Filebeat Syslog no listening port

mc.gyver.reboot · June 27, 2023, 10:07am

Good morning,

Configuration:
Ubuntu version 22
Filebeat version 8.8.1
Aucun message d'erreur au lancement de Filebeat

After hours of searching and testing, I can't find why Filebeat isn't listening on the ports I tell it to in the config.

Here is my /etc/filebeat/filebeat.yml file:
I tested several configurations with different ports but nothing the port is not listening with a netstat -tuln | grep 9005 or lsof -i:9000
Of course the port test from another post in telnet IP 9005 or 9000 does not work

============================== Filebeat inputs ===============================

filebeat.inputs:

type: syslog
format: rfc3164
protocol.udp:
host: "0.0.0.0:9005"
type: syslog
format: rfc5424
protocol.tcp:
host: "localhost:9000"

I don't understand start doing to make him listen on a port.

Pity help me

Thank you in advance for your help

leandrojmp · June 27, 2023, 12:35pm

Please share your entire filebeat.yml using the prefromatted text option, the </> button, does not share configurations as plain text.

What do you have in filebeat logs? You need to check filebeat logs.

Also, It is not possible to know if the indentation of your configuration is correct or not, check the indentation, it needs to be like the example.

mc.gyver.reboot · June 27, 2023, 2:02pm

Thanks for answer.

# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:9005"

- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:54321"

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
#####LOG Filebeat######
logging:
  level: info
  to_files: true
  files:
    path: /etc/filebeat/logging
    name: filebeat.log
    keepfiles: 7

Logging Filebeat
Error it is have not configure my logstash but for this test i want just open port fort test

{"log.level":"info","@timestamp":"2023-06-27T16:05:56.955+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:56.955+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 2d7b1168-d00a-4b51-9620-9677fc957e85","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:05:59.957+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": dial tcp 169.254.169.254:80: i/o timeout (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.958+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.959+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"2d7b1168-d00a-4b51-9620-9677fc957e85"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.959+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.959+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.960+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-26T15:20:28+02:00","containerized":false,"name":"exo-ldp-01","ip":["127.0.0.1","::1","10.6.35.67","fe80::250:56ff:fea8:1257"],"kernel_version":"5.15.0-75-generic","mac":["00:50:56:a8:12:57"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.2 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":2,"codename":"jammy"},"timezone":"CEST","timezone_offset_sec":7200,"id":"7a96be1e9f454b23a092165d655500ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.960+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":38813,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-27T16:05:56.140+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.960+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.961+0200","log.origin":{"file.name":"instance/beat.go","file.line":365},"message":"no outputs are defined, please define one under the output section","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.961+0200","log.origin":{"file.name":"instance/beat.go","file.line":472},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:05:59.964+0200","log.origin":{"file.name":"instance/beat.go","file.line":1274},"message":"Exiting: no outputs are defined, please define one under the output section","service.name":"filebeat","ecs.version":"1.6.0"}

leandrojmp · June 27, 2023, 2:19pm

Well, that is the issue then. Filebeat needs an input and an output, if you do not configure an output it will not start.

This is what your error is saying:

Exiting: no outputs are defined, please define one under the output section

mc.gyver.reboot · June 27, 2023, 2:23pm

Thanks for answere

I had already tested before posting my message.
Here are the logs with the valid logstash configuration:
the service start but not lisening
log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
Telnet 9005 or 54321 since another computer nothing.

