Filebeat - Cisco Module doesn't accept logs from other sources that itsself

Moritz_Kiesewetter · May 15, 2020, 9:21am

Hey Guys,

i've installed Filebeat on the 2 Data-Nodes in my Elk-Cluster.
Some Information on my Cluster:
Cluster Version: 7.6
Filebeat Version: 7.7
Hosts: CentOS 7

Now i want to send logs from Cisco Switches to this Cluster - i've activated the Cisco Plugin in Filebeat - and configured the cisco.yml file in /modules.d/:

- module: cisco
 #asa:
  #  enabled: true

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost

    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 9001

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    #var.log_level: 7

 # ftd:
  #  enabled: true

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost

    # The UDP port to listen for syslog traffic. Defaults to 9003.
    #var.syslog_port: 9003

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
    #var.log_level: 7

  ios:
    enabled: true

    # Set which input to use between syslog (default) or file.
    var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The UDP port to listen for syslog traffic. Defaults to 9002.
    var.syslog_port: 9002

    # Set custom paths for the log files when using file input. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Now if i check with

netstat -tulnp

I can see that the Port 9002 is bind to 0.0.0.0:

udp6 0 0 :::9002 :::*

If i check with TCP-Dump i can see that there are incoming connections on this port - but i cannot see any files in the Index.
Now if i send an Error log via nc:

nc X.X.X.X 9002 < cisco.snip

from the host X.X.X.X itsself it works - but not from any other Server from the network?
What did i do wrong?

system · June 12, 2020, 9:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cisco Logs Module - No logs received Beats filebeat	1	375	November 23, 2023
Incoming logs from Cisco switches don't appear in filebeat-* indexes Beats filebeat	3	458	August 18, 2020
Send syslog to Filebeat server Beats filebeat	28	2208	November 1, 2023
Cisco iOS integration - No data has been received from this module yet Beats filebeat	2	203	April 4, 2024
Sending syslog to FileBeat from Cisco Asa Beats filebeat	4	2920	July 17, 2019

Filebeat - Cisco Module doesn't accept logs from other sources that itsself

Related topics