Filebeat cisco/asa module not working

Elasticsearch 7.9.2
Filebeat 7.10

Running command:
sudo filebeat setup -e --dashboards --pipelines --template
Produces:

2020-11-30T16:04:16.488+0100	ERROR	[load]	cfgfile/list.go:99	Error creating runner from config: fileset cisco/asa is configured but doesn't exist

2020-11-30T16:04:16.488+0100 ERROR cfgfile/reload.go:258 Error loading configuration files: 1 error: Error creating runner from config: fileset cisco/asa is configured but doesn't exist

My config is a valid yaml which basically looks like:

- module: cisco
  asa:
    enabled: true
    #var.paths: ["/var/log/cisco-asa.log"]
    #var.input: "file"
    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: 10.55.250.123
    #var.paths: ["/var/log/cisco-asa.log"]

    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 9001

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    #var.log_level: 7

It contains the rest of the modules, which basically have only an enabled: false section. Any ideas? I am totally lost.

filebeat test config -e

Result:
Config OK

So I disabled this module and am now getting this error:

    2020-12-01T03:40:16.592-0500	ERROR	instance/beat.go:956	Exiting: 1 error: Error checking if xpack is available: 500 Internal Server Error: {"error":{"root_cause":[{"type":"security_exception","reason":"Unexpected exception indices:admin/get"}],"type":"security_exception","reason":"Unexpected exception indices:admin/get"},"status":500}
Exiting: 1 error: Error checking if xpack is available: 500 Internal Server Error: {"error":{"root_cause":[{"type":"security_exception","reason":"Unexpected exception indices:admin/get"}],"type":"security_exception","reason":"Unexpected exception indices:admin/get"},"status":500}

@Rafal_Radziejewski
looking at your first post - the module config looks like you have enabled the module, but not configured an input (i.e. syslog or file...)

you'll need to configure either a syslog receiver:
var.input: syslog
var.syslog_host: <filebeat ip, localhost, or 0.0.0.0 here>
var.syslog_port: <port you want filebeat to listen on>

or file input:
var.input: "file"
var.paths: ["<path to log files>"]

Thanks for the answer, but even with the module disabled I am unable to run Filebeat due to the xpack error I mentioned in my last post.

Generally Filebeat is working with the system and elasticsearch modules (with default config).
/etc/filebeat/modules.d/cisco.yml

- module: cisco
  asa:
    enabled: true

    var.input: syslog
    var.syslog_host: %My IP%
    var.syslog.port: 514

Unfortunately, whenever I enable the cisco module I receive the following error:

2020-12-03T08:43:23.157+0100	INFO	instance/beat.go:648	Beat ID: b2915dfd-0bd2-4229-92d0-5f81966f2169
2020-12-03T08:43:23.161+0100	INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
2020-12-03T08:43:23.161+0100	INFO	[beat]	instance/beat.go:976	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "b2915dfd-0bd2-4229-92d0-5f81966f2169"}}}
2020-12-03T08:43:23.162+0100	INFO	[beat]	instance/beat.go:985	Build info	{"system_info": {"build": {"commit": "ad823eca4cc74439d1a44351c596c12ab51054f5", "libbeat": "7.9.1", "time": "2020-09-01T19:01:25.000Z", "version": "7.9.1"}}}
2020-12-03T08:43:23.162+0100	INFO	[beat]	instance/beat.go:988	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.7"}}}
2020-12-03T08:43:23.163+0100	INFO	[beat]	instance/beat.go:992	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-11-27T13:15:20+01:00","containerized":false,"name":"elastic-master-01","ip":["127.0.0.1/8","::1/128","10.55.250.123/24","fe80::8aa0:17a2:b575:295e/64"],"kernel_version":"3.10.0-1160.6.1.el7.x86_64","mac":["00:50:56:a1:af:e1"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":9,"patch":2009,"codename":"Core"},"timezone":"CET","timezone_offset_sec":3600,"id":"f5f3d07f4d294a0ead11b5d1351be953"}}}
2020-12-03T08:43:23.164+0100	INFO	[beat]	instance/beat.go:1021	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 2130, "ppid": 5958, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-12-03T08:43:22.870+0100"}}}
2020-12-03T08:43:23.165+0100	INFO	instance/beat.go:299	Setup Beat: filebeat; Version: 7.9.1
2020-12-03T08:43:23.165+0100	INFO	[add_cloud_metadata]	add_cloud_metadata/add_cloud_metadata.go:89	add_cloud_metadata: hosting provider type not detected.
2020-12-03T08:43:23.167+0100	INFO	eslegclient/connection.go:99	elasticsearch url: https://10.55.250.123:9305
2020-12-03T08:43:23.167+0100	INFO	[publisher]	pipeline/module.go:113	Beat name: elastic-master-01
2020-12-03T08:43:23.169+0100	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2020-12-03T08:43:23.169+0100	INFO	instance/beat.go:450	filebeat start running.
2020-12-03T08:43:23.172+0100	INFO	memlog/store.go:119	Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=8120546
2020-12-03T08:43:24.312+0100	INFO	memlog/store.go:124	Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=8143608
2020-12-03T08:43:24.313+0100	INFO	[registrar]	registrar/registrar.go:109	States Loaded from registrar: 34
2020-12-03T08:43:24.314+0100	INFO	[crawler]	beater/crawler.go:71	Loading Inputs: 2
2020-12-03T08:43:24.316+0100	INFO	beater/crawler.go:148	Stopping Crawler
2020-12-03T08:43:24.317+0100	INFO	beater/crawler.go:158	Stopping 0 inputs
2020-12-03T08:43:24.317+0100	INFO	beater/crawler.go:178	Crawler stopped
2020-12-03T08:43:24.317+0100	INFO	[registrar]	registrar/registrar.go:132	Stopping Registrar
2020-12-03T08:43:24.317+0100	INFO	[registrar]	registrar/registrar.go:166	Ending Registrar
2020-12-03T08:43:24.325+0100	INFO	[registrar]	registrar/registrar.go:137	Registrar stopped
2020-12-03T08:43:24.329+0100	INFO	[monitoring]	log/log.go:153	Total non-zero metrics	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":130,"time":{"ms":132}},"total":{"ticks":1380,"time":{"ms":1388},"value":1380},"user":{"ticks":1250,"time":{"ms":1256}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":8},"info":{"ephemeral_id":"e916b486-0352-48b2-817a-f37b81cab058","uptime":{"ms":1213}},"memstats":{"gc_next":7525344,"memory_alloc":5754104,"memory_total":66574304,"rss":35659776},"runtime":{"goroutines":11}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0.08,"5":0.07,"norm":{"1":0,"15":0.04,"5":0.035}}}}}}
2020-12-03T08:43:24.330+0100	INFO	[monitoring]	log/log.go:154	Uptime: 1.217955777s
2020-12-03T08:43:24.330+0100	INFO	[monitoring]	log/log.go:131	Stopping metrics logging.
2020-12-03T08:43:24.330+0100	INFO	instance/beat.go:456	filebeat stopped.
2020-12-03T08:43:24.330+0100	ERROR	instance/beat.go:951	Exiting: Failed to start crawler: creating module reloader failed: fileset cisco/asa is configured but doesn't exist
Exiting: Failed to start crawler: creating module reloader failed: fileset cisco/asa is configured but doesn't exist

When I just switch module cisco/asa to enabled:false, everything starts up correctly.
All modules files are owned by root with 755 permissions.
Is there something wrong with this module in Filebeat version 7.9.1?

version update:
Elasticsearch-oss 7.9.1 + OpenDistro & Wazuh plugins.
Filebeat-oss 7.9.1

Still the same behaviour as in the above post, please help.

@Rafal_Radziejewski

The Cisco modules are not included in the OSS version of Filebeat, you will need to run the Basic licensed version: https://www.elastic.co/downloads/beats/filebeat
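
A way to confirm this diagnosis on a host, as an added example that is not part of the original thread or Elastic's tooling: list every fileset enabled under `modules.d` that has no directory in the installed module tree. It assumes each fileset ships as `<path.home>/module/<module>/<fileset>/manifest.yml` and that `modules.d` files use the two-space layout of the configs posted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report filesets that are enabled in modules.d/*.yml but are
# not shipped with this Filebeat build (the "configured but doesn't exist" case).

# enabled_filesets CONFIG_DIR -> prints "module/fileset" for each enabled fileset.
# Line-based parse; assumes "- module: x" / "  fileset:" / "    enabled: true".
enabled_filesets() {
    for f in "$1"/modules.d/*.yml; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*#/ { next }                              # ignore comments
            /^- module:/ { mod = $3; fs = ""; next }         # new module entry
            /^  [A-Za-z0-9_]+:[ \t]*$/ { fs = $1; sub(/:$/, "", fs); next }
            /^    enabled:[ \t]*true/ && mod != "" && fs != "" { print mod "/" fs }
        ' "$f"
    done
}

# missing_filesets HOME_DIR CONFIG_DIR -> prints enabled filesets absent on disk.
missing_filesets() {
    enabled_filesets "$2" | while read -r fileset; do
        [ -f "$1/module/$fileset/manifest.yml" ] || echo "$fileset"
    done
}

# Constructed sample tree: an install that ships system/syslog but no cisco
# module, with both modules enabled in modules.d.
demo_constructed_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/module/system/syslog" "$t/etc/modules.d"
    : > "$t/home/module/system/syslog/manifest.yml"
    printf '%s\n' '- module: system' '  syslog:' '    enabled: true' \
        '  auth:' '    enabled: false' > "$t/etc/modules.d/system.yml"
    printf '%s\n' '- module: cisco' '  asa:' '    enabled: true' \
        '    var.input: syslog' > "$t/etc/modules.d/cisco.yml"
    missing_filesets "$t/home" "$t/etc"
    rm -rf "$t"
}

demo_constructed_tree
# On the host from the log above (path.home and path.config as printed there):
#   missing_filesets /usr/share/filebeat /etc/filebeat
```

Any fileset it prints has to be disabled, or Filebeat replaced with a build that ships that module, before Filebeat will start.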
