Filebeat - iptables module

sentient · January 29, 2020, 6:38pm

Quick question,
does the filebeat iptables module work when using ufw ?
If is my basic understanding the ufw works on top of iptables.
I do see the ufw events in the syslog, but I don't get any iptables events into SIEM

Kaiyan_Sheng · January 29, 2020, 9:11pm

Hi @sentient, iptables module should be able to parse UFW logs but the custom UFW tag will not be parsed. If it's not working for you, could you please copy paste a log entry as an example for us please? That would be very helpful for debug. Thanks!

sentient · January 29, 2020, 9:54pm

I put it temporary on high verbose logging
'ufw logging high'

'journalctl -f'

Jan 29 21:49:39 kibana kernel: [UFW AUDIT] IN=ens5 OUT= MAC=ed:it:57:c7:c6:bc:02:58:54:a0:be:0c:xx:yy SRC=182.15.12.25 DST=192.168.12.84 LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=40991 DF PROTO=TCP SPT=42226 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
Jan 29 21:49:42 kibana kernel: [UFW ALLOW] IN= OUT=ens5 SRC=192.168.12.84 DST=192.168.0.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=61731 DF PROTO=UDP SPT=33051 DPT=53 LEN=63
Jan 29 21:49:42 kibana kernel: [UFW ALLOW] IN= OUT=ens5 SRC=192.168.12.84 DST=192.168.0.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=61732 DF PROTO=UDP SPT=33051 DPT=53 LEN=63
Jan 29 21:49:42 kibana kernel: [UFW ALLOW] IN= OUT=ens5 SRC=192.168.12.84 DST=192.168.12.217 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2323 DF PROTO=TCP SPT=47380 DPT=8834 WINDOW=62727 RES=0x00 SYN URGP=0
Jan 29 21:49:52 kibana kernel: [UFW ALLOW] IN= OUT=ens5 SRC=192.168.12.84 DST=192.168.0.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=62321 DF PROTO=UDP SPT=35338 DPT=53 LEN=63
Jan 29 21:49:52 kibana kernel: [UFW ALLOW] IN= OUT=ens5 SRC=192.168.12.84 DST=192.168.0.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=62322 DF PROTO=UDP SPT=35338 DPT=53 LEN=63
Jan 29 21:49:52 kibana kernel: [UFW ALLOW] IN= OUT=ens5 SRC=192.168.12.84 DST=192.168.12.217 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38746 DF PROTO=TCP SPT=47382 DPT=8834 WINDOW=62727 RES=0x00 SYN URGP=0
Jan 29 21:49:57 kibana kernel: [UFW AUDIT] IN=ens5 OUT= MAC=ed:it:57:c7:c6:bc:02:58:54:a0:be:0c:xx:yy SRC=182.15.12.25 DST=192.168.12.84 LEN=88 TOS=0x10 PREC=0x00 TTL=63 ID=41026 DF PROTO=TCP SPT=42226 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0
`

system · February 26, 2020, 9:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.