Filebeat checkpoint module not getting data from syslog

I'm trying to send CheckPoint Firewall logs to Elasticsearch 8.0.
I have machine A (192.168.1.123) running Rsyslog, receiving logs on port 514 and writing them to a file, and machine B (192.168.1.234) running Elasticsearch and Kibana. Both are Rocky Linux 8.5. For test purposes, firewalld is down and SELinux is set to Permissive on machine B.

I was able to configure /etc/filebeat/modules.d/checkpoint.yml to read from the file on machine A and send to Elasticsearch on machine B:

    - module: checkpoint
      firewall:
        enabled: true
        var.input: file
        var.paths: ["/rsyslog/Checkpoint.log"]

This is the relevant portion of /etc/filebeat/filebeat.yml on machine A:

    output.elasticsearch:
      hosts: ["machineB.mydomain.dom:9200"]
      protocol: "https"
      username: "elastic"
      password: "mypassword"
      ssl.verification_mode: none

If I check /var/lib/filebeat/registry/filebeat/log.json on machine A I see lots of lines including the field "source":"/rsyslog/Checkpoint.log" and if I browse Kibana on machine B I see the logs.

THE PROBLEM:

I would like to host the Elastic Stack all on machine B, therefore I configured Rsyslog to forward the logs from machine A to machine B on port 9001 and installed Filebeat on machine B.

tcpdump on machine B shows that the logs are being received:

    16:49:32.478830 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 833
    16:49:32.478853 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 960
    16:49:32.478966 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 960

This is the configuration of /etc/filebeat/modules.d/checkpoint.yml on machine B:

    - module: checkpoint
      firewall:
        enabled: true
        var.input: syslog
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9001

And this is the relevant portion of /etc/filebeat/filebeat.yml on machine B:

    output.elasticsearch:
      hosts: ["localhost:9200"]
      protocol: "https"
      username: "elastic"
      password: "mypassword"
      ssl.verification_mode: none

filebeat test output returns OK.

With this configuration, /var/lib/filebeat/registry/filebeat/log.json on machine B is empty, and if I browse Kibana I can see filebeat-8.0.1-checkpoint-firewall-pipeline under "Stack Management" > "Ingest Pipelines", but no logs show up if I go to "Home" > "Analytics" > "Discover".

I also tried to increase the log verbosity of filebeat by enabling

    logging.level: debug
    logging.selectors: [ beat, publisher, service ]

in /etc/filebeat/filebeat.yml, but I don't see anything useful in the files inside /var/log/filebeat/.

The port UDP/9001 appears to be open if I list the listening ports:

    # ss -ulnp
    State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
    UNCONN  0       0       *:9001              *:*                users:(("filebeat",pid=39331,fd=12))

I don't know where else to look.
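A throwaway UDP syslog receiver for isolating this kind of problem, added here as an example and not part of the original post: run it on machine B with Filebeat stopped so the port is free. If rsyslog's forwarded datagrams arrive here and parse as syslog, the network path and the forwarder template are fine and the fault is on the Filebeat input side; if they arrive but fail to parse, the forwarder is the suspect. The bind address, port and sample line are constructed assumptions.

```python
"""Stand-in UDP receiver: does a syslog datagram reach host:port at all, and is it well-formed?"""
import re
import socket

# RFC 3164 style header as produced by rsyslog's default forwarding template:
# "<PRI>Mon dd hh:mm:ss host message"
_HEADER = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    rb"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

# Constructed sample (not a real Check Point line): PRI 134 = local0.info
SAMPLE = b"<134>Mar  1 16:49:32 cpgw time=1646153372|action=Accept|product=Firewall"


def parse_syslog_datagram(data: bytes) -> dict:
    """Split one datagram into facility, severity, timestamp, host and message.

    Returns {'error': ...} for datagrams without a valid syslog header, which is
    what a mis-templated forwarder would produce.
    """
    m = _HEADER.match(data)
    if not m:
        return {"error": "no RFC 3164 header", "raw": data.decode(errors="replace")}
    pri = int(m.group("pri"))
    if pri > 191:  # max facility 23, severity 7 -> 23*8+7
        return {"error": f"PRI {pri} out of range", "raw": data.decode(errors="replace")}
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts").decode(),
        "host": m.group("host").decode(),
        "message": m.group("msg").decode(errors="replace"),
    }


def receive_datagrams(host: str, port: int, count: int, timeout: float = 10.0) -> list:
    """Bind host:port for UDP (the same tuple Filebeat would bind) and parse up to `count` datagrams."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.settimeout(timeout)
        while len(results) < count:
            try:
                data, peer = sock.recvfrom(65535)
            except socket.timeout:
                break  # nothing arrived: look at the forwarder or the path, not Filebeat
            parsed = parse_syslog_datagram(data)
            parsed["peer"] = peer[0]  # should be the rsyslog box, 192.168.1.123 here
            results.append(parsed)
    return results


if __name__ == "__main__":
    print(parse_syslog_datagram(SAMPLE))
    # Live check with Filebeat stopped: print(receive_datagrams("0.0.0.0", 9001, 3))
```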

Apparently

    var.syslog_host: 0.0.0.0

does not work.

I had luck with either

    var.syslog_host: 192.168.1.234

or

    var.syslog_host: machineB.mydomain.dom
