Hi everyone.
Last week I set up Filebeat (7.8.1) to ingest syslog from a Cisco ASA.
Everything works fine and the data is visible in Kibana. Now when I go to the SIEM page and try to set up SIEM with the Cisco module, there is a button that says "Check Data". When I click it I get the message "No data has been received from this module yet".
I have tried different Filebeat versions but I get the same message.
Here is my filebeat.yml:
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

# Configuration of the output
output.elasticsearch:
  username: xxx
  password: xxx
  protocol: https
  hosts: ["xxx:9200", "xxx:9200", "xxx:9200"]
  loadbalance: true
  bulk_max_size: 256
  worker: 3
  index: "asa-vpn-anyconnect"
Here is my cisco.yml (Filebeat module in etc/filebeat/modules.d/):
- module: cisco
  asa:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input: syslog
    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 1.1.1.1
    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 9001
    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    #var.log_level: 7
Could it be an issue that I use different index names instead of the default filebeat-*?