tesr{"log.level":"info","@timestamp":"2023-06-27T16:13:30.010+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:30.010+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 2d7b1168-d00a-4b51-9620-9677fc957e85","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.011+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.013+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.013+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"2d7b1168-d00a-4b51-9620-9677fc957e85"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.013+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.014+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.014+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-26T15:20:28+02:00","containerized":false,"name":"jrambo-ldp-01","ip":["127.0.0.1","::1","10.6.35.67","fe80::250:56ff:fea8:1257"],"kernel_version":"5.15.0-75-generic","mac":["00:50:56:a8:12:57"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.2 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":2,"codename":"jammy"},"timezone":"CEST","timezone_offset_sec":7200,"id":"7a96be1e9f454b23a092165d655500ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.015+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":39645,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-27T16:13:29.180+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.015+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.019+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.019+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: jrambo-ldp-01","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.019+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.019+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 13082177524297232748)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 5155010001678588112)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.022+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.022+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.022+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:36.015+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:14:03.025+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":35397632}}}},"cpu":{"system":{"ticks":20,"time":{"ms":20}},"total":{"ticks":110,"time":{"ms":110},"value":110},"user":{"ticks":90,"time":{"ms":90}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":13},"info":{"ephemeral_id":"0ec76ec0-b1d2-407a-b448-6da30178c4bb","name":"filebeat","uptime":{"ms":33069},"version":"8.8.1"},"memstats":{"gc_next":19009704,"memory_alloc":12574992,"memory_sys":37336328,"memory_total":51687720,"rss":89526272},"runtime":{"goroutines":32}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1,"scans":2},"output":{"events":{"active":0},"type":"logstash"},"pipeline":{"clients":2,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0.05,"15":0.04,"5":0.07,"norm":{"1":0.025,"15":0.02,"5":0.035}}}},"ecs.version":"1.6.0"}}

The log if active module system.yml
sending logs works but still no syslog reception on ports 9005 or 54321 because the ports are not listening

{"log.level":"info","@timestamp":"2023-06-27T16:30:03.254+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:03.254+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 2d7b1168-d00a-4b51-9620-9677fc957e85","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.255+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"2d7b1168-d00a-4b51-9620-9677fc957e85"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.258+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-26T15:20:28+02:00","containerized":false,"name":"jrambo-ldp-01","ip":["127.0.0.1","::1","10.6.35.67","fe80::250:56ff:fea8:1257"],"kernel_version":"5.15.0-75-generic","mac":["00:50:56:a8:12:57"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.2 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":2,"codename":"jammy"},"timezone":"CEST","timezone_offset_sec":7200,"id":"7a96be1e9f454b23a092165d655500ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.259+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":39690,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-27T16:30:02.420+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.259+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.262+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: jrambo-ldp-01","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.263+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.264+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 13082177524297232748)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 5155010001678588112)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.266+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.266+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:09.256+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:16.268+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:16.270+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:26.272+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:26.272+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:36.271+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":34181120}}}},"cpu":{"system":{"ticks":30,"time":{"ms":30}},"total":{"ticks":110,"time":{"ms":110},"value":110},"user":{"ticks":80,"time":{"ms":80}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":13},"info":{"ephemeral_id":"cb366e6f-b232-4dc4-8302-3f81468e4c2b","name":"filebeat","uptime":{"ms":33071},"version":"8.8.1"},"memstats":{"gc_next":19222328,"memory_alloc":12832592,"memory_sys":33142024,"memory_total":51802136,"rss":90779648},"runtime":{"goroutines":32}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":2,"scans":2},"output":{"events":{"active":0},"type":"logstash"},"pipeline":{"clients":2,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:36.273+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:36.273+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:46.275+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:46.275+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:56.277+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:56.277+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:31:06.271+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":34144256}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":130,"time":{"ms":20},"value":130},"user":{"ticks":100,"time":{"ms":20}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":13},"info":{"ephemeral_id":"cb366e6f-b232-4dc4-8302-3f81468e4c2b","uptime":{"ms":63070},"version":"8.8.1"},"memstats":{"gc_next":19222328,"memory_alloc":13381616,"memory_total":52351160,"rss":90779648},"runtime":{"goroutines":32}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":3,"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:31:06.279+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:31:06.279+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}

mc.gyver.reboot · June 29, 2023, 8:48am

I have test with debian 12.
When active system.yml no send log in logstash.
The same setup in ubuntu it is ok ....

