Filebeat cisco/asa module not working

Rafal_Radziejewski · November 30, 2020, 3:08pm

Elasticsearch 7.9.2
Filebeat 7.10

Running command:
sudo filebeat setup -e --dashboards --pipelines --template
Produces:

2020-11-30T16:04:16.488+0100	ERROR	[load]	cfgfile/list.go:99	Error creating runner from config: fileset cisco/asa is configured but doesn't exist

2020-11-30T16:04:16.488+0100 ERROR cfgfile/reload.go:258 Error loading configuration files: 1 error: Error creating runner from config: fileset cisco/asa is configured but doesn't exist

My config is a valid yaml which basically looks like:

- module: cisco
  asa:
    enabled: true
    #var.paths: ["/var/log/cisco-asa.log"]
    #var.input: "file"
    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: 10.55.250.123
    #var.paths: ["/var/log/cisco-asa.log"]

    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 9001

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    #var.log_level: 7

It contains the rest of the modules which basically have enabled: false section only any ideas ? I am totally lost

Rafal_Radziejewski · November 30, 2020, 3:42pm

filebeat test config -e

Result:
Config OK

Rafal_Radziejewski · December 1, 2020, 9:09am

So i disabled this module and having this error:

    2020-12-01T03:40:16.592-0500	ERROR	instance/beat.go:956	Exiting: 1 error: Error checking if xpack is available: 500 Internal Server Error: {"error":{"root_cause":[{"type":"security_exception","reason":"Unexpected exception indices:admin/get"}],"type":"security_exception","reason":"Unexpected exception indices:admin/get"},"status":500}
Exiting: 1 error: Error checking if xpack is available: 500 Internal Server Error: {"error":{"root_cause":[{"type":"security_exception","reason":"Unexpected exception indices:admin/get"}],"type":"security_exception","reason":"Unexpected exception indices:admin/get"},"status":500}

Dain.Perkins · December 1, 2020, 2:18pm

@Rafal_Radziejewski
looking at your first post - the module config looks like you have enabled the module, but not configured an input (i.e. syslog or file...)

you'll need to configure either a syslog receiver:
var.input: syslog
var.syslog_host: <filebeat ip, localhost, or 0.0.0.0 here>
var.syslog.port: <port you want filebeat to listen on>

or file input:
var.input: "file"
var.paths: ["<path to log files>"]

Rafal_Radziejewski · December 1, 2020, 3:07pm

Thanks for answer but even disabling the module i am unable to run filebeat due to xpack error i mentioned in last post

Rafal_Radziejewski · December 3, 2020, 7:48am

Generally filebeat working with system and elasticsearch modules (with default config).
/etc/filebeat/modules.d/cisco.yml

- module: cisco
  asa:
    enabled: true

    var.input: syslog
    var.syslog_host: %My IP%
    var.syslog.port: 514

Unfortunatelly whenever I enable cisco module I receive following error:

