Filebeat PANW Module Not Working (continued)

Elastic Stack Beats
1

Continuing the discussion from Filebeat PANW Module Not Working:

I have added true to /etc/filebeat/filebeat.yml with no change in behavior.

filebeat.inputs:
- type: log
  # Change to true to enable this input configuration.
  enabled: true

I am still seeing the Palo Alto traffic arriving, just not being forwarded to elasticsearch.

2

hi @savethebyte, you can continue the discussion in the original discuss ticket, opening a new one each time might make the conversation harder to follow.
What do you see in the filebeat logs, can you enable debug logging first and run filebeat?

3

I enabled debug logging and I am seeing the logs showing up in log file but not in kibana.

 "message": "Apr  1 21:58:28 chil-pan-01.acme.com 1,2020/04/01 21:58:28,001801008550,TRAFFIC,end,2304,2020/04/01 21:58:28,172.20.251.67,172.17.1.160,0.0.0.0,0.0.0.0,SDWAN Traffic In,acme\\jsmith,acme\\asmith,dns,vsys1,SDWAN WAN,SDWAN LAN,ethernet1/9.996,ethernet1/9.995,ScienceLogic Forwarding,2020/04/01 21:58:28,157439,1,51000,53,0,0,0x100019,udp,allow,447,92,355,2,2020/04/01 21:57:57,0,any,0,9289264301,0x0,172.16.0.0-172.31.255.255,172.16.0.0-172.31.255.255,0,1,1,aged-out,0,0,0,0,,chil-pan-01,from-policy,,,0,,0,,N/A,0,0,0,0,9e4c0655-87f0-4e6e-9c22-77be394eeed8,0",
      "tags": [
        "pan-os"
      ],
      "service": {
        "type": "panw"
      },
      "event": {
        "outcome": "allow",
        "start": "2020/04/01 21:57:57",
        "duration": "0",
        "module": "panw",
        "dataset": "panw.panos",
        "timezone": "+00:00",
        "created": "2020/04/01 21:58:28"
      },
      "source": {
        "user": {
          "name": "acme\\jsmith"
        },
        "port": "51000",
        "bytes": "355",
        "packets": "1",
        "address": "172.20.251.67",
        "ip": "172.20.251.67",
        "nat": {
          "ip": "0.0.0.0",
          "port": "0"
        }
      },
      "input": {
        "type": "log"
      },
      "destination": {
        "address": "172.17.1.160",
        "nat": {
          "ip": "0.0.0.0",
          "port": "0"
        },
        "user": {
          "name": "acme\\asmith"
        },
        "port": "53",
        "bytes": "92",
        "packets": "1",
        "ip": "172.17.1.160"
      },
      "network": {
        "bytes": "447",
        "packets": "2",
        "community_id": "1:x/xfsr8+xKfVP/JxzyLUquTwVs4=",
        "application": "dns",
        "transport": "udp"
      },
      "host": {
        "name": "logstash-dev",
        "architecture": "x86_64",
        "os": {
          "name": "Ubuntu",
          "kernel": "4.15.0-74-generic",
          "codename": "bionic",
          "platform": "ubuntu",
          "version": "18.04.3 LTS (Bionic Beaver)",
          "family": "debian"
        },
        "id": "27077bc4aa8a4190a09ea8b741456870",
        "containerized": false,
        "hostname": "logstash-dev"
      }
    }
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.