On the other hand the ports are listening!

deb:/etc/filebeat# lsof -i :9005
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1305 root   17u  IPv6  17789      0t0  UDP *:9005
deb:/etc/filebeat# lsof -i :54321
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1305 root   18u  IPv4  17792      0t0  TCP localhost:54321 (LISTEN)

Configuration filebeat.yml


# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:9005"
  enabled: true

- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:54321"
  enabled: true


# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================



fields_under_root: true
fields:
  X-TOKEN: 'XXXXX'



# ------------------------------ Logstash Output -------------------------------


output.logstash:
# Boolean flag to enable or disable the output module.
  enabled: true

  # The Logstash hosts
  hosts: ["XXXXXX.com:5044"]

  # Set gzip compression level.
  compression_level: 3

  # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
  ssl.enabled: true





# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

#####LOG Filebeat######
logging:
  level: info
  to_files: true
  files:
    path: /etc/filebeat/logging
    name: filebeat.log
    keepfiles: 7

Log file

{"log.level":"info","@timestamp":"2023-06-29T10:39:50.432+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:50.432+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 1108acb7-4b47-487e-a924-7f04e272e3ff","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.433+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"1108acb7-4b47-487e-a924-7f04e272e3ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.436+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-29T09:33:47+02:00","containerized":false,"name":"test-deb","ip":["127.0.0.1","::1","10.6.35.68","fe80::250:56ff:fea8:8416"],"kernel_version":"6.1.0-9-amd64","mac":["00:50:56:a8:84:16"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"12 (bookworm)","major":12,"minor":0,"patch":0,"codename":"bookworm"},"timezone":"CEST","timezone_offset_sec":7200,"id":"885580aaa71546aea516421625084140"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.437+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":1541,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-29T10:39:49.890+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.437+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.440+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: test-deb","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.441+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.442+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=14","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.445+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=14","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.445+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 14210727748829489439)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.enabled filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 3977198494186340515)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.447+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.447+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:56.434+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.449+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: fortinet (firewall)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"input.udp","log.origin":{"file.name":"compat/compat.go","file.line":120},"message":"Input 'udp' starting","service.name":"filebeat","id":"43FD4028AD7F7530","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"input.udp","log.origin":{"file.name":"udp/input.go","file.line":106},"message":"starting udp socket input","service.name":"filebeat","id":"43FD4028AD7F7530","host":"localhost:9004","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"metric_registry","log.origin":{"file.name":"inputmon/input.go","file.line":53},"message":"registering","service.name":"filebeat","input_type":"udp","id":"43FD4028AD7F7530","key":"43FD4028AD7F7530","uuid":"846cf4c6-ba18-4eb3-8db6-73a8fa463afe","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":72},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:40:03.452+0200","log.logger":"input.udp","log.origin":{"file.name":"udp/input.go","file.line":249},"message":"failed to parse IPv6 addrs for metric collection [\"0:232c\" \"0:232c\"]","service.name":"filebeat","id":"43FD4028AD7F7530","host":"localhost:9004","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.452+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: system (syslog), system (auth)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:40:03.453+0200","log.logger":"cfgwarn","log.origin":{"file.name":"log/input.go","file.line":90},"message":"DEPRECATED: Log input. Use Filestream input instead.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.453+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/messages* /var/log/syslog*]","service.name":"filebeat","input_id":"920238b6-3cbb-4ca8-a574-4d00ab43d0fa","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.454+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/auth.log* /var/log/secure*]","service.name":"filebeat","input_id":"44a444c8-abbc-484e-ba13-db23aaa76774","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":35409920}}}},"cpu":{"system":{"ticks":20,"time":{"ms":20}},"total":{"ticks":100,"time":{"ms":100},"value":100},"user":{"ticks":80,"time":{"ms":80}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","name":"filebeat","uptime":{"ms":33061},"version":"8.8.1"},"memstats":{"gc_next":18294392,"memory_alloc":13522840,"memory_sys":33142024,"memory_total":52572952,"rss":89825280},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2,"starts":2},"reloads":1,"scans":2},"output":{"events":{"active":0},"type":"logstash"},"pipeline":{"clients":5,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0.01,"15":0,"5":0,"norm":{"1":0.005,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:40:53.446+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":43003904}}}},"cpu":{"system":{"ticks":30,"time":{"ms":10}},"total":{"ticks":110,"time":{"ms":10},"value":110},"user":{"ticks":80}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":63062},"version":"8.8.1"},"memstats":{"gc_next":18294392,"memory_alloc":13777632,"memory_total":52827744,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:41:23.446+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42881024}}}},"cpu":{"system":{"ticks":40,"time":{"ms":10}},"total":{"ticks":130,"time":{"ms":20},"value":130},"user":{"ticks":90,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":93064},"version":"8.8.1"},"memstats":{"gc_next":18294392,"memory_alloc":14199104,"memory_total":53249216,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:41:53.449+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42885120}}}},"cpu":{"system":{"ticks":40},"total":{"ticks":140,"time":{"ms":10},"value":140},"user":{"ticks":100,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":123062},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9004840,"memory_total":53562616,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:42:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42917888}}}},"cpu":{"system":{"ticks":40},"total":{"ticks":160,"time":{"ms":20},"value":160},"user":{"ticks":120,"time":{"ms":20}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":153063},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9275344,"memory_total":53833120,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:42:53.446+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":43180032}}}},"cpu":{"system":{"ticks":40},"total":{"ticks":160,"value":160},"user":{"ticks":120}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":183064},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9537216,"memory_total":54094992,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:43:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42938368}}}},"cpu":{"system":{"ticks":50,"time":{"ms":10}},"total":{"ticks":170,"time":{"ms":10},"value":170},"user":{"ticks":120}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":213061},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9852680,"memory_total":54410456,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:43:53.444+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":43200512}}}},"cpu":{"system":{"ticks":60,"time":{"ms":10}},"total":{"ticks":190,"time":{"ms":20},"value":190},"user":{"ticks":130,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":243061},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":10000120,"memory_total":54557896,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:44:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":40087552}}}},"cpu":{"system":{"ticks":60},"total":{"ticks":200,"time":{"ms":10},"value":200},"user":{"ticks":140,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":273064},"version":"8.8.1"},"memstats":{"gc_next":18118968,"memory_alloc":8923008,"memory_total":54942704,"rss":93691904},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}