2020-12-03T08:43:23.157+0100	INFO	instance/beat.go:648	Beat ID: b2915dfd-0bd2-4229-92d0-5f81966f2169
2020-12-03T08:43:23.161+0100	INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
2020-12-03T08:43:23.161+0100	INFO	[beat]	instance/beat.go:976	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "b2915dfd-0bd2-4229-92d0-5f81966f2169"}}}
2020-12-03T08:43:23.162+0100	INFO	[beat]	instance/beat.go:985	Build info	{"system_info": {"build": {"commit": "ad823eca4cc74439d1a44351c596c12ab51054f5", "libbeat": "7.9.1", "time": "2020-09-01T19:01:25.000Z", "version": "7.9.1"}}}
2020-12-03T08:43:23.162+0100	INFO	[beat]	instance/beat.go:988	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.7"}}}
2020-12-03T08:43:23.163+0100	INFO	[beat]	instance/beat.go:992	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-11-27T13:15:20+01:00","containerized":false,"name":"elastic-master-01","ip":["127.0.0.1/8","::1/128","10.55.250.123/24","fe80::8aa0:17a2:b575:295e/64"],"kernel_version":"3.10.0-1160.6.1.el7.x86_64","mac":["00:50:56:a1:af:e1"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":9,"patch":2009,"codename":"Core"},"timezone":"CET","timezone_offset_sec":3600,"id":"f5f3d07f4d294a0ead11b5d1351be953"}}}
2020-12-03T08:43:23.164+0100	INFO	[beat]	instance/beat.go:1021	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 2130, "ppid": 5958, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-12-03T08:43:22.870+0100"}}}
2020-12-03T08:43:23.165+0100	INFO	instance/beat.go:299	Setup Beat: filebeat; Version: 7.9.1
2020-12-03T08:43:23.165+0100	INFO	[add_cloud_metadata]	add_cloud_metadata/add_cloud_metadata.go:89	add_cloud_metadata: hosting provider type not detected.
2020-12-03T08:43:23.167+0100	INFO	eslegclient/connection.go:99	elasticsearch url: https://10.55.250.123:9305
2020-12-03T08:43:23.167+0100	INFO	[publisher]	pipeline/module.go:113	Beat name: elastic-master-01
2020-12-03T08:43:23.169+0100	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2020-12-03T08:43:23.169+0100	INFO	instance/beat.go:450	filebeat start running.
2020-12-03T08:43:23.172+0100	INFO	memlog/store.go:119	Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=8120546
2020-12-03T08:43:24.312+0100	INFO	memlog/store.go:124	Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=8143608
2020-12-03T08:43:24.313+0100	INFO	[registrar]	registrar/registrar.go:109	States Loaded from registrar: 34
2020-12-03T08:43:24.314+0100	INFO	[crawler]	beater/crawler.go:71	Loading Inputs: 2
2020-12-03T08:43:24.316+0100	INFO	beater/crawler.go:148	Stopping Crawler
2020-12-03T08:43:24.317+0100	INFO	beater/crawler.go:158	Stopping 0 inputs
2020-12-03T08:43:24.317+0100	INFO	beater/crawler.go:178	Crawler stopped
2020-12-03T08:43:24.317+0100	INFO	[registrar]	registrar/registrar.go:132	Stopping Registrar
2020-12-03T08:43:24.317+0100	INFO	[registrar]	registrar/registrar.go:166	Ending Registrar
2020-12-03T08:43:24.325+0100	INFO	[registrar]	registrar/registrar.go:137	Registrar stopped
2020-12-03T08:43:24.329+0100	INFO	[monitoring]	log/log.go:153	Total non-zero metrics	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":130,"time":{"ms":132}},"total":{"ticks":1380,"time":{"ms":1388},"value":1380},"user":{"ticks":1250,"time":{"ms":1256}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":8},"info":{"ephemeral_id":"e916b486-0352-48b2-817a-f37b81cab058","uptime":{"ms":1213}},"memstats":{"gc_next":7525344,"memory_alloc":5754104,"memory_total":66574304,"rss":35659776},"runtime":{"goroutines":11}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0.08,"5":0.07,"norm":{"1":0,"15":0.04,"5":0.035}}}}}}
2020-12-03T08:43:24.330+0100	INFO	[monitoring]	log/log.go:154	Uptime: 1.217955777s
2020-12-03T08:43:24.330+0100	INFO	[monitoring]	log/log.go:131	Stopping metrics logging.
2020-12-03T08:43:24.330+0100	INFO	instance/beat.go:456	filebeat stopped.
2020-12-03T08:43:24.330+0100	ERROR	instance/beat.go:951	Exiting: Failed to start crawler: creating module reloader failed: fileset cisco/asa is configured but doesn't exist
Exiting: Failed to start crawler: creating module reloader failed: fileset cisco/asa is configured but doesn't exist

When I just switch module cisco/asa to enabled:false, everything starts up correctly.
All modules files are owned by root with 755 permissions.
Is there something wrong with this module at 7.9.1 filebeat version?

Rafal_Radziejewski · December 3, 2020, 8:13am

version update:
Elasticsearch-oss 7.9.1 + OpenDistro & Wazuh plugins.
Filebeat-oss 7.9.1

Stillt he same behaviour as in above post, please help

Dain.Perkins · December 4, 2020, 8:10pm

@Rafal_Radziejewski

The Cisco modules are not included in the OSS version of Filebeat, you will need to run the Basic licensed version: https://www.elastic.co/downloads/beats/filebeat

system · January 1, 2021, 10:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat 7.3.2 Cisco Module Parsing issue for ASA Syslog rfc3164 Beats filebeat	3	1147	November 21, 2019
Configuration for Cisco ASA logs Beats beats-module , filebeat	4	469	April 2, 2021
Message "failed to find message" event.dataset "cisco.asa" Beats filebeat	12	3043	June 26, 2020
Filebeat cisco module not parsing ASA logs Beats filebeat	1	378	November 6, 2019
No data from filebeat cisco module Beats filebeat	9	2329	August 5, 2020

Filebeat cisco/asa module not working

Related Topics