Incoming logs from Cisco switches don't appear in filebeat-* indexes

Dear all,

I have ELK 7.8.0 and I've configured the cisco asa module from Filebeat 7.8.0 in order to receive incoming logs from Cisco switches. Here is the section of /etc/filebeat/modules.d/cisco.yml below the module.cisco line:

  ios:
    enabled: true
    var.input: syslog
    var.syslog_host: 10.1.1.1
    var.syslog_port: 514

After restarting filebeat, I run "tcpdump -i eth0 port 514" and I can see the incoming logs on the eth0 interface:

10:04:53.496880 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.notice, length: 119
10:04:58.645727 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.error, length: 101
10:06:00.641406 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.notice, length: 119
10:06:02.950845 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.error, length: 101
10:10:08.349291 IP 172.16.1.15.61032 > 10.1.1.1.syslog: SYSLOG local7.notice, length: 103

But after that, when I go to Discover and choose Filebeat-*, I search these indexes for Cisco switch syslog events but I can't see anything; no syslogs at all.

What can the problem be? I see the syslogs on the physical interface but I don't see them in filebeat-*.

Thanks in advance!!!
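Before blaming the Filebeat pipeline it helps to know exactly what the tcpdump lines above are showing and whether the switch's syslog lines are well-formed. The block below is an added example, not code from the original post or from the Filebeat cisco module: it decodes the RFC 3164 PRI value that tcpdump renders as `local7.notice` / `local7.error`, parses the Cisco IOS message layout (`<PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text`), and round-trips a line over a loopback UDP socket the way a syslog listener would receive it. The sample messages, the `172.16.1.15` sender and the `roundtrip` helper are constructed for the example.

```python
"""Decode syslog PRI values and parse Cisco IOS syslog lines.

Added example for this thread; it is not Filebeat's own parser. Sample
messages below are constructed, not captured from the poster's switch.
"""
import re
import socket

# RFC 3164 facility and severity names, in numeric order.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]


def decode_pri(pri: int):
    """Split a PRI into (facility, severity) names.
    tcpdump's 'local7.notice' is PRI 189 = 23*8 + 5; 'local7.error' is 187."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri, useful when building test messages."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


# Cisco IOS layout: <PRI> optional "seq: " timestamp ": " %FAC-SEV-MNEMONIC ": " text
IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<ts>[^%]*?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_ios(line: str):
    """Return a dict of fields for a Cisco IOS syslog line, or None if it
    does not match the expected layout (the kind of line a module would drop)."""
    m = IOS_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    cisco_sev = int(m["sev"])
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "sequence": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "cisco_facility": m["fac"],
        "cisco_severity": cisco_sev,
        "mnemonic": m["mnemonic"],
        "message": m["text"],
        # IOS derives the PRI severity from the %FAC-SEV-MNEMONIC digit;
        # a mismatch hints at a relay rewriting the header.
        "severity_consistent": cisco_sev == pri % 8,
    }


def roundtrip(message: str, host: str = "127.0.0.1"):
    """Send one line over UDP to a receiver bound on an ephemeral loopback
    port and parse what arrives: a stand-in for 'switch -> syslog input'."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((host, 0))          # port 0 = let the OS pick a free port
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(message.encode(), rx.getsockname())
        data, _peer = rx.recvfrom(2048)
    finally:
        tx.close()
        rx.close()
    return parse_ios(data.decode())


# Constructed samples matching the local7.notice / local7.error lines tcpdump printed.
SAMPLES = [
    "<189>42: *Jun 15 10:04:53.496: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.16.1.15)",
    "<187>43: *Jun 15 10:04:58.645: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(roundtrip(line))
```

The round-trip binds an ephemeral port on loopback only to show the receive side; in the poster's setup the question is whether Filebeat itself holds 10.1.1.1:514 (ports below 1024 need root or the bind capability), which `ss -lunp` will show. Packets visible in tcpdump but no listener bound, or lines that `parse_ios` rejects, are the two most common reasons events never reach filebeat-*.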

Can you execute with full logging output enabled and paste the results in a proper Markdown format, please? metricbeat -e -d "*"

Dear Mario, I've implemented a new ELK server and now the Cisco logs are coming in OK.

Thanks for your help!!!

Cheers
