I'm trying to send CheckPoint Firewall logs to Elasticsearch 8.0.
I have machine A (192.168.1.123) running Rsyslog, which receives logs on port 514 and writes them to a file, and machine B (192.168.1.234) running Elasticsearch and Kibana. They are both Rocky Linux 8.5. For test purposes, firewalld is down and SELinux is set to Permissive on machine B.
I was able to configure /etc/filebeat/modules.d/checkpoint.yml to read from the file on machine A and send to Elasticsearch on machine B:
- module: checkpoint
  firewall:
    enabled: true
    var.input: file
    var.paths: ["/rsyslog/Checkpoint.log"]
This is the relevant portion of /etc/filebeat/filebeat.yml on machine A:
output.elasticsearch:
  hosts: ["machineB.mydomain.dom:9200"]
  protocol: "https"
  username: "elastic"
  password: "mypassword"
  ssl.verification_mode: none
If I check /var/lib/filebeat/registry/filebeat/log.json on machine A, I see lots of lines including the field "source":"/rsyslog/Checkpoint.log", and if I browse Kibana on machine B I see the logs.
THE PROBLEM:
I would like to host the Elastic Stack all on machine B, therefore I configured Rsyslog to forward the logs from machine A to machine B on port 9001 and installed Filebeat on machine B.
tcpdump on machine B shows that the logs are being received:
16:49:32.478830 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 833
16:49:32.478853 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 960
16:49:32.478966 IP 192.168.1.123.46757 > 192.168.1.234.9001: UDP, length 960
This is the configuration of /etc/filebeat/modules.d/checkpoint.yml on machine B:
- module: checkpoint
  firewall:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
And this is the relevant portion of /etc/filebeat/filebeat.yml on machine B:
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "mypassword"
  ssl.verification_mode: none
filebeat test output returns OK.
With this configuration, /var/lib/filebeat/registry/filebeat/log.json on machine B is empty, and if I browse Kibana I can see filebeat-8.0.1-checkpoint-firewall-pipeline under "Stack Management" > "Ingest Pipelines", but no logs are received if I go to "Home" > "Analytics" > "Discover".
I also tried to increase the log verbosity of Filebeat by enabling
logging.level: debug
logging.selectors: [ beat, publisher, service ]
in /etc/filebeat/filebeat.yml, but I don't see anything useful in the files inside /var/log/filebeat/.
The port UDP/9001 appears to be open if I list the listening ports:
# ss -ulnp
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0       *:9001              *:*                users:(("filebeat",pid=39331,fd=12))
I don't know where else to look.