Trying to integrate thirdparty filebeat module snort

[kunalhiremath]

I am trying to integrate thirdparty filebeat module snort in securityonion manager node and I have followed the steps mentioned here: https://docs.securityonion.net/en/2.3/filebeat.html#modules

but I am getting the following error:

ERROR:

local:
Data failed to compile:

Rendering SLS 'base:filebeat' failed: Jinja variable 'bool object' has no attribute 'get'                       

/var/cache/salt/minion/files/base/filebeat/modules.map.jinja(11):

[...]

{% set MODULESENABLED = [] %}
{% for module in MODULESMERGED.modules.keys() %}
{% set ENABLEDFILESETS = {} %}
{% for fileset in MODULESMERGED.modules[module] %}
{% if MODULESMERGED.modules[module][fileset].get('enabled', False) %} <======================
{% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
{% endif %}
{% endfor %}
{% if ENABLEDFILESETS|length > 0 %}
{% do MODULESENABLED.append(ENABLEDFILESETS) %}
[...]

Can anyone help me solve it?

[cm-ops]

What does your Filebeat config look like?

[kunalhiremath]

I have not done any changes to my filebeat.yml I was following the steps mentioned in securityonion document.
But this is how it looks:

{%- if grains.role == 'so-heavynode' %}
{%- set MANAGER = salt'grains.get' %}
{%- else %}
{%- set MANAGER = salt'grains.get' %}
{%- endif %}
{%- set ES_USER = salt'pillar.get' %}
{%- set ES_PASS = salt'pillar.get' %}

{%- set HOSTNAME = salt'grains.get' %}
{%- set ZEEKVER = salt'pillar.get' %}
{%- set WAZUHENABLED = salt'pillar.get' %}
{%- set STRELKAENABLED = salt'pillar.get' %}
{%- set RITAENABLED = salt['pillar.get']('rita:enabled', False) -%}
{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
{%- set FBMEMEVENTS = salt['pillar.get']('filebeat:mem_events', 2048) -%}
{%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%}
{%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%}
{%- set FBLSBULKMAXSIZE = salt['pillar.get']('filebeat:ls_bulk_max_size', 2048) -%}
{%- set FBLOGGINGLEVEL = salt'pillar.get' -%}

name: {{ HOSTNAME }}

#================================ Logging ======================================

There are four options for the log output: file, stderr, syslog, eventlog

The file output is the default.

Sets log level. The default log level is info.

Available log levels are: error, warning, info, debug

logging.level: {{ FBLOGGINGLEVEL }}

Enable debug output for selected components. To enable all selectors use ["*"]

Other available selectors are "beat", "publish", "service"

Multiple selectors can be chained.

#logging.selectors: [ ]

Send all logging output to syslog. The default is false.

#logging.to_syslog: false

Send all logging output to Windows Event Logs. The default is false.

#logging.to_eventlog: false

If enabled, filebeat periodically logs its internal metrics that have changed

in the last period. For each metric that changed, the delta from the value at

the beginning of the period is logged. Also, the total values for

all non-zero internal metrics are logged on shutdown. The default is true.

#logging.metrics.enabled: true

The period after which to log the internal metrics. The default is 30s.

#logging.metrics.period: 30s

Logging to rotating files. Set logging.to_files to false to disable logging to

files.

logging.to_files: true
logging.files:

Configure the path where the logs are written. The default is the logs directory

under the home path (the binary location).

path: /usr/share/filebeat/logs

The name of the files where the logs are written to.

name: filebeat.log

Configure log file size limit. If limit is reached, log file will be

automatically rotated

rotateeverybytes: 10485760 # = 10MB

Rotate on startup

rotateonstartup: false

Number of rotated log files to keep. Oldest files will be deleted first.

keepfiles: 7

The permissions mask to apply when rotating log files. The default value is 0600.

Must be a valid Unix-style file permissions mask expressed in octal notation.

#permissions: 0600

Set to true to log messages in json format.

#logging.json: false

#========================== Modules configuration ============================
filebeat.config.modules:
enabled: true
path: ${path.config}/modules.d/*.yml

filebeat.modules:
#=========================== Filebeat prospectors =============================

List of prospectors to fetch data.

filebeat.inputs:
#------------------------------ Log prospector --------------------------------

• type: udp
  enabled: true
  host: "0.0.0.0:514"
  fields:
  module: syslog
  dataset: syslog
  pipeline: "syslog"
  index: "so-syslog"
  processors:

  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true

• type: tcp
  enabled: true
  host: "0.0.0.0:514"
  fields:
  module: syslog
  dataset: syslog
  pipeline: "syslog"
  index: "so-syslog"
  processors:

