Unable to load software.log into elasticsearch

Chandrapaul · June 3, 2022, 9:25am

I'm trying to load software logs from zeek into Elasticsearch.

But if I run filebeat after adding software log path to zeek.yml in filebeat then I'm getting error :

"Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: fileset zeek/software is configured but doesn't exist".

How can this be resolved ?

stephenb · June 3, 2022, 2:03pm

Can you please share your zeek.yml

Did you enable the module?

filebeat modules enable zeek

legoguy1000 · June 4, 2022, 12:35am

There isn't a module for the zeek software log.

stephenb · June 4, 2022, 12:38am

hyperion:filebeat-8.2.0-darwin-x86_64 sbrown$ ls modules.d/ze*
modules.d/zeek.yml.disabled

@legoguy1000 Am I missing somegthing? You definitely made me flinch

legoguy1000 · June 4, 2022, 12:49am

Yes but it doesn't include every zeek log file. There is no fileset for the software.log.

stephenb · June 4, 2022, 12:52am

@Chandrapaul Please share your zeek.yml then perhaps we can help you / understand what you are trying to accomplish.

Chandrapaul · June 6, 2022, 7:45am

- module: zeek
  capture_loss:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/capture_loss.log"]
  connection:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/conn.log"]
  dce_rpc:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/dce_rpc.log"]
  dhcp:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/dhcp.log"]
  dnp3:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/dnp3.log"]
  dns:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/dns.log"]
  dpd:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/dpd.log"]
  files:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/files.log"]
  ftp:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/ftp.log"]
  http:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/http.log"]
  intel:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/intel.log"]
  irc:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/irc.log"]
  kerberos:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/kerberos.log"]
  modbus:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/modbus.log"]
  mysql:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/mysql.log"]
  notice:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/notice.log"]
  ntlm:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/ntlm.log"]
  #ntls:
          #enabled: true
          #var.paths: ["/opt/zeek/logs/current/ntls.log"]
  ntp:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/ntp.log"]
  ocsp:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/ocsp.log"]
  pe:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/pe.log"]
  radius:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/radius.log"]
  rdp:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/rdp.log"]
  rfb:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/rfb.log"]
  signature:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/signature.log"]
  sip:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/sip.log"]
  smb_cmd:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/smb_cmd.log"]
  smb_files:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/smb_files.log"]
  smb_mapping:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/smb_mapping.log"]
  smtp:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/smtp.log"]
  snmp:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/snmp.log"]
  socks:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/socks.log"]
  software:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/software.log"]
  ssh:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/ssh.log"]
  ssl:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/ssl.log"]
  stats:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/stats.log"]
  syslog:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/syslog.log"]
  traceroute:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/traceroute.log"]
  tunnel:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/tunnel.log"]
  weird:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/weird.log"]
  x509:
          enabled: true
          var.paths: ["/opt/zeek/logs/current/x509.log"]

stephenb · June 6, 2022, 3:18pm

as @legoguy1000 that is not a valid fileset you need to remove that.

If you want to collect those logs you will need to set up a regular filestream input.

system · July 4, 2022, 5:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.