Filebeat Cisco Module Trouble

I am struggling to get the filebeat cisco module to report correctly. The pipeline appears to be broken, but I am not proficient enough to discover the problem. What can I provide other than the below to assist in discovering the issue?

Log example -

Sep 9 06:22:25 ms3elastic filebeat[5140]: 2020-09-09T06:22:25.858Z#011WARN#011[elasticsearch]#011elasticsearch/client.go:407#011Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfce3b082d5807c5, ext:21167714728650, loc:(*time.Location)(0x607c540)}, Meta:{"pipeline":"filebeat-7.9.1-cisco-asa-asa-ftd-pipeline","truncated":false}, Fields:{"agent":{"ephemeral_id":"517ed516-69ba-4241-a172-f874cba40bea","hostname":"ms3elastic","id":"9b1a3f57-461f-48d6-be16-5db97d14830a","name":"ms3elastic","type":"filebeat","version":"7.9.1"},"ecs":{"version":"1.5.0"},"event":{"dataset":"cisco.asa","module":"cisco","timezone":"+00:00"},"fileset":{"name":"asa"},"input":{"type":"udp"},"log":{"source":{"address":"10.254.254.1:514"}},"message":"\u003c190\u003eSep 09 2020 01:22:24: %ASA-6-302015: Built inbound UDP connection 255031023 for Outside:10.254.1.11/56156 (10.254.1.11/56156)(LOCAL\Elastic_Svc) to Inside:10.3.150.22/53 (10.3.150.22/53) (Elastic_Svc)\n","service":{"type":"cisco"},"tags":["cisco-asa","forwarded"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [source.nat.port] of type [long] in document with id 'u_2HcXQBYdSUCx4jmCgd'. Preview of field's value: '56156)(LOCAL\\Elastic_Svc'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: "56156)(LOCAL\\Elastic_Svc""}}

filebeat.yml

filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml

setup.template.settings:
  index.number_of_shards: 1

cloud.id: "merrimac-internal:XXXXXXXXXX"
cloud.auth: "elastic:XXXXXXXXX"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
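The error in the log says what went wrong: Elasticsearch received `56156)(LOCAL\Elastic_Svc` for `source.nat.port`, so the pipeline's mapped-port capture ran through the `)(LOCAL\user)` identity-firewall annotation that ASA appends after the NAT tuple. The Python below is an added example (not from the post, and not the Filebeat module's own grok patterns): with constructed sample lines it shows a loose capture that produces exactly that value beside a strict parser that anchors ports to digits and converts them before anything reaches the index. Field names and the regexes are my own assumptions.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the %ASA-6-302015 message in the post.
# The first carries identity-firewall user annotations "(LOCAL\user)" and
# "(user)" after the mapped-address tuples; the second does not.
SAMPLES = [
    "<190>Sep 09 2020 01:22:24: %ASA-6-302015: Built inbound UDP connection "
    "255031023 for Outside:10.254.1.11/56156 (10.254.1.11/56156)(LOCAL\\Elastic_Svc) "
    "to Inside:10.3.150.22/53 (10.3.150.22/53) (Elastic_Svc)",
    "<190>Sep 09 2020 01:23:00: %ASA-6-302015: Built outbound UDP connection "
    "255031024 for Inside:10.3.150.22/53 (10.3.150.22/53) to "
    "Outside:10.254.1.11/56156 (10.254.1.11/56156)",
]

# A loose mapped-port capture of the kind that yields the rejected value:
# "[^ ]+" runs through ")(LOCAL\Elastic_Svc" and only stops at the next space.
LOOSE_NAT = re.compile(r"\((?P<nat_ip>[\d.]+)/(?P<nat_port>[^ ]+)\)")


def loose_nat_port(line: str) -> Optional[str]:
    m = LOOSE_NAT.search(line)
    return m.group("nat_port") if m else None


def endpoint(prefix: str) -> str:
    """Pattern for 'zone:ip/port (nat_ip/nat_port)' plus an optional '(user)'."""
    # Ports are digits only, so a capture can never run into the annotation.
    return (
        rf"(?P<{prefix}_zone>[^:\s]+):(?P<{prefix}_ip>[\d.]+)/(?P<{prefix}_port>\d+) "
        rf"\((?P<{prefix}_nat_ip>[\d.]+)/(?P<{prefix}_nat_port>\d+)\)"
        rf"(?: ?\((?P<{prefix}_user>[^)]*)\))?"
    )


ASA_302015 = re.compile(
    r"%ASA-\d-302015: Built (?P<direction>inbound|outbound) (?P<protocol>\w+) "
    r"connection (?P<connection_id>\d+) for " + endpoint("src") + " to " + endpoint("dst")
    + r"\s*$"
)


def parse_302015(line: str) -> Optional[dict]:
    """Return the fields of a 302015 line, or None if it does not match."""
    m = ASA_302015.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Convert numeric fields here, so a bad port fails in the parser rather
    # than at index time as a mapper_parsing_exception on a long field.
    for key in ("connection_id", "src_port", "src_nat_port", "dst_port", "dst_nat_port"):
        fields[key] = int(fields[key])
    return fields
```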
