Hi,
I got filebeat running on a pfsense box (using pkgadd beat package):
filebeat version 5.4.3 (amd64), libbeat 5.4.3
I have configured my filebeat agent to grab logs from a path where logs from 2 snort interfaces are located:
ls -alrt /var/log/snort/
total 39
drwxr-xr-x 4 root wheel 5 Feb 7 22:38 .
drwxr-xr-x 8 root wheel 32 Feb 9 18:55 ..
-rw-r--r-- 1 root wheel 67093 Feb 27 12:04 snort_rules_update.log
drwxr-xr-x 3 root wheel 8 Feb 27 12:06 snort_em1.536159
drwxr-xr-x 3 root wheel 6 Feb 27 12:31 snort_pppoe064290
In each snort folder, an alert file is present which contains the alerts:
[2.4.2-RELEASE][admin@pf]/root: tail -1 /var/log/snort/snort_em1.536159/alert
02/27/18-17:46:12.794270 ,119,33,1,"(http_inspect) UNESCAPED SPACE IN HTTP URI",TCP,192.168.5.20,21103,192.168.4.2,3128,0,Unknown Traffic,3
[2.4.2-RELEASE][admin@pf]/root: tail -1 /var/log/snort/snort_pppoe064290/alert
02/27/18-17:20:05.848441 ,140,26,1,"(spp_sip) Method is unknown",UDP,51.15.208.144,5102,69.157.137.159,5060,48979,Potentially Bad Traffic,2
Here is my filebeat.yml config:
#------------------------- File prospectors --------------------------------
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/snort/*/alert
  tags: ["snort_ips"]
  fields_under_root: true
  fields:
    type: "snort"
  document_type: snort
#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["192.168.4.10:5000"]
#---------------------------- filebeat logging -------------------------------
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat.log
  keepfiles: 7
For an unknown reason, only the /var/log/snort/snort_em1.536159/alert file seems to be scanned by the filebeat agent. On my remote logstash destination and in kibana I can't see any events from the pppoe interface, and the filebeat logs do not show any mention of an event seen on snort's pppoe interface...
Any idea?
Thanks!
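A quick way to separate "snort is not writing alerts for that interface" from "filebeat is not shipping them" is to expand the same glob filebeat is given and parse what each matched alert file actually contains. The script below is an added example, not part of the post or of filebeat; it parses the pfSense snort alert CSV layout shown above (the column names, and the reading of the unnamed numeric column after the destination port as the IP id, are assumptions) and summarises the alert count and newest timestamp per interface directory, run here on a constructed copy of the two lines quoted in the post.

```python
import csv
import glob
import io
import os
from datetime import datetime

# Column layout of the pfSense snort "alert" CSV lines quoted in the post.
# Assumption: the unnamed numeric column after dstport is the IP id field.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "srcport",
          "dst", "dstport", "ipid", "classification", "priority"]

def parse_alert_line(line):
    """Parse one snort alert CSV line into a dict; return None if malformed."""
    row = next(csv.reader(io.StringIO(line.strip())))
    if len(row) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, (f.strip() for f in row)))  # note trailing space after timestamp
    try:
        rec["time"] = datetime.strptime(rec["timestamp"], "%m/%d/%y-%H:%M:%S.%f")
        for key in ("gid", "sid", "rev", "srcport", "dstport", "priority"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec

def summarize(alert_files):
    """{path: [lines]} -> {interface_dir: (valid alert count, newest timestamp or None)}."""
    summary = {}
    for path, lines in alert_files.items():
        iface = os.path.basename(os.path.dirname(path))
        recs = [r for r in (parse_alert_line(l) for l in lines) if r]
        newest = max((r["time"] for r in recs), default=None)
        summary[iface] = (len(recs), newest)
    return summary

def read_alert_files(pattern="/var/log/snort/*/alert"):
    """Expand the same glob filebeat is configured with and read every file it matches."""
    return {p: open(p).read().splitlines() for p in sorted(glob.glob(pattern))}

# Constructed sample: the two alert lines quoted in the post, keyed by their paths.
SAMPLE_ALERTS = {
    "/var/log/snort/snort_em1.536159/alert": [
        '02/27/18-17:46:12.794270 ,119,33,1,"(http_inspect) UNESCAPED SPACE IN HTTP URI",'
        'TCP,192.168.5.20,21103,192.168.4.2,3128,0,Unknown Traffic,3'],
    "/var/log/snort/snort_pppoe064290/alert": [
        '02/27/18-17:20:05.848441 ,140,26,1,"(spp_sip) Method is unknown",'
        'UDP,51.15.208.144,5102,69.157.137.159,5060,48979,Potentially Bad Traffic,2'],
}

if __name__ == "__main__":
    for iface, (count, newest) in summarize(SAMPLE_ALERTS).items():
        print(f"{iface}: {count} alert(s), newest {newest}")
```

If an interface directory shows no valid lines here, the gap is on the snort side; if both show recent alerts, compare their newest timestamps with the filebeat registry and harvester log lines for that path.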