Send syslog to Filebeat server

Greetings,

I'm trying to send my Cisco switches' logs to my Filebeat server, but for some reason it's not working. I can see that Filebeat receives the logs, but it doesn't ship them to Elastic afterwards. I tried using Logstash as well, but it wouldn't ship either.

Any idea on how I can achieve that?

Here is my config:

############################# Filebeat #####################################

filebeat.inputs:

- type: udp
  paths:
    - /var/log/*/*.log
  fields:
    type: switch

  fields_under_root: true
  encoding: utf-8
  ignore_older: 720h
  exclude_files: [/var/audit/*]

filebeat.registry.path: /var/lib/filebeat

############################# Output ##########################################

output:
  logstash:
    hosts: ["###########:5015"]
    ssl:
      certificate_authorities: ['/etc/filebeat/certificate.crt']

Hello, welcome,

The logs you are trying to import are not coming from a UDP port; they seem to be in a log file.
For this, please use the filestream input instead of UDP.

But as you might need it another time: the UDP input is for something like a load balancer service that can send logs to a port which is open for receiving them with the filebeat service. You can find the details on how to use it at the link above.

Regards.

Hi, thanks for your quick reply. Someone told me I needed a path. However, my input is indeed UDP 5515 from the Switches. Do I need to use this instead?

filebeat.inputs:

- type: syslog
  format: rfc3164
  protocol.udp:
  host: "localhost:5515"

Hello again,
I am not the expert on filebeat unfortunately, but I think it depends on how the switches are configured to send the info. Right now I assume it's creating log files instead of sending them out through a port (?). Could you please give it a try with both syslog and udp input plugins?

NOTE: the host: variable needs an indent.

What is the input you are using?

The input you shared in your first post is confusing, because it is a udp input, but you didn't specify any port and it has configurations for a filestream input.

Your udp input needs to be configured according to the documentation for the udp input or the documentation for the syslog input.

Hello,

Here is my current config: I'm just not sure if my input should be syslog UDP or just UDP..

Also as you can see, my filebeat server is receiving logs from my switch:

############################# Filebeat #####################################

filebeat.inputs:
- type: syslog
  format: rfc3164
  protocol.udp:
    host: "0.0.0.0:5515"

  fields:
    logzio_codec: json
    token: ####
    type: switch
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h

output.logstash:
  hosts: ["listener-ca.logz.io:5015"]
  ssl:
    certificate_authorities: ['/etc/filebeat/AAACertificateServices.crt']

What do you have in filebeat logs?

Also, encoding and ignore_older are not valid options for the syslog input, but I don't think this is the issue.

That's another thing.. I've been troubleshooting blindly because I do not have filebeat logs. Default path is /var/log/filebeat, but it's not working? Am I missing something?

Note: I tried without the encoding/ignore_older, but same result.

There is a specific filebeat config part for logging, without it filebeat service runs silent;

Thanks! Good to know. Here is what I have:

[root@c03-logz002-01 filebeat]# tail -f /var/log/filebeat/filebeat-20230927.ndjson
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-27T10:12:19.419-0400","log.origin":{"file.name":"beater/filebeat.go","file.line":331},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":107},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.fields.logzio_codec filebeat.inputs.0.fields.token filebeat.inputs.0.fields.type filebeat.inputs.0.fields_under_root filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 703344124785324289)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":147},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:19.419-0400","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-27T10:12:49.422-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"filebeat.service"},"memory":{"id":"filebeat.service","mem":{"usage":{"bytes":21446656}}}},"cpu":{"system":{"ticks":30,"time":{"ms":30}},"total":{"ticks":70,"time":{"ms":70},"value":70},"user":{"ticks":40,"time":{"ms":40}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":11},"info":{"ephemeral_id":"2c91e2a6-612a-4e96-b74a-eff285b4d6db","name":"filebeat","uptime":{"ms":30290},"version":"8.10.2"},"memstats":{"gc_next":7808280,"memory_alloc":6474872,"memory_sys":23196936,"memory_total":13476200,"rss":65339392},"runtime":{"goroutines":20}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"logstash"},"pipeline":{"clients":1,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-27T10:13:19.422-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":21663744}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":80,"time":{"ms":10},"value":80},"user":{"ticks":50,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":11},"info":{"ephemeral_id":"2c91e2a6-612a-4e96-b74a-eff285b4d6db","uptime":{"ms":60291},"version":"8.10.2"},"memstats":{"gc_next":7808280,"memory_alloc":6766536,"memory_total":13767864,"rss":65462272},"runtime":{"goroutines":20}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-27T10:13:49.421-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":27717632}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":80,"value":80},"user":{"ticks":50}},"handles":{"limit":{"hard":524288,"soft":524288},"open":11},"info":{"ephemeral_id":"2c91e2a6-612a-4e96-b74a-eff285b4d6db","uptime":{"ms":90291},"version":"8.10.2"},"memstats":{"gc_next":8632240,"memory_alloc":4194384,"memory_total":14099112,"rss":71372800},"runtime":{"goroutines":20}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-27T10:14:19.422-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":29786112}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":80,"value":80},"user":{"ticks":50}},"handles":{"limit":{"hard":524288,"soft":524288},"open":11},"info":{"ephemeral_id":"2c91e2a6-612a-4e96-b74a-eff285b4d6db","uptime":{"ms":120290},"version":"8.10.2"},"memstats":{"gc_next":8632240,"memory_alloc":4298000,"memory_total":14202728,"rss":73465856},"runtime":{"goroutines":20}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-27T10:14:49.421-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":29827072}}}},"cpu":{"system":{"ticks":40,"time":{"ms":10}},"total":{"ticks":100,"time":{"ms":20},"value":100},"user":{"ticks":60,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":11},"info":{"ephemeral_id":"2c91e2a6-612a-4e96-b74a-eff285b4d6db","uptime":{"ms":150290},"version":"8.10.2"},"memstats":{"gc_next":8632240,"memory_alloc":4542792,"memory_total":14447520,"rss":73465856},"runtime":{"goroutines":20}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-27T10:15:19.423-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":29843456}}}},"cpu":{"system":{"ticks":40},"total":{"ticks":100,"value":100},"user":{"ticks":60}},"handles":{"limit":{"hard":524288,"soft":524288},"open":11},"info":{"ephemeral_id":"2c91e2a6-612a-4e96-b74a-eff285b4d6db","uptime":{"ms":180291},"version":"8.10.2"},"memstats":{"gc_next":8632240,"memory_alloc":4782304,"memory_total":14687032,"rss":73465856},"runtime":{"goroutines":20}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.05,"15":0,"5":0.01,"norm":{"1":0.025,"15":0,"5":0.005}}}},"ecs.version":"1.6.0"}}

It doesn't show any errors, so your logstash should get the logs. What is your logstash configuration to send data to elasticsearch?

FYI: you can directly send data to elasticsearch with the output plugin;

I understand, but when I run a tcpdump on my outbound port 5015, I see nothing going out. No outbound traffic through the firewall either.

Unfortunately, I cannot send to Elastic directly since we're shipping to a third party. It goes to their logstash based on the listener and then on their end it's sent to their stack.

It's blocked from within my filebeat that's for sure.

I think we can debug this by using the console output for filebeat to see if it's actually outputting anything on stdout?

Again sorry, I am not super useful here, just trying to help :)

No need to be sorry, you are more than helpful! I will take a look. Thanks!

Hi,

Sorry for the delay. Here is my result using the console output. I feel like Filebeat is not listening on port 5515. Is my input configuration ok?

filebeat.inputs:
- type: syslog
  format: auto
  protocol.udp:
    host: "localhost:5515"

{"log.level":"info","@timestamp":"2023-09-28T11:12:12.604-0400","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:12:42.604-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"session-1.scope"},"memory":{"id":"session-1.scope","mem":{"usage":{"bytes":31264768}}}},"cpu":{"system":{"ticks":30,"time":{"ms":30}},"total":{"ticks":70,"time":{"ms":70},"value":70},"user":{"ticks":40,"time":{"ms":40}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":10},"info":{"ephemeral_id":"a0a788d9-74e0-462d-8bd8-72ee6eba2ae7","name":"filebeat","uptime":{"ms":30089},"version":"8.10.2"},"memstats":{"gc_next":11911280,"memory_alloc":5926088,"memory_sys":23196936,"memory_total":13424648,"rss":65638400},"runtime":{"goroutines":19}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"console"},"pipeline":{"clients":1,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0,"5":0.01,"norm":{"1":0,"15":0,"5":0.005}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-28T11:13:12.604-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":37363712}}}},"cpu":{"system":{"ticks":30},"total":{"ticks":70,"value":70},"user":{"ticks":40}},"handles":{"limit":{"hard":524288,"soft":524288},"open":10},"info":{"ephemeral_id":"a0a788d9-74e0-462d-8bd8-72ee6eba2ae7","uptime":{"ms":60091},"version":"8.10.2"},"memstats":{"gc_next":11911280,"memory_alloc":6314992,"memory_total":13813552,"rss":72052736},"runtime":{"goroutines":19}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}

Thanks,

This needs to be 0.0.0.0 or the private IP of the server where filebeat is running. Using localhost will make filebeat only accept requests from the local server, not from other servers.

Good points, that's what I previously had. I just changed it and I get the same result unfortunately. It says it's listening on UDP, but doesn't specify the port. Is that normal?

{"log.level":"info","@timestamp":"2023-09-28T11:55:38.022-0400","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-28T11:55:38.022-0400","log.origin":{"file.name":"beater/filebeat.go","file.line":193},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.022-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.023-0400","log.origin":{"file.name":"instance/beat.go","file.line":515},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.023-0400","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.024-0400","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-28T11:55:38.024-0400","log.origin":{"file.name":"beater/filebeat.go","file.line":331},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.024-0400","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":107},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.024-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.025-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.fields.logzio_codec filebeat.inputs.0.fields.token filebeat.inputs.0.fields.type filebeat.inputs.0.fields_under_root filebeat.inputs.0.format filebeat.inputs.0.protocol.udp.host filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.025-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 14013981240996411673)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.025-0400","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.025-0400","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":147},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:55:38.025-0400","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-28T11:56:08.027-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"id":"session-1.scope"},"memory":{"id":"session-1.scope","mem":{"usage":{"bytes":34406400}}}},"cpu":{"system":{"ticks":10,"time":{"ms":10}},"total":{"ticks":50,"time":{"ms":50},"value":50},"user":{"ticks":40,"time":{"ms":40}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":10},"info":{"ephemeral_id":"926877f0-bc61-46b6-8076-cc464a70f149","name":"filebeat","uptime":{"ms":30076},"version":"8.10.2"},"memstats":{"gc_next":8400840,"memory_alloc":3980456,"memory_sys":23196936,"memory_total":13441184,"rss":63987712},"runtime":{"goroutines":19}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"console"},"pipeline":{"clients":1,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}

Ok, I'm new to the ELK stack too, so call me crazy if I'm incorrect, but don't you need to have the input enabled? Based on your posted configs so far, it's not explicitly enabled.

I think so, if you specify as 0.0.0.0:5515 then it should open the port 5515, you can validate it using netstat.

If your filebeat is listening on this port, and you still do not receive anything, then you need to check all the network communication.

First if your syslog can reach the filebeat server, then if your filebeat server can reach your logstash server.

There is no need. If the enabled option is not present in the configuration, then by default it is enabled; you just need to explicitly add it if you want to disable it. The default value is true.

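The Filebeat logs posted in this thread can themselves show whether any syslog datagram ever reached the input. Added example, not from the thread or from Elastic: a Python triage that sums the per-interval counters in the "Non-zero metrics" records (a counter Filebeat leaves out is treated as zero) and separates "nothing reaches the input" from "the output never acknowledges". The sample records and the result labels are constructed for illustration.

```python
import json

# Constructed samples in the shape of the Filebeat 8.x ndjson log quoted in the
# thread, trimmed to the fields this triage reads. Not captured output.
LISTEN = '{"log.level":"info","log.logger":"UDP","message":"Started listening for UDP connection"}'

def metrics_line(filebeat, output, pipeline):
    """Build one constructed 'Non-zero metrics' record."""
    return json.dumps({"log.level": "info", "log.logger": "monitoring",
                       "message": "Non-zero metrics in the last 30s",
                       "monitoring": {"metrics": {
                           "filebeat": {"events": filebeat},
                           "libbeat": {"output": {"events": output},
                                       "pipeline": {"events": pipeline}}}}})

SAMPLE_IDLE = ["[root@host filebeat]# tail -f filebeat.ndjson",  # non-JSON noise
               LISTEN,
               metrics_line({"active": 0}, {"active": 0}, {"active": 0})]
SAMPLE_STALLED = [LISTEN, metrics_line({"active": 12, "added": 12},
                                       {"active": 12, "failed": 12, "total": 12},
                                       {"active": 12, "published": 12})]
SAMPLE_OK = [LISTEN, metrics_line({"added": 5, "done": 5},
                                  {"acked": 5, "total": 5},
                                  {"published": 5})]

def _get(node, path, default=0):
    """Walk nested dicts; a counter Filebeat omitted counts as zero."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def summarize(lines):
    """Add up the per-interval counters from every metrics record."""
    s = {"listening": False, "added": 0, "published": 0, "acked": 0, "failed": 0}
    for raw in lines:
        try:
            rec = json.loads(raw)
        except (json.JSONDecodeError, TypeError):
            continue  # shell prompts, blank or truncated lines
        if not isinstance(rec, dict):
            continue
        if str(rec.get("message", "")).startswith("Started listening for UDP"):
            s["listening"] = True
        m = _get(rec, "monitoring.metrics", {})
        s["added"] += _get(m, "filebeat.events.added")
        s["published"] += _get(m, "libbeat.pipeline.events.published")
        s["acked"] += _get(m, "libbeat.output.events.acked")
        s["failed"] += _get(m, "libbeat.output.events.failed")
    return s

def diagnose(s):
    if not s["listening"]:
        return "no-listener"     # input never bound its socket
    if s["added"] == 0 and s["published"] == 0:
        return "no-input"        # nothing arrived: bind address, firewall, sender
    if s["acked"] == 0:
        return "output-stalled"  # events queued but Logstash never acknowledged
    return "ok"

if __name__ == "__main__":
    for name, sample in (("idle", SAMPLE_IDLE), ("stalled", SAMPLE_STALLED), ("ok", SAMPLE_OK)):
        print(name, diagnose(summarize(sample)), summarize(sample))
```

A "no-input" result points at the path between the switch and the listener (bind address, host firewall, the switch's logging host and port) rather than at the Logstash output.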