Filebeat Syslog no listening port

Good morning,

Configuration:
Ubuntu version 22
Filebeat version 8.8.1
No error message when starting Filebeat

After hours of searching and testing, I can't find why Filebeat isn't listening on the ports I tell it to in the config.

Here is my /etc/filebeat/filebeat.yml file:
I tested several configurations with different ports, but nothing: the port is not listening according to netstat -tuln | grep 9005 or lsof -i:9000.
Of course, the port test from another post with telnet IP 9005 or 9000 does not work.

============================== Filebeat inputs ===============================

filebeat.inputs:

  • type: syslog
    format: rfc3164
    protocol.udp:
    host: "0.0.0.0:9005"

  • type: syslog
    format: rfc5424
    protocol.tcp:
    host: "localhost:9000"

I don't understand what to do to make it listen on a port.

Please help me :)

Thank you in advance for your help

Please share your entire filebeat.yml using the preformatted text option, the </> button; do not share configurations as plain text.

What do you have in filebeat logs? You need to check filebeat logs.

Also, it is not possible to know if the indentation of your configuration is correct or not. Check the indentation; it needs to be like the example.

Thanks for the answer.

# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:9005"

- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:54321"

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
#####LOG Filebeat######
logging:
  level: info
  to_files: true
  files:
    path: /etc/filebeat/logging
    name: filebeat.log
    keepfiles: 7

Logging Filebeat
The error is that I have not configured my Logstash, but for this test I just want to open a port for testing.

{"log.level":"info","@timestamp":"2023-06-27T16:05:56.955+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:56.955+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 2d7b1168-d00a-4b51-9620-9677fc957e85","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:05:59.957+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": dial tcp 169.254.169.254:80: i/o timeout (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.958+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.959+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"2d7b1168-d00a-4b51-9620-9677fc957e85"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.959+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.959+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.960+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-26T15:20:28+02:00","containerized":false,"name":"exo-ldp-01","ip":["127.0.0.1","::1","10.6.35.67","fe80::250:56ff:fea8:1257"],"kernel_version":"5.15.0-75-generic","mac":["00:50:56:a8:12:57"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.2 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":2,"codename":"jammy"},"timezone":"CEST","timezone_offset_sec":7200,"id":"7a96be1e9f454b23a092165d655500ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.960+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":38813,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-27T16:05:56.140+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.960+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.961+0200","log.origin":{"file.name":"instance/beat.go","file.line":365},"message":"no outputs are defined, please define one under the output section","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:05:59.961+0200","log.origin":{"file.name":"instance/beat.go","file.line":472},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:05:59.964+0200","log.origin":{"file.name":"instance/beat.go","file.line":1274},"message":"Exiting: no outputs are defined, please define one under the output section","service.name":"filebeat","ecs.version":"1.6.0"}

Well, that is the issue then. Filebeat needs an input and an output; if you do not configure an output, it will not start.

This is what your error is saying:

Exiting: no outputs are defined, please define one under the output section

Thanks for the answer.

I had already tested before posting my message.
Here are the logs with the valid logstash configuration:
The service starts but is not listening:
log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
Telnet to 9005 or 54321 from another computer: nothing.

{"log.level":"info","@timestamp":"2023-06-27T16:13:30.010+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:30.010+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 2d7b1168-d00a-4b51-9620-9677fc957e85","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.011+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.013+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.013+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"2d7b1168-d00a-4b51-9620-9677fc957e85"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.013+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.014+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.014+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-26T15:20:28+02:00","containerized":false,"name":"jrambo-ldp-01","ip":["127.0.0.1","::1","10.6.35.67","fe80::250:56ff:fea8:1257"],"kernel_version":"5.15.0-75-generic","mac":["00:50:56:a8:12:57"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.2 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":2,"codename":"jammy"},"timezone":"CEST","timezone_offset_sec":7200,"id":"7a96be1e9f454b23a092165d655500ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.015+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":39645,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-27T16:13:29.180+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.015+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.019+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.019+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: jrambo-ldp-01","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.019+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.019+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:13:33.020+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 13082177524297232748)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 5155010001678588112)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.021+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.022+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.022+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:33.022+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:13:36.015+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:14:03.025+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":35397632}}}},"cpu":{"system":{"ticks":20,"time":{"ms":20}},"total":{"ticks":110,"time":{"ms":110},"value":110},"user":{"ticks":90,"time":{"ms":90}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":13},"info":{"ephemeral_id":"0ec76ec0-b1d2-407a-b448-6da30178c4bb","name":"filebeat","uptime":{"ms":33069},"version":"8.8.1"},"memstats":{"gc_next":19009704,"memory_alloc":12574992,"memory_sys":37336328,"memory_total":51687720,"rss":89526272},"runtime":{"goroutines":32}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1,"scans":2},"output":{"events":{"active":0},"type":"logstash"},"pipeline":{"clients":2,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0.05,"15":0.04,"5":0.07,"norm":{"1":0.025,"15":0.02,"5":0.035}}}},"ecs.version":"1.6.0"}}

The log when I activate the module system.yml:
Sending logs works, but there is still no syslog reception on ports 9005 or 54321 because the ports are not listening.

{"log.level":"info","@timestamp":"2023-06-27T16:30:03.254+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:03.254+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 2d7b1168-d00a-4b51-9620-9677fc957e85","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.255+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"2d7b1168-d00a-4b51-9620-9677fc957e85"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.257+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.258+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-26T15:20:28+02:00","containerized":false,"name":"jrambo-ldp-01","ip":["127.0.0.1","::1","10.6.35.67","fe80::250:56ff:fea8:1257"],"kernel_version":"5.15.0-75-generic","mac":["00:50:56:a8:12:57"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.2 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":2,"codename":"jammy"},"timezone":"CEST","timezone_offset_sec":7200,"id":"7a96be1e9f454b23a092165d655500ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.259+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":39690,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-27T16:30:02.420+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.259+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.262+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: jrambo-ldp-01","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.263+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-27T16:30:06.264+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.264+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 13082177524297232748)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 5155010001678588112)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.263+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.265+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.266+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:06.266+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:09.256+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:16.268+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:16.270+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:26.272+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:26.272+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:36.271+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":34181120}}}},"cpu":{"system":{"ticks":30,"time":{"ms":30}},"total":{"ticks":110,"time":{"ms":110},"value":110},"user":{"ticks":80,"time":{"ms":80}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":13},"info":{"ephemeral_id":"cb366e6f-b232-4dc4-8302-3f81468e4c2b","name":"filebeat","uptime":{"ms":33071},"version":"8.8.1"},"memstats":{"gc_next":19222328,"memory_alloc":12832592,"memory_sys":33142024,"memory_total":51802136,"rss":90779648},"runtime":{"goroutines":32}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":2,"scans":2},"output":{"events":{"active":0},"type":"logstash"},"pipeline":{"clients":2,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:30:36.273+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:36.273+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:46.275+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:46.275+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:30:56.277+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:30:56.277+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-27T16:31:06.271+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":34144256}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":130,"time":{"ms":20},"value":130},"user":{"ticks":100,"time":{"ms":20}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":13},"info":{"ephemeral_id":"cb366e6f-b232-4dc4-8302-3f81468e4c2b","uptime":{"ms":63070},"version":"8.8.1"},"memstats":{"gc_next":19222328,"memory_alloc":13381616,"memory_total":52351160,"rss":90779648},"runtime":{"goroutines":32}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":3,"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-27T16:31:06.279+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-06-27T16:31:06.279+0200","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}

I have tested with Debian 12.
When system.yml is active, no logs are sent to Logstash.
The same setup on Ubuntu is OK.

On the other hand, the ports are listening!

deb:/etc/filebeat# lsof -i :9005
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1305 root   17u  IPv6  17789      0t0  UDP *:9005
deb:/etc/filebeat# lsof -i :54321
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1305 root   18u  IPv4  17792      0t0  TCP localhost:54321 (LISTEN)

Configuration filebeat.yml


# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:9005"
  enabled: true

- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:54321"
  enabled: true


# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================



fields_under_root: true
fields:
  X-TOKEN: 'XXXXX'



# ------------------------------ Logstash Output -------------------------------


output.logstash:
# Boolean flag to enable or disable the output module.
  enabled: true

  # The Logstash hosts
  hosts: ["XXXXXX.com:5044"]

  # Set gzip compression level.
  compression_level: 3

  # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
  ssl.enabled: true





# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

#####LOG Filebeat######
logging:
  level: info
  to_files: true
  files:
    path: /etc/filebeat/logging
    name: filebeat.log
    keepfiles: 7

Log file

{"log.level":"info","@timestamp":"2023-06-29T10:39:50.432+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:50.432+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 1108acb7-4b47-487e-a924-7f04e272e3ff","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.433+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"1108acb7-4b47-487e-a924-7f04e272e3ff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.435+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.436+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-06-29T09:33:47+02:00","containerized":false,"name":"test-deb","ip":["127.0.0.1","::1","10.6.35.68","fe80::250:56ff:fea8:8416"],"kernel_version":"6.1.0-9-amd64","mac":["00:50:56:a8:84:16"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"12 (bookworm)","major":12,"minor":0,"patch":0,"codename":"bookworm"},"timezone":"CEST","timezone_offset_sec":7200,"id":"885580aaa71546aea516421625084140"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.437+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":1541,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-06-29T10:39:49.890+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.437+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.440+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: test-deb","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.441+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.441+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.442+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=14","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.445+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=14","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:39:53.445+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 14210727748829489439)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.enabled filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 3977198494186340515)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.446+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.447+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:53.447+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:39:56.434+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.449+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: fortinet (firewall)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"input.udp","log.origin":{"file.name":"compat/compat.go","file.line":120},"message":"Input 'udp' starting","service.name":"filebeat","id":"43FD4028AD7F7530","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"input.udp","log.origin":{"file.name":"udp/input.go","file.line":106},"message":"starting udp socket input","service.name":"filebeat","id":"43FD4028AD7F7530","host":"localhost:9004","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"metric_registry","log.origin":{"file.name":"inputmon/input.go","file.line":53},"message":"registering","service.name":"filebeat","input_type":"udp","id":"43FD4028AD7F7530","key":"43FD4028AD7F7530","uuid":"846cf4c6-ba18-4eb3-8db6-73a8fa463afe","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.451+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":72},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:40:03.452+0200","log.logger":"input.udp","log.origin":{"file.name":"udp/input.go","file.line":249},"message":"failed to parse IPv6 addrs for metric collection [\"0:232c\" \"0:232c\"]","service.name":"filebeat","id":"43FD4028AD7F7530","host":"localhost:9004","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.452+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: system (syslog), system (auth)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-29T10:40:03.453+0200","log.logger":"cfgwarn","log.origin":{"file.name":"log/input.go","file.line":90},"message":"DEPRECATED: Log input. Use Filestream input instead.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.453+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/messages* /var/log/syslog*]","service.name":"filebeat","input_id":"920238b6-3cbb-4ca8-a574-4d00ab43d0fa","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:03.454+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/auth.log* /var/log/secure*]","service.name":"filebeat","input_id":"44a444c8-abbc-484e-ba13-db23aaa76774","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-29T10:40:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":35409920}}}},"cpu":{"system":{"ticks":20,"time":{"ms":20}},"total":{"ticks":100,"time":{"ms":100},"value":100},"user":{"ticks":80,"time":{"ms":80}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","name":"filebeat","uptime":{"ms":33061},"version":"8.8.1"},"memstats":{"gc_next":18294392,"memory_alloc":13522840,"memory_sys":33142024,"memory_total":52572952,"rss":89825280},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2,"starts":2},"reloads":1,"scans":2},"output":{"events":{"active":0},"type":"logstash"},"pipeline":{"clients":5,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0.01,"15":0,"5":0,"norm":{"1":0.005,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:40:53.446+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":43003904}}}},"cpu":{"system":{"ticks":30,"time":{"ms":10}},"total":{"ticks":110,"time":{"ms":10},"value":110},"user":{"ticks":80}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":63062},"version":"8.8.1"},"memstats":{"gc_next":18294392,"memory_alloc":13777632,"memory_total":52827744,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:41:23.446+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42881024}}}},"cpu":{"system":{"ticks":40,"time":{"ms":10}},"total":{"ticks":130,"time":{"ms":20},"value":130},"user":{"ticks":90,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":93064},"version":"8.8.1"},"memstats":{"gc_next":18294392,"memory_alloc":14199104,"memory_total":53249216,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:41:53.449+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42885120}}}},"cpu":{"system":{"ticks":40},"total":{"ticks":140,"time":{"ms":10},"value":140},"user":{"ticks":100,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":123062},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9004840,"memory_total":53562616,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:42:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42917888}}}},"cpu":{"system":{"ticks":40},"total":{"ticks":160,"time":{"ms":20},"value":160},"user":{"ticks":120,"time":{"ms":20}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":153063},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9275344,"memory_total":53833120,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:42:53.446+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":43180032}}}},"cpu":{"system":{"ticks":40},"total":{"ticks":160,"value":160},"user":{"ticks":120}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":183064},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9537216,"memory_total":54094992,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:43:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":42938368}}}},"cpu":{"system":{"ticks":50,"time":{"ms":10}},"total":{"ticks":170,"time":{"ms":10},"value":170},"user":{"ticks":120}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":213061},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":9852680,"memory_total":54410456,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:43:53.444+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":43200512}}}},"cpu":{"system":{"ticks":60,"time":{"ms":10}},"total":{"ticks":190,"time":{"ms":20},"value":190},"user":{"ticks":130,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":243061},"version":"8.8.1"},"memstats":{"gc_next":18636856,"memory_alloc":10000120,"memory_total":54557896,"rss":97157120},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-06-29T10:44:23.445+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":40087552}}}},"cpu":{"system":{"ticks":60},"total":{"ticks":200,"time":{"ms":10},"value":200},"user":{"ticks":140,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":14},"info":{"ephemeral_id":"00bb1159-ecb4-4478-a222-70a40aa1ac7a","uptime":{"ms":273064},"version":"8.8.1"},"memstats":{"gc_next":18118968,"memory_alloc":8923008,"memory_total":54942704,"rss":93691904},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}

Do you need a particular linux distribution?

Thank you in advance for your help.

No, it should work since it also works on Ubuntu.

I see no issues in your logfile. What does your system.yml look like?

Thank you for helping me.

Configuration system.yml in Ubuntu

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Configuration system.yml in Debian

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

I don't see why there is a difference in behavior. Ubuntu allows logs to be sent with the system.yml module but does not allow listening to ports 5009 and 54321 for the syslog.

On the Debian side, nothing is sent with the system.yml module, which is identical to the one on Ubuntu. But ports 9005 and 54321 are listening for syslog (but the modules do not work, and therefore neither does the fortinet.yml module).

Thanks again in advance for your help.

Good morning,

I also tested with Filebeat versions 7.12.1 and 8.8.2, but got the same errors.

Help me, Obi-Wan Kenobi. You're my only hope...

version 7.12.1 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Hello,

It is a little confusing since you are sharing things from two operating systems and it is not clear what is from where and what is not working.

You need to explain what the configurations look like in each system and what is not working in each system.

I suggest that you first share from just one operating system and try to fix it. Trying to fix two issues at the same time will probably lead to confusion.

Please share the filebeat.yml that you are using on your Debian system, and the logs from filebeat when you start it.

Hello, thank you for your accompaniment.

Configuration:
Debian version 12
Filebeat version 8.8.2

File /etc/filebeat/filebeat.yml

###################### Filebeat Configuration Example #########################

#=========================== Filebeat inputs =============================

filebeat.inputs:


- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:9005"
  enabled: true

- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:54321"
  enabled: true

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /etc/filebeat/log/*.log



#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: /etc/filebeat/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  reload.period: 10s

#================================ General =====================================


fields_under_root: true
fields:
  X-XXX-TOKEN: 'XXXXXXXX'

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#----------------------------- Logstash output --------------------------------
output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true

  # The Logstash hosts
  hosts: ["graX.logs.XXXX.com:5044"]

  # Set gzip compression level.
  compression_level: 3

  # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
  ssl.enabled: true



#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================




logging:
  level: info
  to_files: true
  files:
    path: /etc/filebeat/logging
    name: filebeat.log
    keepfiles: 7


File /etc/filebeat/log/test2.log


2023-07-04T15:20:45.123Z [DEBUG] - Processing request: GET /api/users/123
2023-07-04T15:20:45.456Z [INFO] - User 'john.doe' successfully authenticated.
2023-07-04T15:20:46.789Z [ERROR] - An error occurred while processing the request: 500 Internal Server Error
2023-07-04T15:20:47.987Z [WARNING] - Disk space usage exceeds 90%.

File modules.d/system.yml

# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.8/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Log after starting Filebeat

{"log.level":"info","@timestamp":"2023-07-04T16:33:23.476+0200","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:23.476+0200","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 31d34688-836e-43ca-96ed-ec56e5971a90","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.478+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"31d34688-836e-43ca-96ed-ec56e5971a90"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"7ba375a8778fe6c1a61376a6c015e8cea71caf21","libbeat":"8.8.1","time":"2023-06-05T20:27:02.000Z","version":"8.8.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.479+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.19.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.480+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-07-03T11:12:47+02:00","containerized":false,"name":"test-ovh-deb","ip":["127.0.0.1","::1","10.6.35.68","fe80::250:56ff:fea8:8416"],"kernel_version":"6.1.0-9-amd64","mac":["00:50:56:a8:84:16"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"12 (bookworm)","major":12,"minor":0,"patch":0,"codename":"bookworm"},"timezone":"CEST","timezone_offset_sec":7200,"id":"885580aaa71546aea516421625084140"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.480+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":2532,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-07-04T16:33:22.460+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.480+0200","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.8.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.484+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.484+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: test-ovh-deb","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.484+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.484+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":175},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.485+0200","log.origin":{"file.name":"instance/beat.go","file.line":516},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.485+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.485+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.488+0200","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.489+0200","log.origin":{"file.name":"beater/filebeat.go","file.line":307},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 14210727748829489439)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.489+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.1.enabled filebeat.inputs.1.format filebeat.inputs.1.protocol.tcp.host filebeat.inputs.1.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 3977198494186340515)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.2.enabled filebeat.inputs.2.paths.0 filebeat.inputs.2.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"cfgwarn","log.origin":{"file.name":"log/input.go","file.line":90},"message":"DEPRECATED: Log input. Use Filestream input instead.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/etc/filebeat/log/*.log]","service.name":"filebeat","input_id":"86c4c82f-241d-4e2f-8d0d-91bb4b6cd77a","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 5087069951478327760)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.490+0200","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.491+0200","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":148},"message":"Starting Syslog input","service.name":"filebeat","protocol":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.491+0200","log.origin":{"file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:26.491+0200","log.logger":"input.harvester","log.origin":{"file.name":"log/harvester.go","file.line":311},"message":"Harvester started for paths: [/etc/filebeat/log/*.log]","service.name":"filebeat","input_id":"86c4c82f-241d-4e2f-8d0d-91bb4b6cd77a","source_file":"/etc/filebeat/log/test2.log","state_id":"native::2360381-2049","finished":false,"os_id":"2360381-2049","harvester_id":"4e83b194-7416-4d35-a3f3-b6bb0d55c3e4","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:29.481+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:30.481+0200","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":137},"message":"Connecting to backoff(async(tcp://gra2.logs.ovh.com:5044))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:30.569+0200","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":145},"message":"Connection to backoff(async(tcp://gra2.logs.ovh.com:5044)) established","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:36.494+0200","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: system (syslog), system (auth)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:36.496+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/messages* /var/log/syslog*]","service.name":"filebeat","input_id":"556a595d-515e-4c12-aae3-c198a3aa67ef","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:36.497+0200","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":174},"message":"Configured paths: [/var/log/auth.log* /var/log/secure*]","service.name":"filebeat","input_id":"6f49a0ee-cf4e-4484-a19a-3af4db4158cb","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-07-04T16:33:56.490+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":40390656}}}},"cpu":{"system":{"ticks":30,"time":{"ms":30}},"total":{"ticks":150,"time":{"ms":150},"value":150},"user":{"ticks":120,"time":{"ms":120}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"39bbe4d5-b3bc-4931-8a57-eafa8a04774b","name":"filebeat","uptime":{"ms":33063},"version":"8.8.1"},"memstats":{"gc_next":21222296,"memory_alloc":10836544,"memory_sys":37336328,"memory_total":57509240,"rss":97402880},"runtime":{"goroutines":52}},"filebeat":{"events":{"active":0,"added":7,"done":7},"harvester":{"open_files":1,"running":1,"started":1}},"libbeat":{"config":{"module":{"running":1,"starts":1},"reloads":1,"scans":2},"output":{"events":{"acked":4,"active":0,"batches":1,"total":4},"read":{"bytes":6390},"type":"logstash","write":{"bytes":1299}},"pipeline":{"clients":5,"events":{"active":0,"filtered":3,"published":4,"retry":4,"total":7},"queue":{"acked":4,"max_events":4096}}},"registrar":{"states":{"cleanup":1,"current":1,"update":7},"writes":{"success":2,"total":2}},"system":{"cpu":{"cores":2},"load":{"1":0.04,"15":0.01,"5":0.03,"norm":{"1":0.02,"15":0.005,"5":0.015}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-07-04T16:34:26.491+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":49864704}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":160,"time":{"ms":10},"value":160},"user":{"ticks":130,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"39bbe4d5-b3bc-4931-8a57-eafa8a04774b","uptime":{"ms":63064},"version":"8.8.1"},"memstats":{"gc_next":21222296,"memory_alloc":11166152,"memory_total":57838848,"rss":106799104},"runtime":{"goroutines":52}},"filebeat":{"events":{"active":0},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1},"scans":3},"output":{"events":{"active":0}},"pipeline":{"clients":5,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":0.02,"15":0,"5":0.03,"norm":{"1":0.01,"15":0,"5":0.015}}}},"ecs.version":"1.6.0"}}

Sending logs to /etc/filebeat/log/test2.log works.
Sending system logs via the system.yml module does not work.
The same configuration under Ubuntu works.

Thank you again in advance for your future help.

The system syslog module looks at /var/log/messages* or /var/log/syslog* and the auth module looks at /var/log/secure or /var/log/auth.log*

Do you have any of those files on your Debian system? It looks like Debian 12 does not install rsyslog by default, so without rsyslog you will not have any of those files.
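The check this answer describes, as an added example that is not part of the original posts: it reads Filebeat's own "Configured paths" log lines and reports every input whose globs match no file on disk. The function names are hypothetical, and the sample lines are abridged from the startup log posted above.

```python
import glob
import json
import os
import re

PATHS_RE = re.compile(r"^Configured paths: \[(.*)\]$")

# Abridged from the Filebeat startup log posted in this thread.
SAMPLE_LOG = """\
{"log.level":"info","log.logger":"input","message":"Configured paths: [/etc/filebeat/log/*.log]","input_id":"86c4c82f-241d-4e2f-8d0d-91bb4b6cd77a"}
{"log.level":"info","log.logger":"modules","message":"Enabled modules/filesets: system (syslog), system (auth)"}
{"log.level":"info","log.logger":"input","message":"Configured paths: [/var/log/messages* /var/log/syslog*]","input_id":"556a595d-515e-4c12-aae3-c198a3aa67ef"}
{"log.level":"info","log.logger":"input","message":"Configured paths: [/var/log/auth.log* /var/log/secure*]","input_id":"6f49a0ee-cf4e-4484-a19a-3af4db4158cb"}
"""


def configured_paths(log_text):
    """Yield (input_id, [glob, ...]) for every 'Configured paths' log line."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log line (e.g. a wrapped or truncated line)
        m = PATHS_RE.match(rec.get("message", ""))
        if m:
            # Filebeat prints the globs space-separated inside the brackets,
            # so paths that contain spaces are not handled here.
            yield rec.get("input_id", "?"), m.group(1).split()


def inputs_without_files(log_text, root="/"):
    """Return the inputs whose globs all match nothing under root."""
    empty = []
    for input_id, globs in configured_paths(log_text):
        matched = []
        for pattern in globs:
            matched += glob.glob(os.path.join(root, pattern.lstrip("/")))
        if not matched:
            empty.append((input_id, globs))
    return empty


if __name__ == "__main__":
    for input_id, globs in inputs_without_files(SAMPLE_LOG):
        print(f"input {input_id}: no file matches {' '.join(globs)}")
```

The `root` parameter exists only so the check can be pointed at a mounted image or a test directory; on the host itself the default `/` is what you want.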

Thank you.
The command apt-get install rsyslog allows the system.yml module to run.

Now that I'm sure the modules are working I have to activate the fortinet.yml module in order to retrieve the logs on port 9005 and send them to the logstash.

Listening on port 9005 works

deb:/etc/filebeat# lsof -i :9005
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1305 root   17u  IPv6  17789      0t0  UDP *:9005

When I listen on Debian for what my FortiGate sends to the port (tcpdump -n -e -i enp11s0 host 10.1.1.78), I see traffic.

09:19:32.730480 00:09:0f:09:00:06 > 00:50:56:a8:84:16, ethertype IPv4 (0x0800), length 74: 10.1.1.78.7106 > 10.1.1.68.9005: Flags [S], seq 223742045, win 65535, options [mss 1460,sackOK,TS val 180038104 ecr 0,nop,wscale 11], length 0
09:19:32.730497 00:50:56:a8:84:16 > 00:09:0f:09:00:06, ethertype IPv4 (0x0800), length 54: 10.1.1.68.9005 > 10.1.1.78.7106: Flags [R.], seq 0, ack 223742046, win 0, length 0

Unfortunately I don't understand why the stream is not sent to the logstash.

Thank you again for your help.

After having also modified the file format, it works.

config log syslogd setting
    set status enable
    set server "IPduServeurQuiVaReceptionnerLesLog"
    set mode udp
    set port 9005
    set source-ip ''
    set format default
end

Thank you very much leandrojmp.

For Ubuntu 22 it works with Filebeat 8.2.2!
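The lsof and tcpdump output quoted earlier in the thread already show the transport mismatch: the capture has a TCP SYN to port 9005 answered by a reset, while Filebeat holds only a UDP socket there, which is consistent with `set mode udp` appearing in the FortiGate configuration that worked. The following added example (not part of the original posts; function names are hypothetical) automates that comparison over the two outputs as posted.

```python
import re

# Output quoted from the posts above (lsof -i :9005 and tcpdump -n -e).
LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1305 root   17u  IPv6  17789      0t0  UDP *:9005
"""
TCPDUMP = """\
09:19:32.730480 00:09:0f:09:00:06 > 00:50:56:a8:84:16, ethertype IPv4 (0x0800), length 74: 10.1.1.78.7106 > 10.1.1.68.9005: Flags [S], seq 223742045, win 65535, options [mss 1460,sackOK,TS val 180038104 ecr 0,nop,wscale 11], length 0
09:19:32.730497 00:50:56:a8:84:16 > 00:09:0f:09:00:06, ethertype IPv4 (0x0800), length 54: 10.1.1.68.9005 > 10.1.1.78.7106: Flags [R.], seq 0, ack 223742046, win 0, length 0
"""

LSOF_RE = re.compile(r"\s(TCP|UDP)\s+(\S+):(\d+)(?:\s+\((\w+)\))?\s*$")
PKT_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def listeners(lsof_text):
    """Return {(proto, port)} for sockets waiting for inbound traffic."""
    found = set()
    for line in lsof_text.splitlines():
        m = LSOF_RE.search(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, state = m.groups()
        if "->" in addr:
            continue  # connected socket, not a listener
        if proto == "TCP" and state != "LISTEN":
            continue
        found.add((proto.lower(), int(port)))
    return found


def refused_tcp(tcpdump_text):
    """Return [(client_ip, server_port)] for each SYN answered by a reset."""
    pending = set()  # (client_ip, client_port, server_ip, server_port)
    refused = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        f = FLAGS_RE.match(rest)
        if not f:
            continue  # UDP, ICMP, ...: no TCP flags to inspect
        flags = f.group(1)
        if flags == "S":
            pending.add((src, sport, dst, dport))
        elif "R" in flags and (dst, dport, src, sport) in pending:
            pending.discard((dst, dport, src, sport))
            refused.append((dst, int(sport)))
    return refused


def diagnose(lsof_text, tcpdump_text):
    """Flag senders using TCP against a port that only has a UDP listener."""
    bound = listeners(lsof_text)
    findings = []
    for client, port in refused_tcp(tcpdump_text):
        if ("udp", port) in bound and ("tcp", port) not in bound:
            findings.append(
                f"{client} sends TCP to port {port}, but only a UDP listener "
                "is bound there: align the sender's transport with the input"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(LSOF, TCPDUMP):
        print(finding)
```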
