Hi Everyone,
I have enabled the fortinet/firewall module all looks great i see traffic being received at in the filebeat logs but never forwarded to elastic, can someone please point me in the right direction ?
filebeat.yml config:
logging.to_stder: true
logging.level: debug
setup.template.name: "logs_k8s"
setup.template.pattern: "logs_*"
filebeat.modules:
- module: fortinet
firewall:
enabled: true
var.input: tcp
var.syslog_host: "0.0.0.0"
var.syslog_port: 9004
setup.ilm.enabled: false
ilm.enabled: false
logging.metrics.enabled: false
output.elasticsearch:
enabled: true
index: "logs_forti"
hosts: ['localhost:9200']
fortinet.yml
filebeat.modules:
- module: fortinet
firewall:
enabled: true
var.input: tcp
var.syslog_host: "0.0.0.0"
var.syslog_port: 9004
2020-11-02T09:05:40.204Z INFO instance/beat.go:647 Home path: [/usr/share/filebeat] Config path: [//filebeat/logs]
2020-11-02T09:05:40.204Z DEBUG [beat] instance/beat.go:699 Beat metadata path: /usr/share/filebeat/
2020-11-02T09:05:40.204Z INFO instance/beat.go:655 Beat ID: 76a6ab0b-7cbb-4948-8881-bbd9ce0f4d3e
2020-11-02T09:05:40.204Z DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccom","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","chmod","chown","clock_gettime","c"epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchmodat","fchown","fchownat","fcntl","fdatasyetdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname"1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","mread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat"","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","nk","unlinkat","wait4","waitid","write","writev"],"action":"allow"}]}}}
2020-11-02T09:05:40.204Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully inst
2020-11-02T09:05:40.205Z INFO [beat] instance/beat.go:983 Beat info {"system_info": {"beat":"home": "/usr/share/filebeat", "logs": "/usr/share/filebeat/logs"}, "type": "filebeat", "uuid": "76a6ab0b-7cbb-4
2020-11-02T09:05:40.205Z INFO [beat] instance/beat.go:992 Build info {"system_info": {"build"me": "2020-07-21T15:12:45.000Z", "version": "7.8.1"}}}
2020-11-02T09:05:40.206Z INFO [beat] instance/beat.go:995 Go runtime info {"system_info": {"go": {
2020-11-02T09:05:40.206Z INFO [beat] instance/beat.go:999 Host info {"system_info": {"host":e,"name":"21df9483e813","ip":["127.0.0.1/8","172.17.0.2/16"],"kernel_version":"5.3.0-1032-aws","mac":["02:42:ac:rsion":"7 (Core)","major":7,"minor":8,"patch":2003,"codename":"Core"},"timezone":"UTC","timezone_offset_sec":0,"
2020-11-02T09:05:40.207Z INFO [beat] instance/beat.go:1028 Process info {"system_info": {"procesill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"percap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_overri_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill",udit_write","setfcap"],"ambient":null}, "cwd": "/usr/share/filebeat", "exe": "/usr/share/filebeat/filebeat", "na:true}, "start_time": "2020-11-02T09:05:38.860Z"}}}
2020-11-02T09:05:40.207Z INFO instance/beat.go:310 Setup Beat: filebeat; Version: 7.8.1
2020-11-02T09:05:40.207Z DEBUG [beat] instance/beat.go:336 Initializing output plugins
2020-11-02T09:05:40.207Z INFO eslegclient/connection.go:99 elasticsearch url: http://localhost:9200
2020-11-02T09:05:40.208Z DEBUG [publisher] pipeline/consumer.go:137 start pipeline event con
2020-11-02T09:05:40.208Z INFO [publisher] pipeline/module.go:113 Beat name: 21df9483e813
2020-11-02T09:05:40.213Z INFO beater/filebeat.go:96 Enabled modules/filesets: fortinet (firewall),
2020-11-02T09:05:40.214Z INFO instance/beat.go:463 filebeat start running.
2020-11-02T09:05:40.214Z DEBUG [test] registrar/migrate.go:159 isFile(/usr/share/filebeat/data/
2020-11-02T09:05:40.214Z DEBUG [test] registrar/migrate.go:159 isFile() -> false
2020-11-02T09:05:40.214Z DEBUG [test] registrar/migrate.go:152 isDir(/usr/share/filebeat/data/r
2020-11-02T09:05:40.214Z DEBUG [test] registrar/migrate.go:159 isFile(/usr/share/filebeat/data/
2020-11-02T09:05:40.214Z DEBUG [registrar] registrar/migrate.go:51 Registry type '0' found
2020-11-02T09:05:40.215Z DEBUG [registrar] registrar/registrar.go:125 Registry file set to: /u
2020-11-02T09:05:40.215Z INFO registrar/registrar.go:145 Loading registrar data from /usr/share/f
2020-11-02T09:05:40.215Z INFO registrar/registrar.go:152 States Loaded from registrar: 0
2020-11-02T09:05:40.215Z INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
2020-11-02T09:05:40.215Z DEBUG [registrar] registrar/registrar.go:278 Starting Registrar
2020-11-02T09:05:40.215Z DEBUG [processors] processors/processor.go:101 Generated new processors
2020-11-02T09:05:40.215Z INFO [crawler] beater/crawler.go:141 Starting input (ID: 155424624740
2020-11-02T09:05:40.216Z INFO [crawler] beater/crawler.go:108 Loading and starting Inputs comp
2020-11-02T09:05:40.216Z INFO [input.tcp] tcp/input.go:110 Starting TCP input {"addres
2020-11-02T09:05:40.220Z INFO [tcp] common/listener.go:89 Started listening for TCP connection
2020-11-02T09:05:44.190Z DEBUG [tcp] common/listener.go:132 New client {"address": "0.0.0.0:900
2020-11-02T09:05:50.220Z DEBUG [input] input/input.go:141 Run input
2020-11-02T09:06:00.221Z DEBUG [input] input/input.go:141 Run input
2020-11-02T09:06:10.221Z DEBUG [input] input/input.go:141 Run input