Dear support,
I have deployed the latest version 7.9 filebeat to include sonicwall syslog logs, i have enabled the sonicwall module, however the events in discover keep throwing the dissect_parsing_error.
Below are some of the logs and event details.
{
"_index": "filebeat-7.9.0-2020.08.19-000001",
"_type": "_doc",
"_id": "ILQVBnQBo9uiWCRbv6b8",
"_score": 1,
"_source": {
"agent": {
"hostname": "QIIC-MEELA",
"name": "QIIC-MEELA",
"id": "b1156225-0bcf-414b-939c-1ac78d480465",
"ephemeral_id": "b48dd00e-0f65-45e8-bb33-6fd4174eef8a",
"type": "filebeat",
"version": "7.9.0"
},
"log": {
"flags": [
"dissect_parsing_error"
],
"syslog": {
"severity": {
"code": 6
},
"priority": 134,
"facility": {
"code": 16
}
},
"source": {
"address": "172.20.10.241:52355"
}
},
"fileset": {
"name": "firewall"
},
"tags": [
"sonicwall.firewall",
"forwarded"
],
"input": {
"type": "udp"
},
"observer": {
"product": "Firewalls",
"vendor": "Sonicwall",
"type": "Firewall"
},
"@timestamp": "2020-08-19T09:38:42.216Z",
"ecs": {
"version": "1.5.0"
},
"service": {
"type": "sonicwall"
},
"event": {
"original": "<134>Aug 19 12:38:42 PMFW.qiic.net.qa 1,2020/08/19 12:38:41,016201003266,TRAFFIC,drop,2049,2020/08/19 12:38:41,194.180.224.130,78.100.126.66,0.0.0.0,0.0.0.0,Block Malicious IPs - Inbound,,,not-applicable,vsys1,WAN2,WAN2,ethernet1/5,,qiic-log-forward,2020/08/19 12:38:41,0,1,47187,22,0,0,0x0,tcp,deny,60,60,0,1,2020/08/19 12:38:39,0,any,0,163620434,0x0,United States,Qatar,0,1,0,policy-deny,0,0,0,0,,PMFW,from-policy,,,0,,0,,N/A,0,0,0,0",
"module": "sonicwall",
"dataset": "sonicwall.firewall"
}
},
"fields": {
"@timestamp": [
"2020-08-19T09:38:42.216Z"
],
"suricata.eve.timestamp": [
"2020-08-19T09:38:42.216Z"
]
}
}
Below is the debug log from filebeat..
2020-08-19T12:35:49.021+0300 DEBUG [elasticsearch] elasticsearch/client.go:229 PublishEvents: 1 events have been published to elasticsearch in 31.0839ms.
2020-08-19T12:35:49.021+0300 DEBUG [publisher] memqueue/ackloop.go:160 ackloop: receive ack [1: 0, 1]
2020-08-19T12:35:49.021+0300 DEBUG [publisher] memqueue/eventloop.go:535 broker ACK events: count=1, start-seq=2, end-seq=2
2020-08-19T12:35:49.021+0300 DEBUG [acker] beater/acker.go:64 stateless ack {"count": 1}
2020-08-19T12:35:49.021+0300 DEBUG [publisher] memqueue/ackloop.go:128 ackloop: return ack to broker loop:1
2020-08-19T12:35:49.021+0300 DEBUG [publisher] memqueue/ackloop.go:131 ackloop: done send ack
2020-08-19T12:35:55.721+0300 DEBUG [input] input/input.go:139 Run input
2020-08-19T12:35:56.274+0300 DEBUG [processors] processing/processors.go:187 Publish event: {
"@timestamp": "2020-08-19T06:35:56.000Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.9.0",
"truncated": false,
"pipeline": "filebeat-7.9.0-sonicwall-firewall-pipeline"
},
"ecs": {
"version": "1.5.0"
},
"tags": [
"sonicwall.firewall",
"forwarded"
],
"event": {
"module": "sonicwall",
"dataset": "sonicwall.firewall",
"original": "<133> id=firewall sn=C0EAE46A7804 time="2020-08-19 09:35:56 UTC" fw=2.2.2.2 pri=5 c=128 m=37 msg="UDP packet dropped" n=222931952 src=172.20.20.9:54940:X2-V20 dst=239.255.255.250:1900 srcMac=44:8a:5b:b6:16:5c dstMac=01:00:5e:7f:ff:fa proto=udp/1900",
"code": "37"
},
"related": {
"ip": [
"172.20.20.9",
"239.255.255.250"
]
},
"destination": {
"ip": [
"239.255.255.250"
],
"mac": "01:00:5e:7f:ff:fa",
"port": 1900
},
"log": {
"source": {
"address": "172.20.10.1:514"
},
"flags": [
"dissect_parsing_error"
],
"syslog": {
"severity": {
"code": 5
},
"facility": {
"code": 16
},
"priority": 133
}
},
"observer": {
"vendor": "Sonicwall",
"product": "Firewalls",
"type": "Firewall",
"ingress": {
"interface": {
"name": "X2-V20"
}
}
},
"fileset": {
"name": "firewall"
},
"service": {
"type": "sonicwall"
},
"source": {
"ip": [
"172.20.20.9"
],
"port": 54940,
"mac": "44:8a:5b:b6:16:5c"
},
"rsa": {
"network": {
"sinterface": "X2-V20"
},
"time": {
"event_time": "2020-08-19T06:35:56.000Z"
},
"internal": {
"messageid": "37"
}
},
"agent": {
"version": "7.9.0",
"hostname": "QIIC-MEELA",
"ephemeral_id": "b48dd00e-0f65-45e8-bb33-6fd4174eef8a",
"id": "b1156225-0bcf-414b-939c-1ac78d480465",
"name": "QIIC-MEELA",
"type": "filebeat"
},
"input": {
"type": "udp"
}
}