Hi, I am new to Elastic and need some help, as I could not find an answer even after extensive googling.
I have installed Elasticsearch 7.5, Kibana 7.5, Filebeat and Logstash.
All of these things work fine when I forward Linux system logs using the Filebeat system module, and I can see the Linux logs in Elasticsearch.
Now I need to send firewall logs to Elasticsearch, but it doesn't work. I have removed Logstash from the Filebeat output and left Elasticsearch only, but it still doesn't work. I need to forward all the logs from the ASA firewalls to Elasticsearch.
I ran tcpdump to see if packets are reaching the machine, and I can see the firewall is sending a bunch of data to the system on port 9000.
Here are a few of the outputs:
```
[root@elk-ap01.dev modules.d] 0 # filebeat modules list
Enabled:
cisco
system
Disabled:
apache
```
```
[root@elk-ap01.dev modules.d] 2 # cat ../filebeat.yml | grep -v "#"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
- type: syslog
  enabled: true
  protocol.udp:
    host: "0.0.0.0:9000"
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "elkdev.domain.com:5601"
output.elasticsearch:
  hosts: ["elkdev.domain.com:9200"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
[root@elk-ap01.dev modules.d] 0 #
```
What am I missing, and how can I see the firewall logs in Kibana?
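One way to separate "is the UDP syslog path working?" from "is the cisco module parsing the ASA lines?" is to feed a known-good message through the same kind of UDP socket the `syslog` input listens on and check what comes out the other side. The script below is an added example, not code from the original post or from Elastic: it builds an RFC 3164-style datagram around a constructed Cisco ASA-format body (the `%ASA-6-302013` message text, hostname `fw01` and the 203.0.113.0/24 and 192.0.2.0/24 addresses are all sample values, not taken from the poster's environment), pushes it through a loopback UDP socket, and parses the PRI, facility, severity and ASA message ID from what arrives. To aim a test message at a real Filebeat host instead, call `send_udp(SAMPLE_ASA_LINE, "<filebeat-host>", 9000)` and then check the Filebeat log and the index; an event that shows up from this script but not from the firewall points at the firewall-to-host path or the message format rather than at Filebeat's configuration.

```python
"""Added example (not from the original post): round-trip a constructed Cisco
ASA-style syslog datagram over loopback UDP and parse it, to test the syslog
input path independently of the firewall."""
import re
import socket

# Constructed sample line: facility local4 (20), severity informational (6),
# so PRI = 20*8 + 6 = 166. Hostname and IP addresses are placeholders.
SAMPLE_ASA_LINE = (
    "<166>fw01 %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:203.0.113.10/51515 (203.0.113.10/51515) to "
    "inside:192.0.2.20/443 (192.0.2.20/443)"
)

# PRI in angle brackets, an optional header (timestamp/hostname), then the
# ASA body which always starts with %ASA-<severity>-<six-digit message id>:
ASA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<header>.*?)"
    r"(?P<body>%ASA-(?P<asa_sev>\d)-(?P<msgid>\d{6}):\s+.*)$"
)


def build_syslog(facility, severity, hostname, body):
    """Assemble an RFC 3164-style datagram; PRI is facility*8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{hostname} {body}"


def parse_asa_syslog(line):
    """Return the decoded fields of an ASA syslog line, or None if it is not one."""
    m = ASA_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "header": m.group("header").strip(),
        "asa_severity": int(m.group("asa_sev")),
        "message_id": m.group("msgid"),
        "body": m.group("body"),
    }


def send_udp(line, host, port):
    """Send one datagram; returns the number of bytes handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


def loopback_roundtrip(line, timeout=2.0):
    """Bind an ephemeral UDP port on 127.0.0.1, send the line to it and
    return what was received, the same way a syslog/udp input would see it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        _, port = listener.getsockname()
        send_udp(line, "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    received = loopback_roundtrip(SAMPLE_ASA_LINE)
    print(parse_asa_syslog(received))
```

If `parse_asa_syslog` returns `None` for a line captured with tcpdump from the real firewall, the message is not in the `%ASA-<sev>-<id>:` shape the cisco module expects, which is a different problem from the input not listening.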