  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true

{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}

• type: filestream
  id: logscan
  paths:
  • /logs/logscan/alerts.log
    fields:
    module: logscan
    dataset: alert
    processors:
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true
    clean_removed: true
    close_removed: false
    {%- endif %}

{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
{%- if ZEEKVER != 'SURICATA' %}
{%- for LOGNAME in salt'pillar.get' %}

• type: filestream
  id: zeek-{{ LOGNAME }}
  paths:

  • /nsm/zeek/logs/current/{{ LOGNAME }}.log
    fields:
    module: zeek
    dataset: {{ LOGNAME }}
    category: network
    processors:
    {%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
  • add_tags:
    tags: ["ics"]
    {%- endif %}
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]

  fields_under_root: true
  clean_removed: true
  close_removed: false

• type: filestream
  id: import-zeek={{ LOGNAME }}
  paths:

  • /nsm/import//zeek/logs/{{ LOGNAME }}.log
    fields:
    module: zeek
    dataset: {{ LOGNAME }}
    category: network
    imported: true
    processors:
    {%- if LOGNAME is match('^bacnet|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
  • add_tags:
    tags: ["ics"]
    {%- endif %}
  • add_tags:
    tags: ["import"]
  • dissect:
    tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
    field: "log.file.path"
    target_prefix: ""
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]

  fields_under_root: true
  clean_removed: false
  close_removed: false
  {%- endfor %}
  {%- endif %}

• type: filestream
  id: suricata-eve
  paths:

  • /nsm/suricata/eve*.json
    fields:
    module: suricata
    dataset: common
    category: network

  processors:

  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]

  fields_under_root: true
  clean_removed: false
  close_removed: false

• type: filestream
  id: import-suricata
  paths:

  • /nsm/import//suricata/eve.json
    fields:
    module: suricata
    dataset: common
    category: network
    imported: true
    processors:
  • add_tags:
    tags: ["import"]
  • dissect:
    tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
    field: "log.file.path"
    target_prefix: ""
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]

  fields_under_root: true
  clean_removed: false
  close_removed: false
  {%- if STRELKAENABLED == 1 %}

• type: filestream
  id: strelka
  paths:

  • /nsm/strelka/log/strelka.log
    fields:
    module: strelka
    category: file
    dataset: file

  processors:

  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]

  fields_under_root: true
  clean_removed: false
  close_removed: false

  {%- endif %}
  {%- endif %}

{%- if WAZUHENABLED == 1 %}

• type: filestream
  id: wazuh
  paths:
  • /wazuh/archives/archives.json
    fields:
    module: ossec
    category: host
    processors:
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]
    pipeline: "ossec"
    fields_under_root: true
    clean_removed: false
    close_removed: false

{%- endif %}

{%- if FLEETMANAGER or FLEETNODE %}

• type: filestream
  id: osquery
  paths:

  • /nsm/osquery/fleet/result.log
    fields:
    module: osquery
    dataset: query_result
    category: host

  processors:

  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]

  fields_under_root: true
  clean_removed: false
  close_removed: false

{%- endif %}

{%- if RITAENABLED %}

• type: filestream
  id: rita-beacon
  paths:

  • /nsm/rita/beacons.csv
    exclude_lines: ['^Score', '^Source', '^Domain', '^No results']
    fields:
    module: rita
    dataset: beacon
    category: network
    processors:
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true
    pipeline: "rita.beacon"
    index: "so-rita"

• type: filestream
  id: rita-connection
  paths:

  • /nsm/rita/long-connections.csv
  • /nsm/rita/open-connections.csv
    exclude_lines: ['^Source', '^No results']
    fields:
    module: rita
    dataset: connection
    category: network
    processors:
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true
    pipeline: "rita.connection"
    index: "so-rita"

• type: filestream
  id: rita-dns
  paths:

  • /nsm/rita/exploded-dns.csv
    exclude_lines: ['^Domain', '^No results']
    fields:
    module: rita
    dataset: dns
    category: network
    processors:
  • drop_fields:
    fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true
    pipeline: "rita.dns"
    index: "so-rita"
    {%- endif %}

{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}

• type: filestream
  id: kratos
  paths:
  • /logs/kratos/kratos.log
    fields:
    module: kratos
    category: host
    processors:
  • decode_json_fields:
    fields: ["message"]
    target: ""
    add_error_key: true
  • rename:
    fields:
    - from: "audience"
    to: "event.dataset"
    ignore_missing: true
  • add_fields:
    when:
    not:
    has_fields: ['event.dataset']
    target: ''
    fields:
    event.dataset: access
    pipeline: "kratos"
    fields_under_root: true
    clean_removed: false
    close_removed: false
    {%- endif %}

