Getting a filebeat error when trying to send filebeat logs to elasticsearch

Please advise

Hi @mandude77 Welcome to the community.

First please do not post screenshots of text, they are very hard to read, can not be seen by some users and can not be searched / debugged.

Ok that said

You will need to provide more.

  1. Please post your filebeat.yml

  2. Please look at the filebeat logs and look for errors, as the docs state you should be able to use

journalctl -u filebeat.service

So our setup is pfSense snort/suricata + Ubuntu nginx webserver with Elastic Stack.
I used these guides to help me set up Elastic Stack on Ubuntu and enable remote logging on pfSense:

https://github.com/pfelk/pfelk/blob/main/install/ubuntu.md
https://github.com/pfelk/pfelk/blob/main/install/configuration.md
https://www.fosstechnix.com/install-elastic-stack-on-ubuntu-20-04-lts/

The problem I'm having now is trying to send remote logs from pfSense to Elastic Stack. I was able to get filebeat working and show syslogs in Elastic Stack, but I can't get filebeat to work with logstash.
I don't know how to go about setting up logstash to receive logs from pfSense.

In this guide
https://github.com/pfelk/pfelk/blob/main/install/configuration.md
it says to add the IP address of the ELK host followed by port 5140 for remote system logs on pfSense, but I don't know what port 5140 is for and I think that's where the problem is.

So a couple things...

If you are having trouble with pfSense.. you should put that in the title, there are folks that have security expertise ... your title is just way generic...

I can't really help you with pfSense but others may.

Beats->Logstash->Elasticsearch I can :slight_smile:

Please look at this link

It talks about the architecture and provides a sample logstash.conf that acts as a pass through and you can work from there.

And of course if you want help... posting your configs (filebeat, logstash etc) will help, otherwise we are just guessing. The more you give us, good titles, sample configs etc. the more we can help.

I will say when you use guides from other sources.. it is harder... we help with the Elastic Stack; perhaps you could also get specific help on that integration from that community.

Please advise

Unclear what that means.

  1. I advised you to Edit / Update your Thread Title to Something Like

"Having Trouble Ingesting PFSense Logs with PFElk"

  2. I pointed you to a thread that gives a concrete example on how to ship logs from Filebeat through Logstash to Elasticsearch

  3. With respect to the entire pfsense snort/suricata integration I am not an expert, we do have other folks that are much more educated on that than I .. thus back to a better thread Title may help draw the correct people.

BTW the 5140 port is the port logstash is listening on per the PFElk code. It's the port you will direct the sources to so logstash can listen to them, is what it appears to me.

This is a logstash conf file ... One of many...

Also it does not appear that that package uses filebeat at all. Just logstash, Elasticsearch and Kibana.
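An added example (not code from this thread or from the pfelk project) of the kind of pass-through logstash.conf the replies above refer to: a beats input for Filebeat on Logstash's default port 5044, a syslog input on port 5140 (the port the reply above identifies as the one pfSense's remote logging is pointed at), and an Elasticsearch output. The Elasticsearch host and the index names are assumptions.

```text
# Added example, not the thread's or pfelk's own configuration.
# Assumed: Logstash 7.x, Elasticsearch reachable at http://localhost:9200.
input {
  # Filebeat's output.logstash section points at this host on 5044.
  beats {
    port => 5044
  }
  # pfSense -> Status -> System Logs -> Settings -> Remote log servers
  # is set to <logstash-host>:5140. The syslog input listens on TCP and UDP
  # and parses RFC3164 lines into timestamp/host/program/message fields.
  syslog {
    port => 5140
    type => "pfsense"
  }
}

# No filter block: this is a pass-through. Add grok/dissect for the
# suricata/snort alert format here once events are arriving.

output {
  if [type] == "pfsense" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "pfsense-%{+YYYY.MM.dd}"
    }
  } else {
    # Beats events carry their own name/version in @metadata.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
```

Check that the listener is actually up with `ss -lnup | grep 5140` on the Logstash host, and that the firewall rule on that host allows UDP 5140 only from the pfSense address.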
