Filebeat Modules

[ketchup57]

Can we get better documentation on enable Filebeat Modules like Cisco modules.
I've got netflow to work and trying to just enable the cisco modules and hopefully allow it work with the generic syslog udp 514.

I can mimic the netflow and or other modules used in the example but the modules for cisco is configured but has no enabled filesets.

Reading searching these dicussions for modules all leads to something similar but have not found a working solution.

Please note that I'm just using this as a test bed next to another siem solution to compare differences. I don't fully understand how using salt to manage configs for the docker containers and verifying the troubleshooting steps unless they are spelled out in the discussions.

[ketchup57]

Sorry for being a noob, just trying to understand. Is it possible to have a module parse the syslog messages coming in?

Or does it have to come in on a separate port for it to work correctly?

[cm-ops]

What does you cisco filebeat pillar look like?

When setting up the module, I usually use the default ports in https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-cisco.html

[ketchup57]

What I'm wondering is it possible to configure modules to read from the standard port 514 and the log assocaited with it.
For example, in our current environment we have the solar-winds suite with everything logging over like 514 which on there depending on the facility code we use thats how we tie in the modules for Cisco ngfw/ftd/asa's.
Is it possible to have the modules read from the generic syslog file? Then what would that file be if possible?

[cm-ops]

Port 514 is already set for syslog, you can't also set a module to 514 the service will error as that port is already a port bind.

You can see that setting in the filebeat.yml or by checking the container docker ps | grep filebeat