Getting syslog messages into Elastic

Hi, I hope someone can point me in a direction. I have been slogging away for weeks now, trying every tutorial I can find.
I want to get syslog messages from my ASA firewalls into Elastic. I have redone the setup using various posts, but nothing works; my "ELK stack" works and I can see system messages, but nothing from the ASA.
Thinking it's a problem with the ASA sending, I abandoned the attempt, wiped the install and started again, this time trying to get syslog from pfSense.
Nothing... it's mega frustrating, and it does not help that each tutorial seems to have different files and folders, so you never really know which is actually correct.

What I have now tried is to telnet from the Ubuntu ELK machine to the syslog receiver port, so telnet localhost 5140, and I get this:

admin_it@elk-local:/etc/logstash/conf.d$ telnet localhost 5140
telnet: Unable to connect to remote host: Connection refused

The firewall is off:
admin_it@elk-local:/etc/logstash/conf.d$ sudo ufw status
Status: inactive

Logic tells me this is where I need to start looking, but I don't know what else to check.


Another day of doing fruitless re-installs using whatever posts I can find. I have to say there are so many posts with how-tos, but they differ in so many ways; sadly none work off the bat. No matter what I try, though, I just cannot get my ELK installation to see the syslogs being sent on UDP port 5140. Netstat says the ports are not listening, but other than no firewall running and the input specified in the Logstash input file I am at a loss. For all the time this has cost me following the various experts out there I could have bought a license for Windows Server and something like ManageEngine, but that would be admitting defeat...

Anyone have any pointers?

For anyone else battling with something like this: Logstash starts but shuts down because of a config error. Somewhere in one of the pipelines there is a missing character.
The problem with all this config is that there are multiple people posting how-tos, and all seem to be copying the config with the errors. You need to keep looking at the Logstash log file and fix one thing at a time; it's painstaking... once the error log is clear, Logstash will start and the listening port will be opened.
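As an added example (not code from the thread, from Elastic or from Logstash), here is a Python triage script for exactly this symptom. It pulls the line and column out of the ConfigurationError that Logstash writes to logstash-plain.log just before it shuts down, runs a cheap brace and quote balance check over a pipeline file (a constructed one with the tcp {} block left unclosed, beside its fixed copy), and then checks the ports in a way that telnet cannot: telnet only speaks TCP, so "Connection refused" on 5140 is what you get even when a udp {} input is up and healthy. The script instead tries to bind UDP 5140 itself, which only succeeds when nothing else (such as Logstash) already holds it. The log excerpt, the pipeline file, the byte offset in the error and the file name mentioned in comments are all constructed for the example.

```python
#!/usr/bin/env python3
"""Triage for "Logstash syslog input port is not listening" (added example, not from the thread)."""
import re
import socket

# Constructed excerpt in the format of /var/log/logstash/logstash-plain.log; the
# pipeline file and byte offset it refers to are hypothetical.
SAMPLE_LOG = r"""[2020-01-01T10:00:01,000][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.5.0"}
[2020-01-01T10:00:05,000][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, }, => at line 12, column 6 (byte 120) after input {\n  udp {\n    port => 5140\n    type => \"syslog\"\n  }\n  tcp {\n", :backtrace=>[...]}
[2020-01-01T10:00:06,000][INFO ][logstash.runner          ] Logstash shut down.
"""

# Constructed pipeline (hypothetical /etc/logstash/conf.d/10-syslog.conf) with the
# classic one-missing-character mistake: the tcp {} block is never closed.
BROKEN_CONF = """\
input {
  udp {
    port => 5140
    type => "syslog"
  }
  tcp {
    port => 5140
    type => "syslog"
  # <- the closing } for tcp {} is missing
}
filter {
  if [type] == "syslog" {
    grok { match => { "message" => "%{SYSLOGLINE}" } }
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
}
"""
FIXED_CONF = BROKEN_CONF.replace("  # <- the closing } for tcp {} is missing\n", "  }\n")

# [timestamp][LEVEL][logger] message, as logstash-plain.log writes it
LOG_LINE_RE = re.compile(r"\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+?)\s*\]\s*(?P<msg>.*)")
# The grammar error Logstash raises for a malformed pipeline file
CONFIG_ERR_RE = re.compile(r"Expected one of .*? at line (?P<line>\d+), column (?P<col>\d+) \(byte (?P<byte>\d+)\)")


def find_config_errors(log_text):
    """Return (line, column, byte, logger) for every ConfigurationError in the log."""
    found = []
    for raw in log_text.splitlines():
        m = LOG_LINE_RE.match(raw)
        if not m or m.group("level") != "ERROR":
            continue
        ce = CONFIG_ERR_RE.search(m.group("msg"))
        if ce:
            found.append((int(ce["line"]), int(ce["col"]), int(ce["byte"]), m.group("logger").strip()))
    return found


def check_pipeline_syntax(conf_text):
    """Pre-flight for a pipeline file: report unbalanced { } [ ] and unterminated quotes,
    ignoring # comments and the insides of quoted strings. Returns [(line, message)].
    This is a heuristic, not a parser; `logstash -t` is the authoritative check."""
    pairs = {"}": "{", "]": "["}
    stack, problems = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        quote, i = None, 0
        while i < len(line):
            ch = line[i]
            if quote:                       # inside a string: only look for its end
                if ch == "\\":
                    i += 1                  # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch == "#":                 # rest of the line is a comment
                break
            elif ch in "\"'":
                quote = ch
            elif ch in "{[":
                stack.append((ch, lineno))
            elif ch in "}]":
                if not stack or stack[-1][0] != pairs[ch]:
                    problems.append((lineno, f"unexpected '{ch}'"))
                else:
                    stack.pop()
            i += 1
        if quote:
            problems.append((lineno, f"unterminated {quote} string"))
    for ch, lineno in stack:
        problems.append((lineno, f"'{ch}' opened here is never closed"))
    return problems


def tcp_listening(port, host="127.0.0.1", timeout=1.0):
    """True if something accepts TCP connections on host:port (what telnet tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                         # refused, unreachable or timed out
        return False


def udp_port_in_use(port, host="127.0.0.1"):
    """True if a UDP socket is already bound to host:port. UDP has no handshake, so
    we try to bind ourselves and succeed only when nobody holds the port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return False
    except OSError:                         # EADDRINUSE: a listener (e.g. Logstash) is there
        return True
    finally:
        s.close()


def demo_port_checks():
    """Exercise both checks against sockets we open ourselves, so the demo does not
    depend on whether Logstash happens to be running."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    tcp_port = srv.getsockname()[1]
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp_port = udp.getsockname()[1]
    result = {"tcp_up": tcp_listening(tcp_port), "udp_up": udp_port_in_use(udp_port)}
    srv.close()
    udp.close()
    result["tcp_after_close"] = tcp_listening(tcp_port)
    result["udp_after_close"] = udp_port_in_use(udp_port)
    return result


if __name__ == "__main__":
    for line, col, byte, logger in find_config_errors(SAMPLE_LOG):
        print(f"{logger}: pipeline rejected at line {line}, column {col} (byte {byte})")
    for line, msg in check_pipeline_syntax(BROKEN_CONF):
        print(f"broken conf, line {line}: {msg}")
    print("fixed conf problems:", check_pipeline_syntax(FIXED_CONF))
    print("tcp/5140 listening:", tcp_listening(5140), "| udp/5140 bound:", udp_port_in_use(5140))
```

Run it on the ELK host. Logstash's udp input binds 0.0.0.0 by default, which conflicts with a 127.0.0.1 bind, so the default host argument is enough; if you set host => on the input, pass that address instead. The authoritative checks remain a config test with sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t, and, after a restart, ss -lunp | grep 5140 to see the UDP listener and the process that owns it.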
