Filebeat Cisco Module: Listening on IPV6 only?

madhatt · April 24, 2020, 7:55pm

I have configured the Cisco module to listen on 0.0.0.0 UDP/514.

If I use echo and netcat to send a message from localhost, I can see it come in (on loopback) with tcpdump, and filebeat parses the message successfully.

If I use the same command on a remote server, I can see it come in (on eth0) with tcpdump but filebeat does not parse the message.

Netstat shows there is a listener on UDP 514 (i.e. syslog), but only udp6. Could this be why the messages are not being parsed by filebeat when coming in on eth0?

netstat -lu output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 127.0.0.53:domain 0.0.0.0:*
udp 0 0 0.0.0.0:snmp 0.0.0.0:*
udp 0 0 0.0.0.0:hostmon 0.0.0.0:*
udp6 0 0 [::]:syslog [::]:*
udp6 0 0 [::]:hostmon [::]:*

Dain.Perkins · May 19, 2020, 1:22am

madhatt,

I've seen similar behavior before, tho admittedly in java apps - try setting the host to be the ipv4 ip you want the system listening on and see if that works. (I've never gotten to the point of actually determining what the root cause of the issue is, but have seen exactly the same behavior where a default ipv4/6 listener only listens on ipv6). I want to say it was an /etc/hosts config that the system was having an issue with, but it was a while ago.

system · June 16, 2020, 1:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat + cisco module - listening on other than localhost Beats beats-module , filebeat	3	1050	February 17, 2020
Filebeat Listening on IPV6 Beats filebeat	1	832	March 9, 2021
Issues with Filebeat and Cisco ASA Parsing Beats filebeat	1	332	October 31, 2019
Filebeat 7.2.0 - Cisco ASA module not parsing IPv6 correctly Beats	1	326	July 24, 2019
Problems parsing Cisco ASA logs using filebeat Beats filebeat	9	3268	October 2, 2019

Filebeat Cisco Module: Listening on IPV6 only?

Related topics