I'm using filebeat/elastic/kibana 7.16.3 all on the same Ubuntu 20.04.3. I am receiving logs from a number of clients using the filebeat nginx and system modules but I'm having trouble with the iptables module. *** I do not see any iptables events in Elasticsearch *** I've done a significant amount of debugging and could really use some suggestions!
In this case I've omitted all modules except iptables.
- output from `filebeat -e -d "*" >/tmp/fb.out 2>&1` (1147 lines): `2022-01-30T13:14:35.187-0800 INFO instance/beat.go:686 Home path: [/usr/share/filebeat]...` - def82432 -
- /etc/filebeat/modules.d/iptables.yml:

```yaml
- module: iptables
  log:
    enabled: true
    var.paths: ["/var/log/iptables.log"]
    var.input: "file"
```
- iptables.log:

```
Jan 30 21:09:59 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:ff:00:gg:ii:00 SRC=123.123.165.248 DST=123.1.1.123 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=56014 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 30 21:10:08 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC= SRC=123.1.1.123 DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=23424 DF PROTO=UDP SPT=49368 DPT=10001 LEN=12
Jan 30 21:10:08 ubnt kernel: [VLAN_20_LOCAL-default-D]IN=switch0.20 OUT= MAC= SRC=192.168.20.1 DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=11736 DF PROTO=UDP SPT=58513 DPT=10001 LEN=12
Jan 30 21:10:08 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:ff:00:gg:ii:00 SRC=123.123.73.122 DST=123.1.1.123 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=52587 PROTO=TCP SPT=40827 DPT=8035 WINDOW=1024 RES=0x00 SYN URGP=0
```
I believe this should work because:
- the iptables module ships with filebeat
- This person appears to be reporting an issue (and getting a resolution) with the iptables module: [filebeat iptables] Ubiquiti Firewall field [raw_date] not present as part of path [iptables.raw_date] · Issue #24878 · elastic/beats · GitHub. In fact, the logs posted in that issue are in exactly the same format as mine shown above.
- I have not done anything to modify the defaults with either filebeat, elastic, or kibana.
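As an added, stand-alone example (not part of the post and not the Filebeat module's own code), here is a small Python parser for the EdgeOS kernel-log format quoted above. Parsing the same lines outside the pipeline shows what fields a correct ingest should yield and flags any line that does not match the expected shape; the output keys, the `udp_LEN` naming for the duplicated `LEN=` token and `dropped_inbound()` are my own conventions, not the module's `iptables.*` field names.

```python
import re
from typing import Dict, List, Optional

# Sample input: two of the kernel-log lines quoted in the post above, embedded here as test data.
SAMPLE_LINES = [
    "Jan 30 21:09:59 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=00:00:ff:00:gg:ii:00 SRC=123.123.165.248 "
    "DST=123.1.1.123 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=56014 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 30 21:10:08 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC= SRC=123.1.1.123 DST=255.255.255.255 "
    "LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=23424 DF PROTO=UDP SPT=49368 DPT=10001 LEN=12",
]

# syslog header, the optional "[prefix]" written by the LOG target, then the key=value body
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[(?P<prefix>[^\]]*)\])?\s*(?P<body>IN=.*)$"
)
# EdgeOS prefixes read "<rule set>-<rule name>-<action>", e.g. WAN_LOCAL-default-D (D = drop)
UBIQUITI_RE = re.compile(r"^(?P<rule_set>[^-]+)-(?P<rule_name>.+)-(?P<action>[A-Z]+)$")


def parse_iptables_line(line: str) -> Optional[Dict]:
    """Parse one kernel LOG line into structured fields; return None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event: Dict = {"timestamp": m["ts"], "host": m["host"], "fields": {}, "flags": []}
    u = UBIQUITI_RE.match(m["prefix"] or "")
    if u:
        event.update(u.groupdict())  # rule_set, rule_name, action
    for token in m["body"].split():
        if "=" not in token:  # bare tokens such as DF, SYN, ACK are flags
            event["flags"].append(token)
            continue
        key, value = token.split("=", 1)  # "OUT=" and "MAC=" carry empty values
        if key in event["fields"]:  # a second LEN= belongs to the L4 header (e.g. UDP length)
            key = f"{event['fields'].get('PROTO', 'dup').lower()}_{key}"
        event["fields"][key] = value
    return event


def dropped_inbound(lines: List[str]) -> List[tuple]:
    """(src, proto, dport) for every inbound packet the firewall logged with action D."""
    out = []
    for line in lines:
        ev = parse_iptables_line(line)
        if ev and ev.get("action") == "D" and ev["fields"].get("IN"):
            f = ev["fields"]
            out.append((f.get("SRC"), f.get("PROTO"), f.get("DPT")))
    return out
```

Run `dropped_inbound(open("/var/log/iptables.log").read().splitlines())` against the real file to confirm the lines parse before looking further up the pipeline.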