Zeek monitoring using filebeats

Elastic Stack Beats
1

Hi,
I'm using filebeats to monitor or try to monitor zeek.
But I can't see any of the zeek files content in elastic, I've also enabled the system module and that burst straight into life.
So I know the module config is good.

Any suggestions on how I fault find this?
I can't find any logs directing me to where the issue may be.
Thanks all.

2

Are you using the module?
What do the Filebeat logs show?

3

Hi,
Yes i'm using the zeek module.
The files looks like this

# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-zeek.html

- module: zeek
  capture_loss:
    enabled: true
    var.path: ["/opt/zeek/logs/current/capture_loss.log"]
  connection:
    enabled: true
    var.path: ["/opt/zeek/logs/current/conn.log"]
  dce_rpc:
    enabled: false
  dhcp:
    enabled: false
  dnp3:
    enabled: false
  dns:
    enabled: true
    var.path: ["/opt/zeek/logs/current/dns.log"]
  dpd:
    enabled: false
  files:
    enabled: true
    var.path: ["/opt/zeek/logs/current/files.log"]
  ftp:
    enabled: false
  http:
    enabled: true
    var.path: ["/opt/zeek/logs/current/http.log"]
  intel:
    enabled: false
  irc:
    enabled: false
  kerberos:
    enabled: false
  modbus:
    enabled: false
  mysql:
    enabled: false
  notice:
    enabled: true
    var.path: ["/opt/zeek/logs/current/notice.log"]
  ntp:
    enabled: true
    var.path: ["/opt/zeek/logs/current/ntp.log"]
  ntlm:
    enabled: false
  ocsp:
    enabled: false
  pe:
    enabled: false
  radius:
    enabled: false
  rdp:
    enabled: false
  rfb:
    enabled: false
  signature:
    enabled: false
  sip:
    enabled: false
  smb_cmd:
    enabled: false
  smb_files:
    enabled: false
  smb_mapping:
    enabled: false
  smtp:
    enabled: false
  snmp:
    enabled: false
  socks:
    enabled: false
  ssh:
    enabled: false
  ssl:
    enabled: true
    var.path: ["/opt/zeek/logs/current/ssl.log"]
  stats:
    enabled: true
    var.path: ["/opt/zeek/logs/current/stats.log"]
  syslog:
    enabled: false
  traceroute:
    enabled: false
  tunnel:
    enabled: false
  weird:
    enabled: true
    var.path: ["/opt/zeek/logs/current/weird.log"]
  x509:
    enabled: false

and the files are here and being updated
root@server-hapx-01:/opt/zeek/logs/current# ls -l

total 216
-rw-r--r-- 1 root zeek    420 Nov 14 08:58 capture_loss.log
-rw-r--r-- 1 root zeek  64529 Nov 14 08:58 conn.log
-rw-r--r-- 1 root zeek    175 Nov 14 08:31 dhcp.log
-rw-r--r-- 1 root zeek    800 Nov 14 08:58 notice.log
-rw-r--r-- 1 root zeek    270 Nov 14 08:34 ssl.log
-rw-r--r-- 1 root zeek   5828 Nov 14 08:57 stats.log
-rw-r--r-- 1 root zeek     21 Nov 11 19:27 stderr.log
-rw-r--r-- 1 root zeek    204 Nov 11 19:27 stdout.log
-rw-r--r-- 1 root zeek 109132 Nov 14 08:58 telemetry.log
-rw-r--r-- 1 root zeek    653 Nov 14 08:34 weird.log

I've looked in /var/log/syslog and the /var/log/filebeat/filebear-.ndjson log

And i can't see anything screaming at me, any suggestions on what i need to look for?

4

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

I mean the ones Filebeat creates, not reads. Usually /var/log/filebeat/filebeatlog.

5

Hi,
Here is the context of three of the files in that folder


root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-7.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:57:45.710Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:57:45.711Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}

root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-8.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:58:24.853Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:58:24.853Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}

root@server-hapx-01:/var/log/filebeat# cat filebeat-20221111-9.ndjson
{"log.level":"info","@timestamp":"2022-11-11T19:58:31.250Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-11-11T19:58:31.250Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: a483274e-24a2-4920-bce7-ee093d4921fc","service.name":"filebeat","ecs.version":"1.6.0"}

Nothing is screaming at me to where the issue is, any suggestions please?

6

Is there a way to confirm the module is enabled, it might be in module.d but is there a way to confirm that in filebeat? (Just a thought)

7

filebeat modules list

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.