Do you need a particular linux distribution?

Thank you in advance for your help.

leandrojmp · June 29, 2023, 11:43am

No, it should work since it also works on Ubuntu.

I see no issues on your logfile, how does your system.yml looks like?

mc.gyver.reboot · June 29, 2023, 1:54pm

Thank you for helping me.

Configuration system.yml in ubuntu

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Configuration system.yml in Debian

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

I don't see why there is a difference in behavior. Ubuntu allows logs to be sent with the system.yml module but does not allow listening to ports 5009 and 54321 for the syslog.

On the Debian side, no sending with the system.yml module which is identical to that of ubuntu. But ports 9005 and 54321 are listening for the syslog (but the modules do not work and therefore the fortinet.yml module also).

Thanks again in advance for your help.

mc.gyver.reboot · July 4, 2023, 7:00am

Good morning,

I also did a test in filebeat version 7.12.1 and 8.8.2 but same errors.

Help me, Obi-Wan Kenobi. You're my only hope...

system · July 4, 2023, 7:00am

version 7.12.1 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

leandrojmp · July 4, 2023, 12:49pm

Hello,

It is a little confusing since you are sharing things from two operating systems and it is not clear what is from where and what is not working.

You need to explain how the configurations looks like in each system and what is not working in each system.

I will suggest that you first share from just one operating system and try to fix it, trying to fix two issues at the same time will probably lead to confusion.

Please share the filebeat.yml that you are using on your Debian system, and the logs from filebeat when you start it.

mc.gyver.reboot · July 4, 2023, 2:35pm

Hello, thank you for your accompaniement.

