Hi,
I'm using Filebeat to monitor, or try to monitor, Zeek.
But I can't see any of the Zeek files' content in Elastic. I've also enabled the system module and that burst straight into life.
So I know the module config is good.
Any suggestions on how I fault-find this?
I can't find any logs directing me to where the issue may be.
Thanks all.
warkolm (Mark Walkom), November 13, 2022, 11:42pm (#2)
Are you using the module?
What do the Filebeat logs show?
Hi,
Yes, I'm using the zeek module.
The file looks like this:
```yaml
# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-zeek.html
- module: zeek
  capture_loss:
    enabled: true
    var.path: ["/opt/zeek/logs/current/capture_loss.log"]
  connection:
    enabled: true
    var.path: ["/opt/zeek/logs/current/conn.log"]
  dce_rpc:
    enabled: false
  dhcp:
    enabled: false
  dnp3:
    enabled: false
  dns:
    enabled: true
    var.path: ["/opt/zeek/logs/current/dns.log"]
  dpd:
    enabled: false
  files:
    enabled: true
    var.path: ["/opt/zeek/logs/current/files.log"]
  ftp:
    enabled: false
  http:
    enabled: true
    var.path: ["/opt/zeek/logs/current/http.log"]
  intel:
    enabled: false
  irc:
    enabled: false
  kerberos:
    enabled: false
  modbus:
    enabled: false
  mysql:
    enabled: false
  notice:
    enabled: true
    var.path: ["/opt/zeek/logs/current/notice.log"]
  ntp:
    enabled: true
    var.path: ["/opt/zeek/logs/current/ntp.log"]
  ntlm:
    enabled: false
  ocsp:
    enabled: false
  pe:
    enabled: false
  radius:
    enabled: false
  rdp:
    enabled: false
  rfb:
    enabled: false
  signature:
    enabled: false
  sip:
    enabled: false
  smb_cmd:
    enabled: false
  smb_files:
    enabled: false
  smb_mapping:
    enabled: false
  smtp:
    enabled: false
  snmp:
    enabled: false
  socks:
    enabled: false
  ssh:
    enabled: false
  ssl:
    enabled: true
    var.path: ["/opt/zeek/logs/current/ssl.log"]
  stats:
    enabled: true
    var.path: ["/opt/zeek/logs/current/stats.log"]
  syslog:
    enabled: false
  traceroute:
    enabled: false
  tunnel:
    enabled: false
  weird:
    enabled: true
    var.path: ["/opt/zeek/logs/current/weird.log"]
  x509:
    enabled: false
```
and the files are here and being updated:
```
root@server-hapx-01:/opt/zeek/logs/current# ls -l
total 216
-rw-r--r-- 1 root zeek    420 Nov 14 08:58 capture_loss.log
-rw-r--r-- 1 root zeek  64529 Nov 14 08:58 conn.log
-rw-r--r-- 1 root zeek    175 Nov 14 08:31 dhcp.log
-rw-r--r-- 1 root zeek    800 Nov 14 08:58 notice.log
-rw-r--r-- 1 root zeek    270 Nov 14 08:34 ssl.log
-rw-r--r-- 1 root zeek   5828 Nov 14 08:57 stats.log
-rw-r--r-- 1 root zeek     21 Nov 11 19:27 stderr.log
-rw-r--r-- 1 root zeek    204 Nov 11 19:27 stdout.log
-rw-r--r-- 1 root zeek 109132 Nov 14 08:58 telemetry.log
-rw-r--r-- 1 root zeek    653 Nov 14 08:34 weird.log
```
I've looked in /var/log/syslog and the /var/log/filebeat/filebeat-*.ndjson log,
and I can't see anything screaming at me. Any suggestions on what I need to look for?
warkolm (Mark Walkom), November 14, 2022, 9:02am (#4)
Please format your code/logs/config using the </> button, or markdown-style backticks. It helps to make things easy to read, which helps us help you.
I mean the ones Filebeat creates, not reads. Usually /var/log/filebeat/filebeat.log.
Hi,
Here are the contents of three of the files in that folder:
```
root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-7.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:57:45.710Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:57:45.711Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}
root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-8.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:58:24.853Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:58:24.853Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}
root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-9.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:58:31.250Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:58:31.250Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}
```
Nothing is screaming at me as to where the issue is. Any suggestions, please?
Is there a way to confirm the module is enabled? It might be in modules.d, but is there a way to confirm that in Filebeat? (Just a thought.)
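A small triage script for the situation in this thread, added here as an example and not taken from the thread or from Elastic's own tooling. It takes the Zeek log paths enabled in the posted module config plus the text of a Filebeat NDJSON log and reports three things a practitioner checks by hand: which configured files are missing or unreadable by the process running the check, which files never got a "Harvester started" entry in the Filebeat log, and any warn/error (or unparsable) log lines. The first sample log line mirrors the thread's real entries; the remaining lines, the `harvester.go` origin and the exact "Harvester started" wording are constructed for the example and vary between Filebeat versions, so treat that string match as an assumption to adjust.

```python
"""Triage a Filebeat module that ships no events (added example, not Filebeat code)."""
import json
import os
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Tuple

# Zeek paths enabled in the module config posted in the thread.
EXPECTED_PATHS = [
    "/opt/zeek/logs/current/capture_loss.log",
    "/opt/zeek/logs/current/conn.log",
    "/opt/zeek/logs/current/dns.log",
    "/opt/zeek/logs/current/files.log",
    "/opt/zeek/logs/current/http.log",
    "/opt/zeek/logs/current/notice.log",
    "/opt/zeek/logs/current/ntp.log",
    "/opt/zeek/logs/current/ssl.log",
    "/opt/zeek/logs/current/stats.log",
    "/opt/zeek/logs/current/weird.log",
]

# Constructed Filebeat NDJSON log: line 1 mirrors the thread's real entries;
# lines 2-4 are made up to show a harvester start, a permission error, and a
# truncated (non-JSON) write.
SAMPLE_FILEBEAT_LOG = """\
{"log.level":"info","@timestamp":"2022-11-11T19:57:45.710Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:57:46.001Z","log.origin":{"file.name":"input/log/harvester.go","file.line":310},"message":"Harvester started for paths: [/opt/zeek/logs/current/conn.log]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-11-11T19:57:46.002Z","log.origin":{"file.name":"input/log/input.go","file.line":556},"message":"Harvester could not be started on new file: /opt/zeek/logs/current/notice.log, Err: open /opt/zeek/logs/current/notice.log: permission denied","service.name":"filebeat","ecs.version":"1.6.0"}
this line is not json and simulates a truncated write
"""


@dataclass
class TriageReport:
    missing: List[str] = field(default_factory=list)        # path does not exist
    unreadable: List[str] = field(default_factory=list)     # exists, not readable by us
    harvested: List[str] = field(default_factory=list)      # harvester start was logged
    not_harvested: List[str] = field(default_factory=list)  # no harvester start seen
    problems: List[Tuple[str, str]] = field(default_factory=list)  # (level, message)

    def ok(self) -> bool:
        return not (self.missing or self.unreadable or self.not_harvested or self.problems)


def default_readable(path: str) -> bool:
    """Readable by the current process; run as the user the Filebeat service uses."""
    return os.access(path, os.R_OK)


def parse_ndjson(text: str) -> Iterable[dict]:
    """Yield one dict per Filebeat log line; unparsable lines become 'unparsed' entries."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            yield {"log.level": "unparsed", "message": raw}


def triage(expected_paths: List[str], filebeat_log_text: str,
           readable: Callable[[str], bool] = default_readable,
           exists: Callable[[str], bool] = os.path.exists) -> TriageReport:
    """Cross-check configured input files against the filesystem and Filebeat's own log."""
    report = TriageReport()
    for p in expected_paths:
        if not exists(p):
            report.missing.append(p)
        elif not readable(p):
            report.unreadable.append(p)

    started = set()
    for entry in parse_ndjson(filebeat_log_text):
        level = entry.get("log.level", "")
        msg = entry.get("message", "")
        # Assumed message prefix; Filebeat's wording differs between 7.x and 8.x.
        if msg.startswith("Harvester started"):
            started.update(p for p in expected_paths if p in msg)
        if level in ("warn", "error", "unparsed"):
            report.problems.append((level, msg))

    for p in expected_paths:
        (report.harvested if p in started else report.not_harvested).append(p)
    return report


if __name__ == "__main__":
    # Stand-alone run against the constructed sample log and the real filesystem.
    r = triage(EXPECTED_PATHS, SAMPLE_FILEBEAT_LOG)
    for name in ("missing", "unreadable", "harvested", "not_harvested", "problems"):
        print(f"{name}: {getattr(r, name)}")
    print("all clear" if r.ok() else "something to fix above")
```

Run it as the user the Filebeat service runs as, since a file that is readable to root but not to that user shows up only in the `unreadable` list. A path that exists and is readable but never appears in `harvested`, with no error logged, usually means the module or fileset is not actually enabled or the path does not match; `filebeat modules list` and `filebeat test config` are the Filebeat commands for confirming that side before looking at the Elasticsearch output.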
system (system), closed December 13, 2022, 12:17am (#8)
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.