Filebeat with syslog - error index

Hello Team,

I was using Logstash in my lab to input data from syslog UDP 5140.

Now I tried Filebeat, but the data doesn't get indexed.

I followed this example:

My filebeat.yml:

```yaml
filebeat.inputs:
- type: syslog
  enabled: true
  max_message_size: 100KiB
  keep_null: true
  timeout: 10
  protocol.udp:
    host: "localhost:5140"

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

setup.kibana:
  host: "192.168.0.1:5601"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.0.1:9200"]
```

- I activated the suricata module.
- filebeat setup
- enabled the service.

The UDP port is listening:

```
[root@lab.lab.com joao.paulo]# netstat -a | grep -i 5140
udp 0 0 localhost:5140 0.0.0.0:*
```

But in Index Management the logs just don't appear.

Can you please help me?

Could you please format your configuration using </>? Also, please share the debug logs of Filebeat.

Hello,

Ok,

I tried using Logstash to receive the data (SYSLOG), then wrote its output to a file under /var/log.
Now I use Filebeat to read the file and output to Elasticsearch... it works.

But the Suricata module doesn't work.

FILE: /etc/filebeat/modules.d/suricata.yml

```yaml
- module: suricata
  eve:
    enabled: true
```

filebeat.yml:

```yaml
filebeat.inputs:
- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
  - /var/log/suricata/suricata.json
  json.keys_under_root: true
  json.overwrite_keys: true
  fields:
    application: suricata

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


setup.kibana:
  host: "192.168.0.1:5601"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
```

This is the log I received in my ELK, in JSON format, but the Kibana [Filebeat] Suricata dashboard doesn't work. It shows me the message (No results found).

```
{
  "_index": "filebeat-7.9.1-2020.09.21-000001",
  "_type": "_doc",
  "_id": "-",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-09-22T15:15:15.698Z",
    "src_ip": "192.168.10.5",
    "ecs": {
      "version": "1.5.0"
    },
    "log": {
      "offset": -
      "file": {
        "path": "/var/log/suricata/suricata.json"
      }
    },
    "dest_ip": "192.168.10.6",
    "flow_id": 20000000000,
    "in_iface": "ix1",
    "alert": {
      "category": "Attempted User Privilege Gain",
      "severity": 1,
      "metadata": {
        "updated_at": [
          "2013_01_04"
        ],
        "created_at": [
          "2013_01_04"
        ]
      },
      "action": "allowed",
      "gid": 1,
      "signature_id": 2016150,
      "rev": 2,
      "signature": "ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"
    },
    "event_type": "alert",
    "input": {
      "type": "log"
    },
    "fields": {
      "application": "suricata"
    },
    "src_port": 3478,
    "flow": {
      "bytes_toserver": 12785,
      "bytes_toclient": 0,
      "start": "2020-09-22T12:09:38.250541-0300",
      "pkts_toserver": 91,
      "pkts_toclient": 0
    },
    "timestamp": "2020-09-22T12:14:39.520925-0300",
    "host": {
      "name": "192.168.0.1"
    },
    "agent": {
      "version": "7.9.1",
      "hostname": "192.168.0.1",
      "ephemeral_id": "-",
      "id": "-",
      "name": "192.168.0.1",
      "type": "filebeat"
    },
    "proto": "UDP",
    "app_proto": "failed",
    "dest_port": 50020
  },
  "fields": {
    "@timestamp": [
      "2020-09-22T15:15:15.698Z"
    ],
    "suricata.eve.timestamp": [
      "2020-09-22T15:15:15.698Z"
    ]
  },
  "sort": [
    1400556600000
  ]
}
```

Have you loaded the pipeline of the suricata module?
What do you mean by the event not getting indexed? I cannot see any errors in your logs. Can you see the event on the discover page of Kibana?
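The document shared above has the raw EVE field names (`src_ip`, `event_type`, `alert`) at the top level, `input.type: log`, the custom `fields.application: suricata`, and no `event.module`, which is the shape a plain `log` input with `json.keys_under_root` produces rather than the shape the module's ingest pipeline produces. The following Python checker, added here as an illustration and not code from the thread or from Elastic, classifies a Filebeat-indexed document by that fingerprint and lists the module fields the bundled Suricata dashboards rely on but that are absent. The module-parsed sample document and the `DASHBOARD_FIELDS` list are assumptions drawn from the Filebeat Suricata module's ECS layout (`event.module`, `event.dataset`, `suricata.eve.*`, `source.*`, `destination.*`); the exact saved-object queries are not on the page.

```python
"""Tell a raw-JSON Suricata document from a module-parsed one.

Works on documents as returned by Elasticsearch (with an `_source` wrapper)
or on the bare source object.
"""
import json

# Constructed sample, trimmed from the document posted in the thread: the
# generic `log` input with json.keys_under_root leaves the EVE fields at the
# top level and adds no event.module / suricata.eve.* fields.
RAW_DOC = json.loads("""
{
  "_index": "filebeat-7.9.1-2020.09.21-000001",
  "_source": {
    "@timestamp": "2020-09-22T15:15:15.698Z",
    "src_ip": "192.168.10.5",
    "dest_ip": "192.168.10.6",
    "event_type": "alert",
    "alert": {"signature_id": 2016150, "severity": 1},
    "input": {"type": "log"},
    "fields": {"application": "suricata"},
    "proto": "UDP"
  }
}
""")

# Constructed sample of the same event as the suricata module's ingest
# pipeline would lay it out. ASSUMPTION: field layout taken from the module's
# ECS mapping, not copied from the thread.
MODULE_DOC = {
    "_index": "filebeat-7.9.1-2020.09.21-000001",
    "_source": {
        "@timestamp": "2020-09-22T15:14:39.520Z",
        "event": {"module": "suricata", "dataset": "suricata.eve", "kind": "alert"},
        "fileset": {"name": "eve"},
        "suricata": {"eve": {"event_type": "alert",
                             "alert": {"signature_id": 2016150, "severity": 1}}},
        "source": {"ip": "192.168.10.5", "port": 3478},
        "destination": {"ip": "192.168.10.6", "port": 50020},
        "network": {"transport": "udp"},
        "input": {"type": "log"},
    },
}

# Fields the [Filebeat Suricata] dashboards filter and visualise on.
# ASSUMPTION: derived from the module's ECS layout; adjust to your version.
DASHBOARD_FIELDS = (
    "event.module",
    "event.dataset",
    "suricata.eve.event_type",
    "source.ip",
    "destination.ip",
)


def get_path(src, dotted):
    """Walk a dotted field name through nested dicts; None when absent."""
    cur = src
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def ingestion_path(doc):
    """Classify how the document reached the index: module, raw-json or unknown."""
    src = doc.get("_source", doc)
    if get_path(src, "event.module") == "suricata" and get_path(src, "suricata.eve") is not None:
        return "module"
    # Raw EVE JSON decoded by the log input keeps Suricata's own field names.
    if "event_type" in src and get_path(src, "input.type") == "log":
        return "raw-json"
    return "unknown"


def missing_dashboard_fields(doc):
    """Return the dashboard fields this document does not carry."""
    src = doc.get("_source", doc)
    return [f for f in DASHBOARD_FIELDS if get_path(src, f) is None]


def diagnose(doc):
    """One-line verdict a responder can paste back into the thread."""
    path = ingestion_path(doc)
    missing = missing_dashboard_fields(doc)
    if path == "module" and not missing:
        return "ok: module pipeline applied; dashboards can find this event"
    if path == "raw-json":
        return ("raw EVE JSON from a plain log input (no module pipeline); "
                "dashboards query " + ", ".join(missing) + ", which are absent")
    return "unknown layout; missing " + ", ".join(missing)


if __name__ == "__main__":
    for name, doc in (("posted document", RAW_DOC), ("module-parsed document", MODULE_DOC)):
        print(f"{name}: {diagnose(doc)}")
```

Run against a document copied from Discover (or `GET filebeat-*/_search?size=1`) to see which ingestion path produced it. If the verdict is `raw-json`, the event never went through the module: the custom `log` input on `/var/log/suricata/suricata.json` is indexing the file directly, so the fix is to let only the module read that file (set `var.paths` in `suricata.yml` and drop the duplicate input) and load its pipeline with `filebeat setup --pipelines --modules suricata`.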
