Zeek monitoring using filebeats

Hi,
I'm using filebeats to monitor or try to monitor zeek.
But I can't see any of the zeek files content in elastic, I've also enabled the system module and that burst straight into life.
So I know the module config is good.

Any suggestions on how I fault find this?
I can't find any logs directing me to where the issue may be.
Thanks all.

Are you using the module?
What do the Filebeat logs show?

Hi,
Yes i'm using the zeek module.
The files looks like this

# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-zeek.html

- module: zeek
  capture_loss:
    enabled: true
    var.path: ["/opt/zeek/logs/current/capture_loss.log"]
  connection:
    enabled: true
    var.path: ["/opt/zeek/logs/current/conn.log"]
  dce_rpc:
    enabled: false
  dhcp:
    enabled: false
  dnp3:
    enabled: false
  dns:
    enabled: true
    var.path: ["/opt/zeek/logs/current/dns.log"]
  dpd:
    enabled: false
  files:
    enabled: true
    var.path: ["/opt/zeek/logs/current/files.log"]
  ftp:
    enabled: false
  http:
    enabled: true
    var.path: ["/opt/zeek/logs/current/http.log"]
  intel:
    enabled: false
  irc:
    enabled: false
  kerberos:
    enabled: false
  modbus:
    enabled: false
  mysql:
    enabled: false
  notice:
    enabled: true
    var.path: ["/opt/zeek/logs/current/notice.log"]
  ntp:
    enabled: true
    var.path: ["/opt/zeek/logs/current/ntp.log"]
  ntlm:
    enabled: false
  ocsp:
    enabled: false
  pe:
    enabled: false
  radius:
    enabled: false
  rdp:
    enabled: false
  rfb:
    enabled: false
  signature:
    enabled: false
  sip:
    enabled: false
  smb_cmd:
    enabled: false
  smb_files:
    enabled: false
  smb_mapping:
    enabled: false
  smtp:
    enabled: false
  snmp:
    enabled: false
  socks:
    enabled: false
  ssh:
    enabled: false
  ssl:
    enabled: true
    var.path: ["/opt/zeek/logs/current/ssl.log"]
  stats:
    enabled: true
    var.path: ["/opt/zeek/logs/current/stats.log"]
  syslog:
    enabled: false
  traceroute:
    enabled: false
  tunnel:
    enabled: false
  weird:
    enabled: true
    var.path: ["/opt/zeek/logs/current/weird.log"]
  x509:
    enabled: false

and the files are here and being updated
root@server-hapx-01:/opt/zeek/logs/current# ls -l

total 216
-rw-r--r-- 1 root zeek    420 Nov 14 08:58 capture_loss.log
-rw-r--r-- 1 root zeek  64529 Nov 14 08:58 conn.log
-rw-r--r-- 1 root zeek    175 Nov 14 08:31 dhcp.log
-rw-r--r-- 1 root zeek    800 Nov 14 08:58 notice.log
-rw-r--r-- 1 root zeek    270 Nov 14 08:34 ssl.log
-rw-r--r-- 1 root zeek   5828 Nov 14 08:57 stats.log
-rw-r--r-- 1 root zeek     21 Nov 11 19:27 stderr.log
-rw-r--r-- 1 root zeek    204 Nov 11 19:27 stdout.log
-rw-r--r-- 1 root zeek 109132 Nov 14 08:58 telemetry.log
-rw-r--r-- 1 root zeek    653 Nov 14 08:34 weird.log

I've looked in /var/log/syslog and the /var/log/filebeat/filebear-.ndjson log

And i can't see anything screaming at me, any suggestions on what i need to look for?

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

I mean the ones Filebeat creates, not reads. Usually /var/log/filebeat/filebeatlog.

Hi,
Here is the context of three of the files in that folder


root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-7.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:57:45.710Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:57:45.711Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}

root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-8.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:58:24.853Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:58:24.853Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}

root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-9.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:58:31.250Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:58:31.250Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}

Nothing is screaming at me to where the issue is, any suggestions please?

Is there a way to confirm the module is enabled, it might be in module.d but is there a way to confirm that in filebeat? (Just a thought)

filebeat modules list

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.