Filebeat can't receive log from pfSense

Minh_Ti_n_Tr_n · May 22, 2020, 7:39am

Hi all, I'm trying to make filebeat receive pfsense syslog.
my filebeat.yml input part:

filebeat.inputs:
- type: syslog
  protocol.udp:
    host: "0.0.0.0:9560"
  fields_under_root: true
  fields:
    input.type: pfsense

My pfsense config:

It's connected as syslog show. But I can't find any log come from pfsense.

Please if you know how to resolve it please share with me.
Thanks & Regards

willemdh · May 22, 2020, 7:20pm

Hello, Had a similar issue when I setup my pfsense. Solved by setting the real ip of the host instead of 0.0.0.0. Please try that and make sure your local fw allows udp on 9560. Grtz

Minh_Ti_n_Tr_n · May 23, 2020, 2:09pm

Hi, a staff on elastic stack slask channel tell me to change into 0.0.0.0
My previous config is the pfsense IP

willemdh · May 23, 2020, 4:25pm

Is pfsense running on the host running filebeat?

If not, you could try set the ip of the host..

Minh_Ti_n_Tr_n · May 24, 2020, 11:04am

they are not on the same server
After changed into pfsense IP, I got the error on syslog
2020-05-24T18:02:29.737+0700#011ERROR#011[syslog]#011syslog/input.go:158#011Error starting the servererrorlisten udp 192.168.1.23:9560: bind: cannot assign requested address

Minh_Ti_n_Tr_n · May 24, 2020, 11:08am

When I use 0.0.0.0:9560, I can see port 9560 listening. But when changed to 192.168.1.23:9560, I dont see port 9560 on port running anymore

Minh_Ti_n_Tr_n · May 24, 2020, 11:43am

I use a visual syslog server on Windows and receive log but my ES server does not.

system · June 21, 2020, 11:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.