Filebeat (client) to SecurityOnion

1,418 views

ecoplan

Apr 4, 2018, 6:14:19 AM
to security-onion
Hello SO community,
I recently moved from an independent ELK stack to the SO ELK stack and I'm having trouble forwarding logs with filebeat to so-logstash.

I received this error (/var/log/logstash/logstash.log)
------------------------------------------------
[2018-04-03T23:10:51,817][INFO ][org.logstash.beats.BeatsHandler] [local: 172.17.0.5:5044, remote: 10.10.10.11:34062] Handling exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1
------------------------------------------------

Here's my filebeat configuration file:

------------------------------------------------
filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
        # - /var/log/*.log

      input_type: log
      document_type: syslog

  registry_file: /var/lib/filebeat/registry

output:
  logstash:
    hosts: ["10.10.10.20:5044"]
    bulk_max_size: 1024

    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

shipper:

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
------------------------------------------------

Any help would be appreciated.

Wes Lambert

Apr 4, 2018, 11:51:51 AM
to securit...@googlegroups.com
What version of Filebeat are you using?

What version of SO are you using?

Thanks,
Wes



--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

ecoplan

Apr 5, 2018, 1:02:42 PM
to security-onion
Hi Wes,

filebeat version 1.3.1 (amd64)
securityonion-14.04.5.9

Thanks!

Doug Burks

Apr 7, 2018, 7:46:43 AM
to securit...@googlegroups.com
Hi ecoplan,

Filebeat version 1.3.1 sounds old; have you tried the current version?

Did you run "sudo so-allow" to allow filebeat to connect through the firewall?




--
Doug Burks

ecoplan

Apr 9, 2018, 4:29:51 PM
to security-onion
Hi Doug, thanks for your help!
So yes, the filebeat version was really old. I updated to 6.2.3.

Now I'm receiving this error:

user@SecOnion:~$ tail -f /var/log/logstash/logstash.log
[2018-04-09T14:18:18,348][ERROR][logstash.filters.rest ] error in rest filter {:request=>[:get, "http://domainstats:20000/domain/creation_date/z.toronto", {}], :json=>false, :code=>nil, :body=>nil, :client_error=>#<Manticore::StreamClosedException: Could not read from stream: Read timed out>}


On Saturday, 7 April 2018 07:46:43 UTC-4, Doug Burks wrote:
> Hi ecoplan,
>
> Filebeat version 1.3.1 sounds old; have you tried the current version?
> https://www.elastic.co/downloads/beats/filebeat
>
> Did you run "sudo so-allow" to allow filebeat to connect through the firewall?

Wes Lambert

Apr 9, 2018, 5:09:40 PM
to securit...@googlegroups.com
This error is related to DomainStats and should not affect your results.  Are you actively using DomainStats?  If not, try disabling it in /etc/nsm/securityonion.conf and stopping DomainStats with:

sudo docker stop so-domainstats

Thanks,
Wes 


ecoplan

Apr 14, 2018, 4:21:05 PM
to security-onion
Ok so I got tired of trying to get it working and redid a fresh install of SecurityOnion with the ELK stack:

1. Install SO
2. Setup (experimental)
3. soup

When I do "so-logstash-status" I always get this message:

* so-logstash -- Logstash has started, but is still initializing... [ WARN ]


A part of the logstash log is available as an attached file.

Thanks!

logstash.txt

Wes Lambert

Apr 15, 2018, 8:02:10 AM
to securit...@googlegroups.com
How long are you waiting for Logstash to initialize?  That message is probably from the query that tests to see if the pipeline(s) is/are up and running.

Thanks,
Wes


ecoplan

Apr 15, 2018, 12:18:26 PM
to security-onion
Hi Wes,
I tried it 15 minutes after boot and got the same message. I tried again (30 seconds later) and got a

* so-logstash [ OK ]

and then did the command again multiple times:

* so-logstash [ FAIL ]
* so-logstash [ FAIL ]
* so-logstash [ FAIL ]
...

The log shows:
[2018-04-15T16:12:16,158][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2018-04-15T16:12:16,361][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}
[2018-04-15T16:13:10,310][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {:pipeline_id=>"main", "exception"=>"undefined method `tr' for #<BigDecimal:4171d244,'0.8858E-2',4(8)>", <...>
[2018-04-15T16:13:10,717][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: org.jruby.exceptions.RaiseException: (SystemExit) exit
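
Added example, not Security Onion's or Logstash's own code: a small triage script that parses Logstash log lines of the shape quoted in this thread and maps the three error signatures seen here (the Beats invalid-frame error, the DomainStats REST timeout, the pipeline worker crash) to the diagnoses the replies arrived at. The sample lines are constructed from the excerpts above (the pipeline-crash line is closed off where the original was truncated), and the advice strings summarise this thread, not any official rule set.

```python
import re

# Constructed sample lines, modelled on the log excerpts quoted in this thread.
SAMPLE_LOG = """\
[2018-04-03T23:10:51,817][INFO ][org.logstash.beats.BeatsHandler] [local: 172.17.0.5:5044, remote: 10.10.10.11:34062] Handling exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1
[2018-04-09T14:18:18,348][ERROR][logstash.filters.rest ] error in rest filter {:request=>[:get, "http://domainstats:20000/domain/creation_date/z.toronto", {}], :json=>false, :code=>nil, :body=>nil, :client_error=>#<Manticore::StreamClosedException: Could not read from stream: Read timed out>}
[2018-04-15T16:12:16,361][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}
[2018-04-15T16:13:10,310][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {:pipeline_id=>"main", "exception"=>"undefined method `tr' for #<BigDecimal:4171d244,'0.8858E-2',4(8)>"}
"""

# Logstash log line layout: [timestamp][LEVEL ][logger ] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+?)\s*\]\s*(?P<msg>.*)$"
)
REMOTE_RE = re.compile(r"remote:\s*(?P<ip>[\d.]+):\d+")

# (signature, finding name, severity, what this thread concluded about it)
RULES = [
    (re.compile(r"InvalidFrameProtocolException"), "beats_protocol_mismatch", "high",
     "shipper speaks an old Beats protocol (Filebeat 1.x in this thread); upgrade the shipper"),
    (re.compile(r"logstash\.filters\.rest.*domainstats"), "domainstats_timeout", "low",
     "DomainStats lookup timed out; does not affect Beats ingest, disable DomainStats if unused"),
    (re.compile(r"Exception in pipelineworker"), "pipeline_worker_crash", "high",
     "a filter raised on an event and the pipeline stopped; so-logstash-status will report FAIL"),
]

def parse_line(line):
    """Return the four fields of a Logstash log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(text):
    """Map known error signatures in a Logstash log to findings; unmatched lines are skipped."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        haystack = rec["logger"] + " " + rec["msg"]
        for pat, name, severity, advice in RULES:
            if pat.search(haystack):
                f = {"ts": rec["ts"], "finding": name, "severity": severity, "advice": advice}
                r = REMOTE_RE.search(rec["msg"])
                if r:  # Beats handler errors name the client; record which shipper sent the bad frame
                    f["remote"] = r.group("ip")
                findings.append(f)
                break
    return findings
```

Run it against `/var/log/logstash/logstash.log` by passing the file contents to `triage()`; each finding carries the timestamp, and for the Beats frame error also the remote shipper address, so the host running the outdated Filebeat can be identified.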

Wes Lambert

Apr 15, 2018, 3:09:06 PM
to securit...@googlegroups.com
You'll want to see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-RC4#logstash-failures

Thanks,
Wes

ecoplan

Apr 15, 2018, 6:02:56 PM
to security-onion
Yes!! Thank you very much to both of you Wes and Doug, SO is a wonderful tool!

On Sunday, 15 April 2018 15:09:06 UTC-4, Wes wrote:
> You'll want to see:
> https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-RC4#logstash-failures
>
> Thanks,
> Wes