Incoming logs from Cisco switches don't appear in filebeat-* indexes

robertitox · July 17, 2020, 2:54pm

Dear all,

I have ELK 7.8.0 and I've configured cisco asa module from Filebeat 7.8.0 in order to receive incoming logs from Cisco switches. Here it is the /etc/filebeat/modules.d/cisco.yml below module.cisco line:

ios:
enabled: true
var.input: syslog
var.syslog_host: 10.1.1.1
var.syslog_port: 514

After restart filebeat, I run "tcpdump -i eth0 port 514" and I can see incoming logs in the eth0 interface:

10:04:53.496880 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.notice, length: 119
10:04:58.645727 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.error, length: 101
10:06:00.641406 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.notice, length: 119
10:06:02.950845 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.error, length: 101
10:10:08.349291 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.notice, length: 103

But after that, when I go to Discover and I choose Filebeat-*, I search into these indexes for Cisco switches syslog events, but I can't see anything.....no syslogs at all.

What can be the problem? Because I see syslogs in the physical interface but I don't see them in filebeat-* .

Thanks in advance !!!

Mario_Castro · July 21, 2020, 10:59am

Can you execute with full logging output enabled and paste the results in a proper Markdown format, please? metricbeat -e -d "*"

robertitox · July 21, 2020, 12:43pm

Dear Mario, I've implemented a new ELK server and now the Cisco logs are coming OK.

Thanks for your help!!!

Cheers

system · August 18, 2020, 2:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.