Filebeat Iptables/Ubiquiti Integration with Kibana

[cchuey]

Hi everyone. I am (unsuccessfully) attempting to use the filebeat iptables module in Kibana. I configured my firewall to forward iptables syslog logs (tcp 514) to SecurityOnion 2.3. I also configured rsyslog to save remote iptables logs in a file in /var/log/. I would like to monitor firewall events using the awesome Filebeat Iptables dashboard/template in Kibana (see below)

Are there steps on how to configure SecurityOnion 2.3.30 (in Standalone mode on CentOS) to use Filebeat iptables module for Kibana (or any of the modules)? SecurityOnion 2.3 ELK stack is very specialized with the salt pillars and the standard information on the internet does not align with SecurityOnion.

Any suggestions or guidance would be greatly appreciated,

Cchuey

[cchuey]

Create a custom dashboard for iptables logs in index :so-

[mtnsec]

Hi cchuey! Can you elaborate a little bit more on your answer? I have my unifi logs being sent to SO over syslog, but I don't have an ingest pipeline that can extract the fields. I was hoping enabling Features, and the filebeat iptables module would import the pre-built ingest but that's failing. Where did you get your ingest parser? Did you have to create it yourself?

[MrLasVegasSTL]

I was able to get the dashboards imported to SO correctly, but I am having trouble getting SO to ingest the logs and create a index. I think this configuration is %95 of the way there, maybe someone can help me polish this off..

Here is what I tried..

I translated the same documentation SO provided from their netflow video (https://www.youtube.com/watch?v=ew5gtVjAs7g) to the iptables module of filebeat.

Here is that generic configuration..

Update docker and the filebeat module

vi /opt/so/saltstack/local/pillar/minions/onion_standalone.sls

filebeat:
  third_party_filebeat:
    modules:
      iptables:
        log:
          enabled: true
          var.syslog_host: 0.0.0.0
          var.syslog_port: 9001

cp /opt/so/saltstack/default/salt/filebeat/init.sls /opt/so/saltstack/local/salt/filebeat/

chown socore:socore /opt/so/saltstack/local/salt/filebeat/init.sls

vi /opt/so/saltstack/local/salt/filebeat/init.sls

- port_bindings:
    - 0.0.0.0:9001:9001/udp

salt-call state.apply filebeat

Update Firewall

so-firewall addhostgroup iptables
so-firewall addportgroup iptables
so-firewall includehost iptables 10.0.0.0/8
so-firewall addport iptables udp 9001

vi /opt/so/saltstack/local/pillar/minions/onion_standalone.sls

firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          iptables:
            portgroups:
              - portgroups.iptables
      INPUT:
        hostgroups:
          iptables:
            portgroups:
              - portgroups.iptables

salt-call state.apply firewall

Generate logstash pipelines to ingest iptables.

This is where I am stuck at, it Errors "Exiting: module iptables is configured but has no enabled filesets"

docker exec -i so-filebeat filebeat setup modules -pipelines -modules iptables -c /usr/share/filebeat/module-setup.yml

so-filebeat-restart

To import the dashboards, I exported the iptables objects from a elasticsearch/kibana setup, and in the json file changes filebeat-* to so-*.

Attached below, save it as .ndjson and import it to SO Kibana saved objects.
iptables.txt

[MrLasVegasSTL]

#8481

This article helped get this working, the trick was to create this file and use it instead. https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/salt/filebeat/thirdpartydefaults.yaml

/opt/so/saltstack/local/salt/filebeat/thirdpartydefaults.yaml