Hello,
We configured the PANW module in Filebeat and it is not forwarding syslogs to Elasticsearch. I am seeing syslogs coming in on UDP 514 and also see Filebeat listening on UDP 514, but it is not forwarding the logs properly.
# Module: panw
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.5/filebeat-module-panw.html
- module: panw
  panos:
    enabled: true
    var.input: "syslog"
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514
    # Set which input to use between syslog (default) or file.
    #var.input:
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=18201,fd=12))
udp UNCONN 0 0 *:514 *:* users:(("filebeat",pid=10465,fd=16))
udp UNCONN 0 0 *:2055 *:* users:(("filebeat",pid=10465,fd=15))
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=18201,fd=13))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1071,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1071,fd=4))
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
18:28:13.360406 IP 10.0.5.9.49569 > 10.0.36.245.514: SYSLOG local4.info, length: 1206
18:28:13.466373 IP 10.0.5.9.34011 > 10.0.36.245.514: SYSLOG local4.info, length: 1204
18:28:16.466468 IP 10.0.5.9.49569 > 10.0.36.245.514: SYSLOG local4.info, length: 1211
18:28:20.361454 IP 10.0.5.9.34011 > 10.0.36.245.514: SYSLOG local4.info, length: 1205
18:28:20.466465 IP 10.0.5.9.49569 > 10.0.36.245.514: SYSLOG local4.info, length: 1206
18:28:22.255031 IP 10.0.5.9.34011 > 10.0.36.245.514: SYSLOG local4.info, length: 1204
Any idea what would stop these logs from getting indexed?
Thanks,
Jake