Dear all,
I configured filebeat and netflow (softflowd on pfsense) but I got an issue. Any solution for that? Thanks
systemctl status filebeat -l
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-04-09 21:11:22 +07; 14s ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 10233 (filebeat)
CGroup: /system.slice/filebeat.service
└─10233 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
Apr 09 21:11:22 manager filebeat[10233]: 2020-04-09T21:11:22.230+0700 ERROR [netflow] netflow/input.go:164 Error running harvester: listen udp 192.168.1.23:2055: bind: cannot assign requested address
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.162+0700 INFO pipeline/output.go:95 Connecting to backoff(elasticsearch(https://192.168.1.17:9200))
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.177+0700 INFO elasticsearch/client.go:753 Attempting to connect to Elasticsearch version 7.5.2
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.215+0700 INFO template/load.go:169 Existing template will be overwritten, as overwrite is enabled.
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.216+0700 INFO template/load.go:109 Try loading template wazuh to Elasticsearch
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.259+0700 INFO template/load.go:101 template with name 'wazuh' loaded.
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.259+0700 INFO [index-management] idxmgmt/std.go:293 Loaded index template.
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.260+0700 INFO pipeline/output.go:105 Connection to backoff(elasticsearch(https://192.168.1.17:9200)) established
Apr 09 21:11:32 manager filebeat[10233]: 2020-04-09T21:11:32.231+0700 INFO [netflow] netflow/input.go:153 Starting UDP input
Apr 09 21:11:32 manager filebeat[10233]: 2020-04-09T21:11:32.231+0700 ERROR [netflow] netflow/input.go:164 Error running harvester: listen udp 192.168.1.23:2055: bind: cannot assign requested address
My lsof:
lsof -i | grep filebeat
filebeat 10233 root 3u IPv4 14361498 0t0 TCP manager:51888->manager:wap-wsp (ESTABLISHED)
filebeat 10233 root 6u IPv4 14362667 0t0 TCP manager:51890->manager:wap-wsp (ESTABLISHED)
My filebeat.yml:
# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
#filebeat.config.inputs:
#  enabled: true
#  path: inputs.d/*.yml
filebeat.config.modules:
  enabled: true
  path: /etc/filebeat/modules.d/*.yml
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch.hosts: ['https://192.168.1.17:9200']
output.elasticsearch.username: "elastic"
output.elasticsearch.password: "<password>"
output.elasticsearch.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca.crt"]
output.elasticsearch.ssl.certificate: "/etc/elasticsearch/certs/node-0.crt"
output.elasticsearch.ssl.key: "/etc/elasticsearch/certs/node-0.key"
My netflow.yml:
# Module: netflow
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.5/filebeat-module-netflow.html
- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 192.168.1.23
      netflow_port: 2055
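The `listen udp ...: bind: cannot assign requested address` error in the log above is what the kernel returns when a process tries to bind a socket to an IP that is not assigned to any local interface (a UDP listener can only bind to the host's own addresses, or to the wildcard `0.0.0.0` / `::`). The following shell script is an added diagnostic, not part of the original post or of Filebeat: it reads `netflow_host` from a module file and checks it against the host's addresses; the address list `SAMPLE_LOCAL_IPS` is constructed for a self-check and stands in for the real `ip addr` output.

```shell
#!/bin/sh
# Added diagnostic for "bind: cannot assign requested address" on the netflow input.
# Not from the original post; function and variable names are this script's own.

# Extract the first netflow_host value from a filebeat netflow module file (arg 1).
# Accepts both bare and double-quoted values.
netflow_host_from_config() {
  sed -n 's/^[[:space:]]*netflow_host:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" \
    | head -n 1
}

# Return 0 if HOST (arg 1) can be bound given the newline-separated list of local
# addresses in arg 2. The wildcards 0.0.0.0 and :: bind on every interface.
host_is_bindable() {
  host=$1
  local_ips=$2
  case "$host" in
    0.0.0.0|::) return 0 ;;
  esac
  printf '%s\n' "$local_ips" | grep -qx "$host"
}

# Addresses the kernel actually has; used when run on the real Filebeat host.
# `ip -o addr` prints e.g. "2: eth0 inet 192.168.1.17/24 ..."; field 4 is the CIDR.
local_ips_of_host() {
  ip -o addr show 2>/dev/null | awk '{ split($4, a, "/"); print a[1] }'
}

# Constructed sample: a host that owns 192.168.1.17 but not 192.168.1.23.
SAMPLE_LOCAL_IPS='127.0.0.1
192.168.1.17
::1'

# Self-check helper: exit status says whether HOST is bindable on the sample host.
check_sample() {
  host_is_bindable "$1" "$SAMPLE_LOCAL_IPS"
}

# Real check on the host this script runs on: report the configured host and the verdict.
check_module_file() {
  cfg=${1:-/etc/filebeat/modules.d/netflow.yml}
  host=$(netflow_host_from_config "$cfg")
  if host_is_bindable "$host" "$(local_ips_of_host)"; then
    echo "netflow_host $host is a local address: bind should succeed"
  else
    echo "netflow_host $host is not assigned to any local interface: bind will fail"
    return 1
  fi
}
```

Run `check_module_file /etc/filebeat/modules.d/netflow.yml` on the Filebeat host; a non-zero exit means the configured address belongs to another machine and the input cannot listen on it.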