Hopefully the group can help me out here... I've got my network infrastructure (coming out of a UniFi controller) sending syslog to Filebeat over UDP/514. The messages are iptables logs. I'm not seeing any of the messages get processed into Elasticsearch. I DID confirm that messages are coming into the Filebeat host on 514 with a tcpdump. I also set up syslog-ng and created a test file for Filebeat and tried to process it using "read from file" instead of "read from syslog". And even that fails...
Here's what my filebeat.yml looks like:
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

logging.to_files: false
logging.level: debug

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS}'
  username: '${ELASTICSEARCH_USERNAME}'
  password: '${ELASTICSEARCH_PASSWORD}'

setup.kibana:
  host: "kib01:5601"
And here's my iptables.yml:
# Module: iptables
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-iptables.html

- module: iptables
  log:
    enabled: true
    var.convert_timezone: true
    var.syslog_host: localhost
    var.syslog_port: 514
    # Set which input to use between syslog (default) or file.
    var.input: "syslog"
And here's a sample of the log data that is being sent:
Jan 26 09:18:47 30c04bee8c30,udm-1.8.5.2964 kernel: [322287.006104] IN=br30 OUT=eth4 MAC=f6:92:bf:7f:a0:e8:40:b4:cd:28:95:40:08:00 SRC=1.2.3.4 DST=4.3.2.1 LEN=136 TOS=0x00 PREC=0x00 TTL=63 ID=39401 DF PROTO=TCP SPT=37398 DPT=80 WINDOW=274 RES=0x00 ACK PSH URGP=0
Jan 26 09:18:47 30c04bee8c30,udm-1.8.5.2964 kernel: [322287.020222] IN=br10 OUT=eth4 MAC=f6:92:bf:7f:a0:e8:5c:3a:45:9a:c1:8d:08:00 SRC=1.2.3.4 DST=4.3.2.1 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=38007 DF PROTO=UDP SPT=51931 DPT=443 LEN=42
Any help appreciated!
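Editor's note (added example, not part of the original post or of Filebeat): one thing worth checking before the pipeline itself is the bind address. With var.syslog_host: localhost the iptables module's UDP listener is bound to the loopback address only, so datagrams the controller sends to the host's LAN address (the ones tcpdump shows arriving on the interface) are never handed to Filebeat; "ss -lunp | grep 514" shows which address it actually bound. Independently of that, the parser below shows what the quoted UDM lines contain and which parts are awkward for a syslog pipeline: the hostname field is "<mac>,<model-firmware>" (a comma inside one token), the kernel message carries an uptime prefix in brackets, some tokens are bare flags (DF, ACK, PSH) rather than KEY=VALUE, and the UDP line has two LEN fields (IP length and UDP length). The sample lines are constructed from the two lines quoted above; the function and field names are this example's own, not the module's.

```python
import re

# Constructed sample input, copied from the two UDM lines quoted in the post
# (addresses there are already placeholders: 1.2.3.4 / 4.3.2.1).
SAMPLE_LINES = [
    "Jan 26 09:18:47 30c04bee8c30,udm-1.8.5.2964 kernel: [322287.006104] IN=br30 OUT=eth4 "
    "MAC=f6:92:bf:7f:a0:e8:40:b4:cd:28:95:40:08:00 SRC=1.2.3.4 DST=4.3.2.1 LEN=136 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=39401 DF PROTO=TCP SPT=37398 DPT=80 WINDOW=274 RES=0x00 ACK PSH URGP=0",
    "Jan 26 09:18:47 30c04bee8c30,udm-1.8.5.2964 kernel: [322287.020222] IN=br10 OUT=eth4 "
    "MAC=f6:92:bf:7f:a0:e8:5c:3a:45:9a:c1:8d:08:00 SRC=1.2.3.4 DST=4.3.2.1 LEN=62 TOS=0x00 "
    "PREC=0x00 TTL=127 ID=38007 DF PROTO=UDP SPT=51931 DPT=443 LEN=42",
]

# BSD-style syslog header: "Mon DD HH:MM:SS <hostname> <program>: [<uptime>] <body>".
# The UDM puts "<mac>,<model-firmware>" in the hostname slot, so hostname is any
# run of non-space characters rather than a DNS-safe name.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^:\s]+): "
    r"(?:\[(?P<uptime>[\d.]+)\] )?"
    r"(?P<body>.*)$"
)

# iptables LOG tokens are either KEY=VALUE (value may be empty, e.g. "OUT=" for
# locally delivered packets) or a bare flag such as DF, SYN, ACK, PSH.
TOKEN_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)|(?P<flag>[A-Z]+)")


def parse_iptables_line(line: str) -> dict:
    """Parse one syslog-wrapped iptables LOG line into a flat dict.

    Syslog header fields are lowercase keys; KEY=VALUE pairs from the kernel
    message keep their uppercase names; bare flags are collected in 'flags'.
    A LEN that repeats after PROTO is the transport-layer length and is stored
    as '<PROTO>_LEN' so it does not overwrite the IP-layer LEN.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    rec = {
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "program": m["program"],
        "uptime": float(m["uptime"]) if m["uptime"] else None,
        "flags": [],
    }
    proto = None
    for tok in TOKEN_RE.finditer(m["body"]):
        if tok["flag"] is not None:
            rec["flags"].append(tok["flag"])
            continue
        key, value = tok["key"], tok["value"]
        if key == "PROTO":
            proto = value
        elif key in rec and proto:
            key = f"{proto}_{key}"  # e.g. the UDP payload LEN
        rec[key] = value

    # The LOG target prints MAC as dst(6) : src(6) : ethertype(2), all colon-separated.
    mac = rec.get("MAC", "")
    octets = mac.split(":") if mac else []
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ether_type"] = "0x" + "".join(octets[12:])  # 0x0800 = IPv4
    return rec


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_iptables_line(line)
        print(r["hostname"], r["PROTO"], f'{r["SRC"]}:{r["SPT"]} -> {r["DST"]}:{r["DPT"]}', r["flags"])
```

Running it stand-alone prints one summary per sample line. If the two lines above pass through this parser but not through the module, the difference lies in what the module's syslog input accepts in the header, which is the part of the line a plain regex is most forgiving about.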