Configuration:
Debian version 12
Filebeat version 8.8.2

File /etc/filebeat/filebeat.yml

###################### Filebeat Configuration Example #########################

#=========================== Filebeat inputs =============================

filebeat.inputs:


- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:9005"
  enabled: true

- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:54321"
  enabled: true

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /etc/filebeat/log/*.log



#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: /etc/filebeat/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  reload.period: 10s

#================================ General =====================================


fields_under_root: true
fields:
  X-XXX-TOKEN: 'XXXXXXXX'

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#----------------------------- Logstash output --------------------------------
output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true

  # The Logstash hosts
  hosts: ["graX.logs.XXXX.com:5044"]

  # Set gzip compression level.
  compression_level: 3

  # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
  ssl.enabled: true



#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================




logging:
  level: info
  to_files: true
  files:
    path: /etc/filebeat/logging
    name: filebeat.log
    keepfiles: 7

File /etc/filebeat/log/test2.log


2023-07-04T15:20:45.123Z [DEBUG] - Processing request: GET /api/users/123
2023-07-04T15:20:45.456Z [INFO] - User 'john.doe' successfully authenticated.
2023-07-04T15:20:46.789Z [ERROR] - An error occurred while processing the request: 500 Internal Server Error
2023-07-04T15:20:47.987Z [WARNING] - Disk space usage exceeds 90%.

File modules.d/system.yml

# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.8/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Log after start filebeat

{"log.level":"info","@timestamp":"2023-07-04T16:33:23.476+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:23.476+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 31d34688-836e-43ca-96ed-ec56e5971a90","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.478+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"31d34688-836e-43ca-96ed-ec56e5971a90"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.480+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-07-03T11:12:47+02:00","containerized":false,"name":"test-ovh-deb","ip":["127.0.0.1","::1","10.6.35.68","fe80::250:56ff:fea8:8416"],"kernel_version":"6.1.0-9-amd64","mac":["00:50:56:a8:84:16"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"12 (bookworm)","major":12,"minor":0,"patch":0,"codename":"bookworm"},"timezone":"CEST","timezone_offset_sec":7200,"id":"885580aaa71546aea516421625084140"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.480+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":2532,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-07-04T16:33:22.460+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.480+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.484+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.484+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: test-ovh-deb","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.484+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.484+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.485+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.485+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.485+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.488+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.489+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 14210727748829489439)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.enabled filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 3977198494186340515)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.2.enabled filebeat.inputs.2.paths.0 filebeat.inputs.2.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"cfgwarn","log.origin":{"file.name":"log/input.go","file.line":90},"message":"DEPRECATED: Log input. Use Filestream input instead.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/etc/filebeat/log/*.log]","service.name":"filebeat","input_id":"86c4c82f-241d-4e2f-8d0d-91bb4b6cd77a","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 5087069951478327760)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.491+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.491+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.491+0200","log.logger":"input.harvester","log.origin":{"file.name":"log/harvester.go","file.line":311},"message":"Harvester started for paths: [/etc/filebeat/log/*.log]","service.name":"filebeat","input_id":"86c4c82f-241d-4e2f-8d0d-91bb4b6cd77a","source_file":"/etc/filebeat/log/test2.log","state_id":"native::2360381-2049","finished":false,"os_id":"2360381-2049","harvester_id":"4e83b194-7416-4d35-a3f3-b6bb0d55c3e4","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:29.481+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:30.481+0200","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":137},"message":"Connecting to backoff(async(tcp://gra2.logs.ovh.com:5044))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:30.569+0200","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":145},"message":"Connection to backoff(async(tcp://gra2.logs.ovh.com:5044)) established","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:36.494+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: system (syslog), system (auth)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:36.496+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/messages* /var/log/syslog*]","service.name":"filebeat","input_id":"556a595d-515e-4c12-aae3-c198a3aa67ef","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:36.497+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/auth.log* /var/log/secure*]","service.name":"filebeat","input_id":"6f49a0ee-cf4e-4484-a19a-3af4db4158cb","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:56.490+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":40390656}}}},"cpu":{"system":{"ticks":30,"time":{"ms":30}},"total":{"ticks":150,"time":{"ms":150},"value":150},"user":{"ticks":120,"time":{"ms":120}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"39bbe4d5-b3bc-4931-8a57-eafa8a04774b","name":"filebeat","uptime":{"ms":33063},"version":"8.8.1"},"memstats":{"gc_next":21222296,"memory_alloc":10836544,"memory_sys":37336328,"memory_total":57509240,"rss":97402880},"runtime":{"goroutines":52}},"filebeat":{"events":{"active":0,"added":7,"done":7},"harvester":{"open_files":1,"running":1,"started":1}},"libbeat":{"config":{"module":{"running":1,"starts":1},"reloads":1,"scans":2},"output":{"events":{"acked":4,"active":0,"batches":1,"total":4},"read":{"bytes":6390},"type":"logstash","write":{"bytes":1299}},"pipeline":{"clients":5,"events":{"active":0,"filtered":3,"published":4,"retry":4,"total":7},"queue":{"acked":4,"max_events":4096}}},"registrar":{"states":{"cleanup":1,"current":1,"update":7},"writes":{"success":2,"total":2}},"system":{"cpu":{"cores":2},"load":{"1":0.04,"15":0.01,"5":0.03,"norm":{"1":0.02,"15":0.005,"5":0.015}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:34:26.491+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":49864704}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":160,"time":{"ms":10},"value":160},"user":{"ticks":130,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"39bbe4d5-b3bc-4931-8a57-eafa8a04774b","uptime":{"ms":63064},"version":"8.8.1"},"memstats":{"gc_next":21222296,"memory_alloc":11166152,"memory_total":57838848,"rss":106799104},"runtime":{"goroutines":52}},"filebeat":{"events":{"active":0},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":0.02,"15":0,"5":0.03,"norm":{"1":0.01,"15":0,"5":0.015}}}},"ecs.version":"1.6.0"}}

