Filebeat w/ Iptables Module to Logstash to Elastic: Expected Fields Not Populated

Hello: I'm pretty new at the ecosystem. I've learned a lot in the past few weeks however I think I've hit a roadblock where I can't seem to figure out why log lines are not being broken out into the expected fields and then having them populated. I have a few log types going in however I'd like to focus on iptables logs at this point.

For each of the ELK components I am running the official docker images of version 7.16.3. These are running in Docker version 20.10.11, build dea9396e184290f638ea873c76db7c80efd5a1d2.

I may be confused about something: My impression is that logstash is for taking the logs in from wherever, and it is then logstash that sends them to Elasticsearch. When reading the documents about filebeat and the iptables module, it talked about sending these logs directly to Elasticsearch, but also noted one could send them to logstash. I decided to send them to logstash. Have I made a mistake?

The source of the logs in this case is using filebeat to pull in a few log files, and then I have configured my iptables rules to use the prefix "IPTABLES: " for logged traffic. I then use rsyslog to look for that text string and break iptables logs out into /var/log/iptables.log. I then enable the iptables filebeat module and configure it to look at /var/log/iptables.log.

This works fine, and the logs make it into Elasticsearch, and I can see them in kibana. However I notice the various fields that the filebeat iptables module is supposed to create and populate are not there. Instead each of the full log lines is placed into the "message" field. In any case I have been reading the documents for a long time and searching around for a solution (the latter not working too well as I am not entirely sure what to search on) and figured it was time for help.

These are the configuration files involved. I am not sure how to create a "gist" yet, and I am concerned about pastebins expiring the text, so hopefully I won't cause too much annoyance by just putting it here. If I missed something please let me know!

FILE - LOGSTASH - logstash.yml:

http.host: "0.0.0.0"
# xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9200" ]
xpack.monitoring.elasticsearch.hosts: [ "http://172.17.0.2:9200" ]

FILE - LOGSTASH - logstash.conf:

input {
  beats {
    port => 5044
  }
}

# https://www.elastic.co/guide/en/logstash/current/plugins-inputs-syslog.html

input {
  syslog {
    port => 1514
    type => "syslog"
  }
}

input {
  tcp {
    port => 7000
    dns_reverse_lookup_enabled => "false"
    mode => "server"
    codec => "line"
    # Avoids host* field collisions which results in logs blocked from entering elasticsearch
    # https://discuss.elastic.co/t/problem-with-transfer-filebeat-6-1-3-logstash-6-1-3-elasticsearch-6-1-3/136264/3?u=badger
    # https://www.elastic.co/guide/en/logstash/current/plugins-inputs-tcp.html#plugins-inputs-tcp-ecs_compatibility
    # https://www.elastic.co/guide/en/ecs/current/ecs-host.html
    ecs_compatibility => "v8"
  }
}


# Last output block to elasticsearch, replaced by the one below in an attempt to get expected iptables filebeat module fields populated
# https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html
#output {
#    elasticsearch {
##        hosts => "172.17.0.2:9200"
#        hosts => "172.17.0.2"
#        data_stream => "true"
##        codec => "cef"
#        codec => "json_lines"
#    }
#}

# attempt to get expected iptables filebeat module fields populated
# https://www.elastic.co/guide/en/logstash/7.0/use-ingest-pipelines.html

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://172.17.0.2:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => "http://172.17.0.2:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}

FILE - LOGSTASH - pipelines.yml:

- pipeline.id: main
  path.config: "/usr/share/logstash/pipeline"

Can you show your filebeat config as well as a sample of the original log messages and then what's in Elasticsearch?

Hi! Thanks so much for responding. I feel silly for forgetting the filebeat configs. Is how I posted the configs up there okay, or is there a less annoying way (for helpers)?

FILE - FILEBEAT - filebeat.yml (all comments stripped):

filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /var/log/*.log
    - /var/log/dmesg
    - /var/log/messages
    - /var/log/syslog
  prospector.scanner.exclude_files: ['.gz$']

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

output.logstash:
  hosts: ["127.0.0.1:5044"]

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

FILE - FILEBEAT - iptables.yml:

# Module: iptables
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-iptables.html

- module: iptables
  log:
    enabled: true

    # Set which input to use between syslog (default) or file.
    var.input: "file"

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/iptables.log"]

SAMPLE - iptables.log:

Jan 30 19:09:55 systemname kernel: [1915804.955991] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=58.59.5.186 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=28402 DF PROTO=TCP SPT=55075 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:55 systemname kernel: [1915804.997855] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=79.143.32.5 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=3687 DF PROTO=TCP SPT=3546 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:55 systemname kernel: [1915805.113252] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=79.143.32.5 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=3705 DF PROTO=TCP SPT=3550 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:55 systemname kernel: [1915805.168639] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=190.204.147.194 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=26552 DF PROTO=TCP SPT=54558 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:55 systemname kernel: [1915805.426252] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=190.204.147.194 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=26565 DF PROTO=TCP SPT=30005 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:55 systemname kernel: [1915805.524988] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=190.204.147.194 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=26572 DF PROTO=TCP SPT=42305 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:56 systemname kernel: [1915806.383341] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=134.175.154.92 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=25222 DF PROTO=TCP SPT=53020 DPT=12345 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 30 19:09:57 systemname kernel: [1915807.320700] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=102.68.85.153 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=62519 DF PROTO=TCP SPT=33540 DPT=12345 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 30 19:09:57 systemname kernel: [1915807.715054] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=200.90.8.90 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=27140 DF PROTO=TCP SPT=33698 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0 
Jan 30 19:09:58 systemname kernel: [1915808.360297] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=79.143.32.5 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=4052 DF PROTO=TCP SPT=3675 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:58 systemname kernel: [1915808.415577] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=58.59.5.186 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=28555 DF PROTO=TCP SPT=55449 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:59 systemname kernel: [1915808.736124] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=190.204.147.194 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=26872 DF PROTO=TCP SPT=47336 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:59 systemname kernel: [1915808.918336] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=111.93.200.50 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=60228 DF PROTO=TCP SPT=41044 DPT=12345 WINDOW=14600 RES=0x00 SYN URGP=0 
Jan 30 19:09:59 systemname kernel: [1915808.934262] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=58.59.5.186 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=28572 DF PROTO=TCP SPT=55509 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:59 systemname kernel: [1915809.171521] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=58.59.5.186 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=28580 DF PROTO=TCP SPT=55532 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:09:59 systemname kernel: [1915809.527736] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=79.116.12.206 DST=11.22.33.44 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=64321 PROTO=TCP SPT=52565 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0

SAMPLE - WHAT IS IN ELASTIC (not the exact same log lines). message FIELD ONLY:

NOTE: The fields expected when using the iptables filebeat module are not seen (https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iptables.html):


Jan 30 19:13:47 systemname kernel: [1916036.791924] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=190.104.254.198 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=36937 DF PROTO=TCP SPT=48948 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0 
Jan 30 19:13:48 systemname kernel: [1916037.962265] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=207.244.243.14 DST=11.22.33.44 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=58529 PROTO=TCP SPT=46072 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0 
Jan 30 19:13:48 systemname kernel: [1916037.999162] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=103.227.142.226 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=3673 DF PROTO=TCP SPT=52048 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:13:48 systemname kernel: [1916038.407707] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=104.156.155.12 DST=11.22.33.44 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=6885 PROTO=TCP SPT=43088 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0 
Jan 30 19:13:48 systemname kernel: [1916038.592461] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=103.227.142.226 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=3768 DF PROTO=TCP SPT=52192 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:13:49 systemname kernel: [1916038.856623] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=103.227.142.226 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=3812 DF PROTO=TCP SPT=52236 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:13:51 systemname kernel: [1916041.240565] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=185.156.73.63 DST=11.22.33.44 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=39868 PROTO=TCP SPT=47676 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0 
Jan 30 19:13:52 systemname kernel: [1916042.309497] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=157.245.107.84 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=64945 DF PROTO=TCP SPT=47172 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0 
Jan 30 19:13:52 systemname kernel: [1916042.383657] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=103.227.142.226 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=4371 DF PROTO=TCP SPT=53064 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:13:52 systemname kernel: [1916042.599598] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=111.93.200.50 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=34439 DF PROTO=TCP SPT=38444 DPT=12345 WINDOW=14600 RES=0x00 SYN URGP=0 
Jan 30 19:13:54 systemname kernel: [1916043.866547] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=185.128.41.50 DST=11.22.33.44 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=46057 PROTO=TCP SPT=42514 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0 
Jan 30 19:13:54 systemname kernel: [1916043.918476] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=103.227.142.226 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=4613 DF PROTO=TCP SPT=53364 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:13:54 systemname kernel: [1916044.189301] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=103.227.142.226 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=4673 DF PROTO=TCP SPT=53465 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:13:55 systemname kernel: [1916045.055250] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=138.197.195.123 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=18199 DF PROTO=TCP SPT=59402 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0 
Jan 30 19:13:56 systemname kernel: [1916046.293062] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=159.65.103.250 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=16575 DF PROTO=TCP SPT=55166 DPT=12345 WINDOW=29200 RES=0x00 SYN URGP=0 
Jan 30 19:13:58 systemname kernel: [1916047.723129] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=103.227.142.226 DST=11.22.33.44 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=5263 DF PROTO=TCP SPT=54282 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0 
Jan 30 19:13:58 systemname kernel: [1916048.078677] IPTABLES: IN=eno1 OUT= MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=200.90.8.90 DST=11.22.33.44 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=34153 DF PROTO=TCP SPT=56744 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0

I had the same issue and looking at the parser for the ipsentry module, it doesn't appear it handles any sort of logging prefix (--log-prefix for iptables). I ended up just modifying the parsers from /usr/share/filebeat/module/iptables/log/ingest/pipeline.yml and using them in a logstash filter.
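A parser for prefixed lines like the samples above, doing what the reply describes: skip past the --log-prefix and break the key=value pairs into the module's fields. This is an added example, not code from the thread or from the Filebeat module; the target field names are assumed from the exported-fields page linked earlier, and the sample line is constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample line in the shape of the thread's /var/log/iptables.log.
SAMPLE = ('Jan 30 19:09:55 systemname kernel: [1915804.955991] IPTABLES: IN=eno1 OUT= '
          'MAC=01:02:03:04:05:06:07:08:09:10:11:12:13:14 SRC=58.59.5.186 DST=11.22.33.44 '
          'LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=28402 DF PROTO=TCP SPT=55075 DPT=12345 '
          'WINDOW=8192 RES=0x00 SYN URGP=0')

# rsyslog header, optional kernel uptime stamp, then what the netfilter LOG target wrote.
HEADER = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) kernel: '
                    r'(?:\[\s*\d+\.\d+\] )?(?P<rest>.*)$')
FLAG_FIELD = {**{f: 'iptables.tcp.flags' for f in ('SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG')},
              **{f: 'iptables.fragment_flags' for f in ('DF', 'MF', 'CE')}}
# Assumed target field names, taken from the exported-fields page linked in the thread.
KEY_MAP = {'IN': 'iptables.input_device', 'OUT': 'iptables.output_device',
           'SRC': 'source.ip', 'DST': 'destination.ip', 'SPT': 'source.port',
           'DPT': 'destination.port', 'PROTO': 'network.transport', 'LEN': 'iptables.length',
           'TOS': 'iptables.tos', 'PREC': 'iptables.precedence_bits', 'TTL': 'iptables.ttl',
           'ID': 'iptables.id', 'WINDOW': 'iptables.tcp.window',
           'RES': 'iptables.tcp.reserved_bits', 'URGP': 'iptables.tcp.urgent_pointer'}
CONVERT = {**{k: int for k in ('LEN', 'TTL', 'ID', 'WINDOW', 'SPT', 'DPT', 'URGP')},
           **{k: lambda s: int(s, 16) for k in ('TOS', 'PREC', 'RES')}, 'PROTO': str.lower,
           'SRC': lambda s: str(ip_address(s)), 'DST': lambda s: str(ip_address(s))}

def parse_iptables_line(line):
    m = HEADER.match(line.strip())
    if not m:
        return None
    # The module's parser expects the message to begin at IN=; the "IPTABLES: " prefix ahead of it is what leaves the line in "message".
    idx = m.group('rest').find('IN=')
    if idx < 0:
        return None
    doc = {'host.hostname': m.group('host'), 'event.original': line.strip(),
           'iptables.tcp.flags': [], 'iptables.fragment_flags': []}
    for tok in m.group('rest')[idx:].split():
        if '=' not in tok:  # bare tokens are flags: DF/MF/CE for IP, SYN/ACK/... for TCP
            if tok in FLAG_FIELD:
                doc[FLAG_FIELD[tok]].append(tok)
            continue
        k, v = tok.split('=', 1)
        if v == '':  # e.g. OUT= on an inbound packet: leave the field absent
            continue
        if k == 'MAC' and len(v) == 41:
            # netfilter prints dst MAC (6), src MAC (6), ethertype (2) as 14 colon-separated bytes
            doc['destination.mac'], doc['source.mac'] = v[:17], v[18:35]
            doc['iptables.ether_type'] = int(v[36:].replace(':', ''), 16)
        elif k in KEY_MAP:
            doc[KEY_MAP[k]] = CONVERT.get(k, str)(v)
    return doc
```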

I have the same issue.

Problem:

My Filebeat iptables module is enabled, but the logs don't have iptable fields in Kibana.

Details

log.file.path: /var/log/messages
event.dataset: system.syslog
service.type: system
agent.version: 7.16.1
input.type: log
process.name: kernel

I see the logs in Kibana. They get sent via Logstash.

This is the modules.d:

[root@gitlab01.vag:/etc/filebeat]# cat modules.d/iptables.yml 
# Filebeat module iptables - Managed by Puppet
---
- module: iptables
  log:
    enabled: true
    var.paths:
    - "/var/log/messages"

Why are my iptable logs not being parsed into iptable fields?

Update: It is now working fine, after I moved iptables logs to their own /var/log/iptables

New question: are these logs automatically rotated, or do I have to set up a logrotate for it?
