Filebeat Module won't process incoming syslogs

Hi guys,

So I'm using Filebeat modules (asa, cisco, fortinet and palo alto) to parse the syslogs of different firewalls.
Everything is working fine, except for the pan module:

I enabled the module and configured the module file in /etc/filebeat/modules.d/
After that I checked if the port is open:

udp 0 0 X.X.X.X:9004 0.0.0.0:* 22401/filebeat

So that's also working fine.
If I check the port via tcpdump, I can see the Palo Alto firewall sending packets to this port:

16:08:25.769682 IP X.X.X.X.51664 > my.server.com.9004: UDP, length 462
16:08:25.826543 IP X.X.X.X.51664 > my.server.com.9004: UDP, length 462

It does so every few milliseconds. So there is something coming in through this port!
But I cannot see any data in my Kibana. The firewall sent logs until the 31st of July just fine, but since then there's nothing.

The Palo Alto is using the default syslog format, not LEEF.
I cannot see any errors in the Filebeat logs.

I checked the firewall rule enabling the Palo Alto to send towards the ELK stack; it manages about 5-10 Gbit in one hour.

I also checked for an ingest pipeline for Palo Alto; it is there. I also redid the setup of Filebeat.

I just don't know what I can do anymore; anything else works just fine.

I'm using version 7.8 in ES as well as in Filebeat and Kibana, running on a CentOS 7 cluster.

I've run Filebeat with

filebeat -e -d "*"

and checked the logs. I saw an event stating

Cannot index event publisher.Event: "caused_by":{"type":"date_time_parse_exception","reason":"Text '2020-08-19T08:38:42.000+02:00' could not be parsed at index 4"}

What can i do?

I've now changed the date format of the field to yyyy-MM-dd'T'HH:mm:ss.SSSZ, even though I feared it would trouble my ASA & Fortinet modules. I do not see any parsing errors in the Filebeat log.

Afterwards I restarted the services, but I still get this error message:

failed to parse field [event.created] of type [date] in document with id 'ykmhBXQBSiPY17LNhR8m'. Preview of field's value: '2020-08-19T09:31:38.000+02:00'","caused_by":{"type":"illegal_argument_exception","reason":"failed to parse date field [2020-08-19T09:31:38.000+02:00] with format [yyyy/mm/dd HH:mm:ss]","caused_by":{"type":"date_time_parse_exception","reason":"Text '2020-08-19T09:31:38.000+02:00' could not be parsed at index 4"}}}

Why is it still using the old format to parse this?
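An added example, not code from this thread or from Elastic: a small Python matcher that emulates how an Elasticsearch date format string is applied to a field value and reports the index at which parsing stops, reproducing the "could not be parsed at index 4" above for the mapping format `yyyy/mm/dd HH:mm:ss` (the `-` at position 4 where the format expects `/`), and showing how a `fmt1||fmt2` format list accepts both layouts. It supports only the pattern letters that appear in this thread and simplifies Java's DateTimeFormatter rules (for instance, the `Z` offset is accepted with or without a colon); note also that lowercase `mm` is minute-of-hour in these patterns, month-of-year is `MM`.

```python
import re

# Constructed subset of Java/Elasticsearch pattern letters (not ES's own parser).
# Note: lowercase 'mm' is minute-of-hour; month-of-year is uppercase 'MM'.
TOKENS = {
    "yyyy": r"\d{4}", "MM": r"\d{2}", "dd": r"\d{2}",
    "HH": r"\d{2}", "mm": r"\d{2}", "ss": r"\d{2}", "SSS": r"\d{3}",
    # Simplification: accept an offset with or without a colon, or a literal Z.
    "Z": r"[+-]\d{2}:?\d{2}|Z",
}
_BY_LENGTH = sorted(TOKENS, key=len, reverse=True)


def match_at(pattern, text):
    """Apply one pattern to text left to right.

    Returns (matched, index): index is where parsing stopped, i.e. the
    position an ES 'could not be parsed at index N' error would report.
    """
    pos, i = 0, 0
    while i < len(pattern):
        if pattern[i] == "'":                       # quoted literal such as 'T'
            end = pattern.index("'", i + 1)
            regex, i = re.escape(pattern[i + 1:end]), end + 1
        else:
            for tok in _BY_LENGTH:                  # longest pattern-letter run first
                if pattern.startswith(tok, i):
                    regex, i = TOKENS[tok], i + len(tok)
                    break
            else:                                   # any other character is a literal
                regex, i = re.escape(pattern[i]), i + 1
        m = re.match(regex, text[pos:])
        if not m:
            return False, pos
        pos += m.end()
    return pos == len(text), pos


def first_matching_format(value, formats):
    """Emulate an ES 'fmt1||fmt2' format list: the first matching format wins.

    Returns (matching_format_or_None, {failed_format: stop_index}).
    """
    failures = {}
    for fmt in formats.split("||"):
        ok, idx = match_at(fmt, value)
        if ok:
            return fmt, failures
        failures[fmt] = idx
    return None, failures


if __name__ == "__main__":
    value = "2020-08-19T09:31:38.000+02:00"        # value quoted in the error message
    print(match_at("yyyy/mm/dd HH:mm:ss", value))   # (False, 4): '-' where '/' expected
    print(first_matching_format(value, "yyyy/MM/dd HH:mm:ss||yyyy-MM-dd'T'HH:mm:ss.SSSZ"))
```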
