Filebeat Sonicwall module - dissect_parsing_error

I have attempted to enable the SonicWall Filebeat module but it doesn't seem to support our logs fully.

I am running v7.9.2 and looked at enabling this through ingest manager in the Kibana GUI but that doesn't seem to be ready so have enabled the module on Filebeat. Data is coming in but most entries are getting tagged with dissect_parsing_error.

The result seems different depending on the original log message and what values it contains but I don't understand the pipeline files well enough to debug. If someone could point me at what to look at I will happily try to diagnose.

It looks like a lot of it is working and many of the fields are populated but how many depends on the original message. Some will get the source details extracted (source.ip, source.port, etc.) but fail to get the destination details. Others get no IP information and others get all.

Is there a way of determining what part of the log caused the dissect_parsing_error and where in the pipeline.js file that issue was?

Are you using the Elastic Agent or Filebeat to collect the logs?

Filebeat. I tried Elastic Agent but not a lot seemed to happen but that may be me. The documentation on configuring Elastic Agents seems minimal.

I'll try that again and see if I can get it working with Elastic Agent and see if the result is different.

I will do some more testing and update.

If you tried with Filebeat this looks like a module issue. I will move this to the Beats board.
