Filebeat PANW Module Not Working

Hello,

We configured the PANW module in Filebeat, and it is not forwarding syslog to Elasticsearch. I am seeing syslog coming in on UDP 514 and also see Filebeat listening on UDP 514, but it is not forwarding logs properly.

# Module: panw
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.5/filebeat-module-panw.html

- module: panw
  panos:
    enabled: true
    var.input: "syslog"
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514
    # Set which input to use between syslog (default) or file.
    #var.input:

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Netid              State                Recv-Q               Send-Q                              Local Address:Port                               Peer Address:Port
udp                UNCONN               0                    0                                   127.0.0.53%lo:53                                      0.0.0.0:*                   users:(("systemd-resolve",pid=18201,fd=12))
udp                UNCONN               0                    0                                               *:514                                           *:*                   users:(("filebeat",pid=10465,fd=16))
udp                UNCONN               0                    0                                               *:2055                                          *:*                   users:(("filebeat",pid=10465,fd=15))
tcp                LISTEN               0                    128                                 127.0.0.53%lo:53                                      0.0.0.0:*                   users:(("systemd-resolve",pid=18201,fd=13))
tcp                LISTEN               0                    128                                       0.0.0.0:22                                      0.0.0.0:*                   users:(("sshd",pid=1071,fd=3))
tcp                LISTEN               0                    128                                          [::]:22                                         [::]:*                   users:(("sshd",pid=1071,fd=4))

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
18:28:13.360406 IP 10.0.5.9.49569 > 10.0.36.245.514: SYSLOG local4.info, length: 1206
18:28:13.466373 IP 10.0.5.9.34011 > 10.0.36.245.514: SYSLOG local4.info, length: 1204
18:28:16.466468 IP 10.0.5.9.49569 > 10.0.36.245.514: SYSLOG local4.info, length: 1211
18:28:20.361454 IP 10.0.5.9.34011 > 10.0.36.245.514: SYSLOG local4.info, length: 1205
18:28:20.466465 IP 10.0.5.9.49569 > 10.0.36.245.514: SYSLOG local4.info, length: 1206
18:28:22.255031 IP 10.0.5.9.34011 > 10.0.36.245.514: SYSLOG local4.info, length: 1204

Any idea what would stop these logs from getting indexed?

Thanks,

Jake
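One way to narrow this down, as an added diagnostic that is not part of the original post or of the Filebeat panw module: send a single constructed PAN-OS-style TRAFFIC event over UDP with the same facility/severity the tcpdump shows (local4.info, PRI 166) and then search the filebeat-* index for it. If the synthetic event is indexed but the firewall's are not, the problem is in how the real messages are formatted or parsed by the panw ingest pipeline; if neither shows up, the fault is downstream of the listener (output or pipeline). The listener address and port, the hostname PA-TEST, the serial number and the IP addresses are assumed/constructed values.

```python
import socket
from datetime import datetime

# Added diagnostic, not code from the original post or from the Filebeat panw module.
# Assumed values: listener address/port match the module config above; the serial
# number, hostname and IP addresses are constructed, not real devices.
FILEBEAT_HOST, FILEBEAT_PORT = "127.0.0.1", 514
LOCAL4, INFO = 20, 6  # facility/severity the tcpdump shows (local4.info)


def build_panos_traffic_csv(src, dst, dport, when=None):
    """Constructed PAN-OS-style TRAFFIC 'end' record in the CSV layout the panw module
    parses: FUTURE_USE, receive time, serial, type, subtype, FUTURE_USE, generated
    time, src, dst, NAT src, NAT dst, rule, src user, dst user, app, vsys, zones, ..."""
    ts = (when or datetime.now()).strftime("%Y/%m/%d %H:%M:%S")
    fields = [
        "1", ts, "000000000000", "TRAFFIC", "end", "2304", ts,
        src, dst, "0.0.0.0", "0.0.0.0", "allow-web", "", "", "ssl", "vsys1",
        "trust", "untrust", "ethernet1/2", "ethernet1/1", "default-log", "",
        "12345", "1", "49152", str(dport), "0", "0", "0x400000", "tcp", "allow",
        "2048", "1024", "1024", "16", ts, "10", "computer-and-internet-info", "",
        "1", "0x0", "10.0.0.0-10.255.255.255", "US", "", "8", "8", "tcp-fin",
    ]
    return ",".join(fields)


def build_syslog_datagram(hostname, msg, facility=LOCAL4, severity=INFO, when=None):
    """Wrap msg in an RFC 3164 header: <PRI>Mmm dd HH:MM:SS hostname msg."""
    stamp = (when or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{stamp} {hostname} {msg}".encode()


def parse_pri(datagram):
    """Decode the <PRI> prefix back into (facility, severity)."""
    pri = int(datagram[1:datagram.index(b">")])
    return pri // 8, pri % 8


def send_test_event(host=FILEBEAT_HOST, port=FILEBEAT_PORT):
    """Send one constructed event to the panw syslog listener; returns the bytes sent
    so the same text can be searched for in the filebeat-* index afterwards."""
    datagram = build_syslog_datagram("PA-TEST", build_panos_traffic_csv("10.0.5.50", "10.0.36.10", 443))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))
    return datagram
```

Run `send_test_event()` on the Filebeat host, then query Kibana for `observer.hostname:PA-TEST` (or simply the serial string) a few seconds later; also compare `parse_pri()` of a real captured datagram against the facility the firewall is configured to send.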
