Struggling with sonicwall module

I am sure this is something silly, but I have been banging my head on this. I am trying to use the sonicwall module on Filebeat 8.4.

This is the sonicwall.yml:

    # Module: sonicwall
    # Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-sonicwall.html

    - module: sonicwall
      firewall:
        enabled: true

        # Set which input to use between udp (default), tcp or file.
        var.input:
         var.syslog_host:
         - 10.100.100.121
         var.syslog_port:
         - 25514

        # Set paths for the log files when file input is used.
        # var.paths:

        # Toggle output of non-ECS fields (default true).
        # var.rsa_fields: true

        # Set custom timezone offset.
        # "local" (default) for system timezone.
        # "+02:00" for GMT+02:00
          #var.tz_offset: local

and this is the error I get:

    Sep 30 12:02:59 TS-ELK01 filebeat[316482]: {"log.level":"error","@timestamp":"2022-09-30T12:02:59.882-0400","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: could not create module registry for filesets: error getting config for fileset sonicwall/firewall: Error interpreting the template of the input: template: text:1:6: executing \"text\" at <eq .input \"file\">: error calling eq: uncomparable type map[string]interface {}: map[var:map[syslog_host:[10.100.100.121] syslog_port:[25514]]]","service.name":"filebeat","ecs.version":"1.6.0"}

I have checked the yaml with yaml lint and it says it is valid, but I must be missing something here.

Does anyone else have any input to help me resolve this?

Looks weird... pretty sure host and port are not arrays / lists, see here:

    var.input:
    var.syslog_host: 10.100.100.121
    var.syslog_port: 25514

or

    var.input:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 25514

I think that the issue is that the yml does not look right. As @stephenb mentioned, if you use this format you are telling the config parser that var.syslog_port and var.syslog_host are arrays, and the parser is probably expecting just a string.

If you look at the config file in the GitHub repository, it is different.

Thanks everyone, I was going cross-eyed, it had been a long day. I switched it to an array as I was getting that error; however, I suspect I had a problem in my yaml before that, and then I started chasing the wrong squirrel up the wrong tree.

Thanks to you guys I have reset and got it working. Sometimes it just takes that 2nd set of eyes.

1 Like
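
The template failure quoted in the first post, reproduced with Go's text/template as an added example (not code from the thread or from Filebeat). The template string and all function names are constructed for illustration, and the wording after "error calling eq" varies with the Go version.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"text/template"
)

// Constructed stand-in for a fileset input template (the real one is not shown in the thread).
const inputTmpl = `{{if eq .input "file"}}type: log{{else}}type: {{.input}}
host: "{{.syslog_host}}:{{.syslog_port}}"{{end}}`

// render executes the template against the module's var.* values.
func render(vars map[string]interface{}) (string, error) {
	var buf bytes.Buffer
	t := template.Must(template.New("text").Parse(inputTmpl))
	err := t.Execute(&buf, vars)
	return buf.String(), err
}

// nonScalarVars names every var whose value parsed as a map or a list.
func nonScalarVars(vars map[string]interface{}) []string {
	var bad []string
	for k, v := range vars {
		switch v.(type) {
		case map[string]interface{}, []interface{}:
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

// brokenVars mirrors the structure printed in the error message in the first post.
func brokenVars() map[string]interface{} {
	return map[string]interface{}{"input": map[string]interface{}{
		"var": map[string]interface{}{
			"syslog_host": []interface{}{"10.100.100.121"},
			"syslog_port": []interface{}{25514},
		}}}
}

// fixedVars is the flat scalar form from the replies; "udp" is the default named in the config comment.
func fixedVars() map[string]interface{} {
	return map[string]interface{}{"input": "udp", "syslog_host": "10.100.100.121", "syslog_port": 25514}
}

func main() {
	for _, v := range []map[string]interface{}{brokenVars(), fixedVars()} {
		out, err := render(v)
		fmt.Printf("non-scalar: %v\nerr: %v\nout:\n%s\n\n", nonScalarVars(v), err, out)
	}
}
```

A YAML linter accepts both shapes because both are valid YAML; the failure only appears when the template compares the nested map against a string.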
