Hi guys,
So I'm using Filebeat modules (asa, cisco, fortinet and palo alto) to parse the syslogs of different firewalls.
Everything is working fine, except for the pan module:
I enabled the module and configured the module file in /etc/filebeat/modules.d/.
After that I checked if the port is open:
udp 0 0 X.X.X.X:9004 0.0.0.0:* 22401/filebeat
So that's also working fine.
If I check the port via tcpdump, I can see the Palo Alto firewall sending packets to this port:
16:08:25.769682 IP X.X.X.X.51664 > my.server.com.9004: UDP, length 462
16:08:25.826543 IP X.X.X.X.51664 > my.server.com.9004: UDP, length 462
It does so every few milliseconds. So there is something coming in through this port!
But I cannot see any data in my Kibana. The firewall sent logs until 31st of July just fine, but since then there's nothing.
The Palo Alto is using the default syslog format, not LEEF.
I cannot see any errors in the Filebeat logs.
I checked the firewall rule enabling the Palo Alto to send towards the ELK stack; it manages about 5-10 Gbit in one hour.
I also checked for an ingest pipeline for Palo Alto; it is there. I also redid the setup of Filebeat.
I just don't know what I can do anymore; anything else works just fine.
I'm using version 7.8 in ES as well as in Filebeat and Kibana, running on a CentOS 7 cluster.
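For reference, the module file the post refers to is /etc/filebeat/modules.d/panw.yml, and the Filebeat 7.8 panw module takes the listener address and port from var.syslog_host and var.syslog_port. The fragment below is an added example of that file matching the situation described above (UDP listener on port 9004 on the address the firewall sends to); it is not the poster's actual file, and X.X.X.X is a placeholder for the server's interface address shown in the netstat output.

```yaml
# /etc/filebeat/modules.d/panw.yml (example, not the original poster's file)
- module: panw
  panos:
    enabled: true
    # Address Filebeat binds the UDP syslog listener to. The module default is
    # localhost, which would make the listener unreachable from the firewall;
    # X.X.X.X stands for the server address seen in "netstat"/tcpdump above.
    var.syslog_host: X.X.X.X
    # Port the firewall's syslog server profile sends to. The module default
    # is 9001; the post uses 9004, so it must be set explicitly here.
    var.syslog_port: 9004
```

Two things worth confirming against this file when packets arrive but nothing is indexed: the bound address and port in the netstat line must match these two values exactly, and the fileset should be `panos` (the default-format CSV logs), since a Filebeat log with no errors will still silently drop events that the ingest pipeline fails to parse only if the module's listener is the one actually receiving them.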