Filebeat fortinet module not indexing after upgrading it and kibana to 7.10.0,

jonjon · November 17, 2020, 5:32pm

I upgraded Kibana and filebeat to 7.10.0 and my Fortinet logs aren't being indexed anymore. Looking at the logs, it looks like I am filebeat is connected to Kibana but I am getting several of these messages below and logs aren't indexed. Winlogbeat and Logstash are working fine after the upgrade

Non-zero metrics in the last 30s

Config files below:

filebeat.yml:

- type: log

  enabled: false


  paths:
    - /var/log/*.log


filebeat.config.modules:

  path: ${path.config}/modules.d/*.yml


  reload.enabled: false




setup.template.settings:
  index.number_of_shards: 1




output.elasticsearch:
  
  hosts: ["192.168.1.119:9200"]

  


processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

fortinet.yml

# Module: fortinet
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-fortinet.html

- module: fortinet
  firewall:
    enabled: true

    var.syslog_host: 0.0.0.0


    var.syslog_port: 5514

  clientendpoint:
    enabled: true

    

  fortimail:
    enabled: true

    
  fortimanager:
    enabled: true

logs:

2020-07-28T09:13:38.119-0700	INFO	instance/beat.go:647	Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-07-28T09:13:38.120-0700	INFO	instance/beat.go:655	Beat ID: ec968893-7887-471c-91da-8c50a3c33fe6
2020-07-28T09:13:38.126-0700	INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
2020-07-28T09:13:38.126-0700	INFO	[beat]	instance/beat.go:983	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "ec968893-7887-471c-91da-8c50a3c33fe6"}}}
2020-07-28T09:13:38.126-0700	INFO	[beat]	instance/beat.go:992	Build info	{"system_info": {"build": {"commit": "f79387d32717d79f689d94fda1ec80b2cf285d30", "libbeat": "7.8.0", "time": "2020-06-14T18:15:37.000Z", "version": "7.8.0"}}}
2020-07-28T09:13:38.126-0700	INFO	[beat]	instance/beat.go:995	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.13.10"}}}
2020-07-28T09:13:38.128-0700	INFO	[beat]	instance/beat.go:999	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-07-28T09:12:14-07:00","containerized":false,"name":"elk-vm","ip":["127.0.0.1/8","::1/128","192.168.1.119/24","fe80::c015:4583:d2f6:dea7/64"],"kernel_version":"5.4.0-42-generic","mac":["00:0c:29:96:9c:19"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.4 LTS (Bionic Beaver)","major":18,"minor":4,"patch":4,"codename":"bionic"},"timezone":"PDT","timezone_offset_sec":-25200,"id":"00c9d310251042a98c0459fb0266d49a"}}}
2020-07-28T09:13:38.128-0700	INFO	[beat]	instance/beat.go:1028	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/home/jon", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 2328, "ppid": 2277, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-07-28T09:13:37.130-0700"}}}
2020-07-28T09:13:38.128-0700	INFO	instance/beat.go:310	Setup Beat: filebeat; Version: 7.8.0
2020-07-28T09:13:38.129-0700	INFO	[index-management]	idxmgmt/std.go:183	Set output.elasticsearch.index to 'filebeat-7.8.0' as ILM is enabled.
2020-07-28T09:13:38.130-0700	INFO	eslegclient/connection.go:97	elasticsearch url: http://192.168.1.119:9200
2020-07-28T09:13:38.130-0700	INFO	[publisher]	pipeline/module.go:113	Beat name: elk-vm
2020-07-28T09:13:38.133-0700	INFO	beater/filebeat.go:96	Enabled modules/filesets: fortinet (firewall)
2020-07-28T09:13:38.134-0700	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2020-07-28T09:13:38.134-0700	INFO	instance/beat.go:463	filebeat start running.
2020-07-28T09:13:38.135-0700	INFO	registrar/registrar.go:145	Loading registrar data from /var/lib/filebeat/registry/filebeat/data.json
2020-07-28T09:13:38.135-0700	INFO	registrar/registrar.go:152	States Loaded from registrar: 25
2020-07-28T09:13:38.135-0700	INFO	[crawler]	beater/crawler.go:71	Loading Inputs: 2
2020-07-28T09:13:38.136-0700	INFO	[crawler]	beater/crawler.go:141	Starting input (ID: %d)15116849340234315384
2020-07-28T09:13:38.137-0700	INFO	udp/input.go:103	Starting UDP input
2020-07-28T09:13:38.137-0700	INFO	[udp]	udp/server.go:81	Started listening for UDP connection	{"address": "localhost:9004"}
2020-07-28T09:13:38.138-0700	INFO	[crawler]	beater/crawler.go:108	Loading and starting Inputs completed. Enabled inputs: 1
2020-07-28T09:13:38.138-0700	INFO	cfgfile/reload.go:164	Config reloader started
2020-07-28T09:13:38.139-0700	INFO	eslegclient/connection.go:97	elasticsearch url: http://192.168.1.119:9200
2020-07-28T09:13:38.166-0700	INFO	[esclientleg]	eslegclient/connection.go:306	Attempting to connect to Elasticsearch version 7.6.2
2020-07-28T09:13:38.185-0700	INFO	cfgfile/reload.go:224	Loading of config files completed.
2020-07-28T09:13:38.185-0700	INFO	udp/input.go:103	Starting UDP input
2020-07-28T09:13:38.185-0700	ERROR	udp/input.go:106	Error running harvester: listen udp 0.0.0.0:5514: bind: address already in use