Sending logs to /etc/filebeat/log/test2.log works.
Sending system logs via the system.yml module does not work.
The same configuration under ubuntu works.

Thank you again in advance for your future help.

leandrojmp · July 4, 2023, 3:05pm

The system syslog module looks at /var/log/messages* or /var/log/syslog* and the auth module looks at /var/log/secure or /var/log/auth.log*

Do you have any of those files in your Debian? It looks like that Debian 12 does not install rsyslog per default, so without rsyslog you will not have any of those files.

mc.gyver.reboot · July 5, 2023, 7:29am

Thank you.
The command apt-get install rsyslog allows to run the system.yml module.

Now that I'm sure the modules are working I have to activate the fortinet.yml module in order to retrieve the logs on port 9005 and send them to the logstash.

Listening on port 9005 works

deb:/etc/filebeat# lsof -i :9005
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1305 root   17u  IPv6  17789      0t0  UDP *:9005

When I listen from Debian to the port on which my fortigate is sent tcpdump -n -e -i enp11s0 host 10.1.1.78 I have traffic.

09:19:32.730480 00:09:0f:09:00:06 > 00:50:56:a8:84:16, ethertype IPv4 (0x0800), length 74: 10.1.1.78.7106 > 10.1.1.68.9005: Flags [S], seq 223742045, win 65535, options [mss 1460,sackOK,TS val 180038104 ecr 0,nop,wscale 11], length 0
09:19:32.730497 00:50:56:a8:84:16 > 00:09:0f:09:00:06, ethertype IPv4 (0x0800), length 54: 10.1.1.68.9005 > 10.1.1.78.7106: Flags [R.], seq 0, ack 223742046, win 0, length 0

Unfortunately I don't understand why the stream is not sent to the logstash.

Thank you again for your help.

mc.gyver.reboot · July 5, 2023, 7:55am

After having also modified the file format, it works.

config log syslogd setting

    set status enable

    set server "IPduServeurQuiVaReceptionnerLesLog"

    set mode udp

    set port 9005

    set source-ip ''

    set format default

end

Thank you very much leandrojmp.

mc.gyver.reboot · July 13, 2023, 2:35pm

For ubuntu 22 it is functional with filebeat 8.2.2 !

system · August 10, 2023, 2:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Syslog isn't Opening Port Beats filebeat	5	1261	June 3, 2021
Cisco filebeat module not listening on port as configured Elasticsearch	19	546	October 3, 2023
Filebeat won't collect syslogs over network Beats filebeat	2	2159	July 12, 2019
Can't get filebeat to work properly on any port other than 9200 Beats	10	4182	September 27, 2017
Filebeat use default port instead of my port Beats filebeat	3	823	December 8, 2020

Filebeat Syslog no listening port

============================== Filebeat inputs ===============================

Related Topics