Hi. I'm trying to set up the Filebeat Cisco module with the Umbrella fileset. I understand that they do not yet support Cisco managed S3 instances but I see that you can set the input to be file. I can't find anything about how to actually set this up though. I have a script that is syncing the .gz files locally on my server. I assume that I then need a var.path which I set to the location that I am downloading the files but nothing seems to happen. I even unzipped one of the files and moved it to /var/lib/umbrella/ and still nothing. Here is my cisco.yml from modules.d:
```yaml
# Module: cisco
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-cisco.html

- module: cisco
  asa:
    enabled: false

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost

    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 9001

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    #var.log_level: 7

  ftd:
    enabled: false

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost

    # The UDP port to listen for syslog traffic. Defaults to 9003.
    #var.syslog_port: 9003

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
    #var.log_level: 7

  ios:
    enabled: false

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost

    # The UDP port to listen for syslog traffic. Defaults to 9002.
    #var.syslog_port: 9002

    # Set custom paths for the log files when using file input. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  nexus:
    enabled: false

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9506

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  meraki:
    enabled: false

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9525

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  umbrella:
    enabled: true
    var.input: file
    var.paths: ["/var/lib/umbrella/*"]

    # AWS SQS queue url
    #var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue

    # Access ID to authenticate with the S3 input
    #var.access_key_id: 123456

    # Access key to authenticate with the S3 input
    #var.secret_access_key: PASSWORD

    # The duration that the received messages are hidden from ReceiveMessage request
    #var.visibility_timeout: 300s

    # Maximum duration before AWS API request will be interrupted
    #var.api_timeout: 120s
```
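A small check for the situation described in the post, added here as an example and not part of the original post or of Filebeat: it expands the `var.paths` globs from the config above and classifies each file, on the assumption that Filebeat's file input only consumes uncompressed text, so synced `.gz` files and empty files are the first things to rule out. The `make_sample_dir` helper builds constructed sample files; the Umbrella record content in it is a placeholder, not the real Umbrella CSV layout.

```python
"""Classify files under a Filebeat var.paths glob as text, gzip, empty or binary."""
import glob
import gzip
import os
import shutil
import tempfile

GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of every gzip member
VAR_PATHS = ["/var/lib/umbrella/*"]  # mirrors the umbrella fileset config above


def classify_file(path):
    """Return 'empty', 'gzip', 'binary' or 'text' for one regular file."""
    if os.path.getsize(path) == 0:
        return "empty"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(GZIP_MAGIC):
        return "gzip"          # assumed unreadable by the plain file input
    if b"\x00" in head:
        return "binary"
    return "text"


def scan_paths(patterns):
    """Expand each var.paths glob and map every regular file to its class."""
    report = {}
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            if os.path.isfile(path):
                report[path] = classify_file(path)
    return report


def unpack_gzip(path, dest_dir):
    """Decompress one .gz file next to the others; returns the new plain-text path."""
    name = os.path.basename(path)
    target = os.path.join(dest_dir, name[:-3] if name.endswith(".gz") else name + ".txt")
    with gzip.open(path, "rb") as src, open(target, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return target


def make_sample_dir():
    """Constructed sample input: one synced .gz, one empty file, one plain-text file."""
    d = tempfile.mkdtemp(prefix="umbrella-")
    with gzip.open(os.path.join(d, "synced.csv.gz"), "wb") as fh:
        fh.write(b"placeholder,umbrella,record\n")
    open(os.path.join(d, "empty.csv"), "wb").close()
    with open(os.path.join(d, "plain.csv"), "wb") as fh:
        fh.write(b"placeholder,umbrella,record\n")
    return d


if __name__ == "__main__":
    for p, kind in scan_paths(VAR_PATHS).items():
        print(f"{kind:6} {p}")
```

Run it as-is against `/var/lib/umbrella/*`; anything reported as `gzip` or `empty` will not yield events from the file input.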