2020-07-28T09:13:41.122-0700	INFO	[add_cloud_metadata]	add_cloud_metadata/add_cloud_metadata.go:89	add_cloud_metadata: hosting provider type not detected.
2020-07-28T09:14:08.136-0700	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":140,"time":{"ms":147}},"total":{"ticks":180,"time":{"ms":194},"value":180},"user":{"ticks":40,"time":{"ms":47}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":12},"info":{"ephemeral_id":"ea6861c2-3e89-46d2-9c94-933bc8105de4","uptime":{"ms":30163}},"memstats":{"gc_next":11462608,"memory_alloc":8252536,"memory_total":20441040,"rss":55885824},"runtime":{"goroutines":26}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1,"scans":1},"output":{"type":"elasticsearch"},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":4},"load":{"1":3.08,"15":0.64,"5":1.67,"norm":{"1":0.77,"15":0.16,"5":0.4175}}}}}}
2020-07-28T09:14:38.135-0700	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":150,"time":{"ms":4}},"total":{"ticks":190,"time":{"ms":5},"value":190},"user":{"ticks":40,"time":{"ms":1}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":12},"info":{"ephemeral_id":"ea6861c2-3e89-46d2-9c94-933bc8105de4","uptime":{"ms":60163}},"memstats":{"gc_next":11462608,"memory_alloc":8690800,"memory_total":20879304},"runtime":{"goroutines":26}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":1.99,"15":0.63,"5":1.54,"norm":{"1":0.4975,"15":0.1575,"5":0.385}}}}}}
2020-07-28T09:15:08.135-0700	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":150,"time":{"ms":4}},"total":{"ticks":200,"time":{"ms":6},"value":200},"user":{"ticks":50,"time":{"ms":2}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"ea6861c2-3e89-46d2-9c94-933bc8105de4","uptime":{"ms":90163}},"memstats":{"gc_next":11462608,"memory_alloc":9015048,"memory_total":21203552},"runtime":{"goroutines":24}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":1.29,"15":0.62,"5":1.41,"norm":{"1":0.3225,"15":0.155,"5":0.3525}}}}}}
2020-07-28T09:15:38.137-0700	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":160,"time":{"ms":9}},"total":{"ticks":210,"time":{"ms":10},"value":210},"user":{"ticks":50,"time":{"ms":1}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"ea6861c2-3e89-46d2-9c94-933bc8105de4","uptime":{"ms":120165}},"memstats":{"gc_next":11704080,"memory_alloc":9012552,"memory_total":21433328,"rss":675840},"runtime":{"goroutines":24}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.85,"15":0.6,"5":1.29,"norm":{"1":0.2125,"15":0.15,"5":0.3225}}}}}}
2020-07-28T09:16:08.138-0700	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":170,"time":{"ms":7}},"total":{"ticks":220,"time":{"ms":8},"value":220},"user":{"ticks":50,"time":{"ms":1}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"ea6861c2-3e89-46d2-9c94-933bc8105de4","uptime":{"ms":150164}},"memstats":{"gc_next":11704080,"memory_alloc":6269424,"memory_total":21851736},"runtime":{"goroutines":24}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.58,"15":0.59,"5":1.18,"norm":{"1":0.145,"15":0.1475,"5":0.295}}}}}}
2020-07-28T09:16:38.135-0700	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":170,"time":{"ms":5}},"total":{"ticks":220,"time":{"ms":6},"value":220},"user":{"ticks":50,"time":{"ms":1}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"ea6861c2-3e89-46d2-9c94-933bc8105de4","uptime":{"ms":180164}},"memstats":{"gc_next":11704080,"memory_alloc":6492688,"memory_total":22075000},"runtime":{"goroutines":24}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.83,"15":0.61,"5":1.18,"norm":{"1":0.2075,"15":0.1525,"5":0.295}}}}}}
2020-07-28T09:17:03.870-0700	INFO	beater/filebeat.go:456	Stopping filebeat
2020-07-28T09:17:03.870-0700	INFO	beater/crawler.go:148	Stopping Crawler
2020-07-28T09:17:03.870-0700	INFO	beater/crawler.go:158	Stopping 1 inputs
2020-07-28T09:17:03.870-0700	INFO	cfgfile/reload.go:227	Dynamic config reloader stopped
2020-07-28T09:17:03.870-0700	INFO	[reload]	cfgfile/list.go:118	Stopping 1 runners ...
2020-07-28T09:17:03.870-0700	INFO	input/input.go:138	input ticker stopped
2020-07-28T09:17:03.870-0700	INFO	udp/input.go:118	Stopping UDP input
2020-07-28T09:17:03.870-0700	INFO	[udp]	udp/server.go:140	Stopping UDP server	{"address": "0.0.0.0:5514"}

system · December 15, 2020, 7:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat not sending logs to elastic from fortinet module Beats filebeat	2	365	December 1, 2020
Filebeat fortinet module Beats beats-module , filebeat	1	306	July 19, 2021
Not forwarding filebeat to logstash and no filebeat-* index in kibana Beats filebeat	12	3823	March 7, 2017
Filebeat: Fortinet Module not processing data as it should Beats filebeat	15	1955	June 3, 2021
Filter not working filbert nginx module Beats filebeat	8	468	June 22, 2018

Filebeat fortinet module not indexing after upgrading it and kibana to 7.10.0,

Related topics