I'm trying to send CheckPoint Firewall logs to Elasticsearch 8.0.
I have machine A (192.168.1.123) running Rsyslog, receiving logs on port 514 and writing them to a file, and machine B (192.168.1.234) running Elasticsearch and Kibana. They are both Rocky Linux 8.5. For test purposes, firewalld is down and SELinux is set to Permissive on machine B.
I was able to configure /etc/filebeat/modules.d/checkpoint.yml to read from the file on machine A and send to Elasticsearch on machine B:

- module: checkpoint
  firewall:
    enabled: true
    var.input: file
    var.paths: ["/rsyslog/Checkpoint.log"]
This is the relevant portion of /etc/filebeat/filebeat.yml on machine A:

output.elasticsearch:
  hosts: ["machineB.mydomain.dom:9200"]
  protocol: "https"
  username: "elastic"
  password: "mypassword"
  ssl.verification_mode: none
If I check /var/lib/filebeat/registry/filebeat/log.json on machine A I see lots of lines including the field "source":"/rsyslog/Checkpoint.log", and if I browse Kibana on machine B I see the logs.
I would like to host the Elastic Stack all on machine B, therefore I configured Rsyslog to forward the logs from machine A to machine B on port 9001 and installed Filebeat on machine B.
tcpdump on machine B shows that the logs are being received:

16:49:32.478830 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 833
16:49:32.478853 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 960
16:49:32.478966 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 960
This is the configuration of /etc/filebeat/modules.d/checkpoint.yml on machine B:

- module: checkpoint
  firewall:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
And this is the relevant portion of /etc/filebeat/filebeat.yml on machine B:

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "mypassword"
  ssl.verification_mode: none
filebeat test output returns OK.
With this configuration, /var/lib/filebeat/registry/filebeat/log.json on machine B is empty, and if I browse Kibana I can see filebeat-8.0.1-checkpoint-firewall-pipeline under "Stack Management" > "Ingest Pipelines", but no logs are received if I go to "Home" > "Analytics" > "Discover".
I also tried to increase the log verbosity of filebeat by enabling

logging.level: debug
logging.selectors: [ beat, publisher, service ]

in /etc/filebeat/filebeat.yml, but I don't see anything useful in the files inside
The port UDP/9001 appears to be open if I list the listening ports:

# ss -ulnp
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0       *:9001              *:*                users:(("filebeat",pid=39331,fd=12))
I don't know where else to look.
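The post above shows that datagrams arrive on UDP/9001 but nothing reaches the index, so the question is whether the Filebeat syslog input accepts what rsyslog forwards. The following script is an added example, not part of the original post or of Filebeat: it builds a Check Point Log Exporter-style syslog event (RFC 5424 header followed by a bracketed list of key:"value" pairs separated by semicolons, which is the layout as I understand it), sends it as a single UDP datagram straight to the listener, and parses the body back. The gateway name, IP addresses, field values, timestamp and the 127.0.0.1:9001 target are all constructed assumptions; point send_udp() at machine B to inject a known-good event and rule out the rsyslog forward, or feed it a line captured from tcpdump to see whether it has a parseable body at all.

```python
"""Inject a constructed Check Point-style syslog event into a UDP listener
(e.g. Filebeat's checkpoint module on UDP/9001) and parse the body back.

Added example, not code from the original post. The event layout follows the
Check Point Log Exporter syslog format as I understand it; every field value,
hostname and address below is constructed sample data.
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample fields: not taken from any real gateway.
SAMPLE_FIELDS: List[Tuple[str, str]] = [
    ("action", "Accept"),
    ("ifdir", "inbound"),
    ("ifname", "eth0"),
    ("src", "192.168.1.50"),
    ("dst", "192.168.1.234"),
    ("proto", "17"),
    ("service", "9001"),
    ("origin", "192.168.1.100"),
]


def build_event(fields: List[Tuple[str, str]], host: str = "gw-test",
                pri: int = 134, timestamp: str = "2022-03-01T16:49:32Z") -> str:
    """Render an RFC 5424 syslog line with a Log Exporter-style bracketed body."""
    body = "; ".join(f'{k}:"{v}"' for k, v in fields)
    # PRI 134 = facility local0 (16 * 8) + severity informational (6).
    # "CheckPoint" is the app-name and 22102 a constructed procid.
    return f"<{pri}>1 {timestamp} {host} CheckPoint 22102 - [{body}]"


def parse_event(line: str) -> Dict[str, str]:
    """Parse the bracketed key:"value" body of one event into a dict.

    Raises ValueError when there is no bracketed body, which is what a plain
    RFC 3164 line rewritten by a relay would look like to this parser.
    """
    start, end = line.find("["), line.rfind("]")
    if start == -1 or end == -1 or end <= start:
        raise ValueError("no Check Point structured body found")
    fields: Dict[str, str] = {}
    for pair in line[start + 1:end].split(";"):
        pair = pair.strip()
        if not pair:
            continue
        key, _, value = pair.partition(":")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def send_udp(line: str, host: str = "127.0.0.1", port: int = 9001) -> int:
    """Send one event as exactly one UDP datagram; returns the bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(line.encode("utf-8"), (host, port))


def loopback_roundtrip(line: str) -> Dict[str, str]:
    """Bind a throwaway UDP listener on loopback, send the line to it and
    parse what arrives, proving the datagram survives the wire unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # ephemeral port
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        send_udp(line, "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
    return parse_event(data.decode("utf-8"))


if __name__ == "__main__":
    event = build_event(SAMPLE_FIELDS)
    print(event)
    print(loopback_roundtrip(event))
    # Replace host/port with machine B's listener to test the Filebeat
    # syslog input independently of the rsyslog forward.
    send_udp(event, host="127.0.0.1", port=9001)
```

Like the rsyslog forward in the post, this sends plaintext UDP, so it is only a test probe for the ingest path; compare the line it produces with one of the 833- and 960-byte payloads from the tcpdump capture to see whether the forwarded events still carry the bracketed body or have been rewritten into a plain syslog line on the way.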