I hope that this is not the problem, as other modules work fine (for example the Threatintel module).
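The "did not find expected key" error shown in this thread is what Filebeat's YAML loader reports when a mapping key is indented so that it lines up with neither its siblings nor an enclosing block. A typical way to get there in a module file is to uncomment "    # var.input: udp" by deleting only the "#" and keeping the space after it, which leaves the key one column deeper than "enabled:". The script below is an added example (not code from this thread and not Elastic's own tooling): a small stdlib-only Python check that flags such lines, and tabs in indentation, before you run "filebeat test config". The two embedded configurations are constructed samples that imitate the barracuda module stanza with its comments stripped.

```python
"""Indentation check for Filebeat YAML files such as modules.d/barracuda.yml.

Added example, not code from the original thread or from Elastic.  It tracks
YAML block structure by indentation only (a deliberate heuristic): a line that
ends in ':' or starts with '- ' opens a nested block, so the next line may be
indented deeper; every other line must sit exactly on one of the open levels.
Lines that break that rule are what makes Filebeat's loader reject the file
with errors such as "did not find expected key".  Tabs in indentation are
reported too, because YAML forbids them.
"""

import re
import sys
from typing import List, Tuple


def check_indentation(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) pairs; an empty list means no problem found."""
    problems: List[Tuple[int, str]] = []
    levels = [0]      # stack of currently open block indentation columns
    opener = False    # whether the previous significant line opened a block

    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue                                 # blanks and comments are free-form
        body = re.sub(r"\s+#.*$", "", body)          # drop a trailing comment (heuristic)
        leading = raw[: len(raw) - len(raw.lstrip())]
        if "\t" in leading:
            problems.append((lineno, "tab in indentation; YAML allows spaces only"))
            continue
        indent = len(leading)

        if indent > levels[-1]:
            if not opener:
                problems.append((lineno, f"indented to column {indent}, but the previous "
                                         f"line opens no block (siblings sit at {levels[-1]})"))
            levels.append(indent)                    # resync so only the first bad line reports
        else:
            while levels[-1] > indent:
                levels.pop()                         # leaving nested blocks
            if levels[-1] != indent:
                problems.append((lineno, f"column {indent} lines up with no open block "
                                         f"(open levels: {levels})"))
                levels.append(indent)

        opener = body.endswith(":") or body.startswith("- ")
    return problems


# Constructed sample: the barracuda module stanza with its variables uncommented correctly.
GOOD = """\
- module: barracuda
  waf:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9503
  spamfirewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9524
"""

# Constructed sample with two typical mistakes: line 4 kept the space that
# followed the deleted "#" (one column too deep), line 11 lost a space
# (one column too shallow, lining up with nothing).
BROKEN = """\
- module: barracuda
  waf:
    enabled: true
     var.input: udp
     var.syslog_host: 0.0.0.0
     var.syslog_port: 9503
  spamfirewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
   var.syslog_port: 9524
"""


def main(argv: List[str]) -> int:
    """Check the files named on the command line, or the built-in samples."""
    if argv:
        sources = [(path, open(path, encoding="utf-8").read()) for path in argv]
    else:
        sources = [("GOOD", GOOD), ("BROKEN", BROKEN)]
    worst = 0
    for name, text in sources:
        found = check_indentation(text)
        status = "OK" if not found else f"{len(found)} problem(s)"
        print(f"{name}: {status}")
        for lineno, msg in found:
            print(f"  line {lineno}: {msg}")
        worst = max(worst, len(found))
    return 1 if worst else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as "python3 check_yaml_indent.py /etc/filebeat/modules.d/barracuda.yml" (the script name is hypothetical); a line reported here is the one to re-indent to the same column as its "enabled:" sibling. An empty result only means the indentation is consistent; "sudo filebeat test config" remains the authoritative check, since this script does not validate values or unbalanced quotes.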