{%- if grains.role == 'so-idh' %}

• type: filestream
  id: idh
  paths:
  • /nsm/idh/opencanary.log
    fields:
    module: opencanary
    dataset: idh
    category: host
    tags: beat-ext
    processors:
  • decode_json_fields:
    fields: ["message"]
    target: ""
    add_error_key: true
  • drop_fields:
    when:
    equals:
    logtype: 1001
    fields: ["src_host", "src_port", "dst_host", "dst_port" ]
    ignore_missing: true
  • rename:
    fields:
    - from: "src_host"
    to: "source.ip"
    - from: "src_port"
    to: "source.port"
    - from: "dst_host"
    to: "destination.host"
    - from: "dst_port"
    to: "destination.port"
    ignore_missing: true
  • convert:
    fields:
    - {from: "logtype", to: "event.code", type: "string"}
    ignore_missing: true
  • drop_fields:
    fields: '["prospector", "input", "offset", "beat"]'
    fields_under_root: true
    clean_removed: false
    close_removed: false
    {%- endif %}

{%- if INPUTS %}

USER PILLAR DEFINED INPUTS

{{ INPUTS | yaml(False) }}
{%- endif %}

{% if OUTPUT -%}

USER PILLAR DEFINED OUTPUT

{%- set types = OUTPUT.keys() | list %}
{%- set type = types[0] %}
output.{{ type }}:
{%- for i in OUTPUT[type].items() %}
{{ i[0] }}: {{ i[1]}}
{%- endfor %}
{%- else %}
#----------------------------- Elasticsearch/Logstash output ---------------------------------
{%- if grains['role'] in ["so-eval", "so-import"] %}
output.elasticsearch:
enabled: true
hosts: ["https://{{ MANAGER }}:9200"]
{%- if salt'pillar.get' is sameas true %}
username: "{{ ES_USER }}"
password: "{{ ES_PASS }}"
{%- endif %}
ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
pipelines:
- pipeline: "%{[module]}.%{[dataset]}"
indices:
- index: "so-import"
when.contains:
tags: "import"
- index: "so-zeek"
when.contains:
module: "zeek"
- index: "so-ids"
when.contains:
module: "suricata"
- index: "so-ossec"
when.contains:
module: "ossec"
- index: "so-osquery"
when.contains:
module: "osquery"
- index: "so-strelka"
when.contains:
module: "strelka"
- index: "so-logscan"
when.contains:
module: "logscan"
- index: "so-elasticsearch-%{+YYYY.MM.dd}"
when.contains:
event.module: "elasticsearch"
- index: "so-kibana-%{+YYYY.MM.dd}"
when.contains:
event.module: "kibana"

setup.template.enabled: false
{%- else %}

output.logstash:

Boolean flag to enable or disable the output module.

enabled: true

The Logstash hosts

hosts:
{# dont let filebeat send to a node designated as dmz #}
{% import_yaml 'logstash/dmz_nodes.yaml' as dmz_nodes -%}
{% if dmz_nodes.logstash.dmz_nodes -%}
{% set dmz_nodes = dmz_nodes.logstash.dmz_nodes -%}
{% else -%}
{% set dmz_nodes = [] -%}
{% endif -%}
{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %}
{%- set LOGSTASH = namespace() %}
{%- set LOGSTASH.count = 0 %}
{%- set LOGSTASH.loadbalance = false %}
{%- set node_data = salt'pillar.get' %}
{%- for node_type, node_details in node_data.items() | sort -%}
{%- if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
{%- for hostname in node_data[node_type].keys() %}
{%- if hostname not in dmz_nodes %}
{%- set LOGSTASH.count = LOGSTASH.count + 1 %}
- "{{ hostname }}:5644" #{{ node_details[hostname].ip }}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- if LOGSTASH.count > 1 %}
{%- set LOGSTASH.loadbalance = true %}
{%- endif %}
{%- endfor %}

loadbalance: {{ LOGSTASH.loadbalance | lower }}
{%- else %}
- "{{ grains.host }}:5644"
{%- endif %}

Number of workers per Logstash host.

worker: {{ FBLSWORKERS }}

Number of records to send to Logstash input at a time

bulk_max_size: {{ FBLSBULKMAXSIZE }}

Set gzip compression level.

#compression_level: 3

Enable SSL support. SSL is automatically enabled, if any SSL setting is set.

#ssl.enabled: true

Configure SSL verification mode. If none is configured, all server hosts

and certificates will be accepted. In this mode, SSL based connections are

susceptible to man-in-the-middle attacks. Use only for testing. Default is

full.

ssl.verification_mode: full

List of supported/valid TLS versions. By default all TLS versions 1.0 up to

1.2 are enabled.

ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

Optional SSL configuration options. SSL is off by default.

List of root certificates for HTTPS server verifications

ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]

Certificate for SSL client authentication

ssl.certificate: "/usr/share/filebeat/filebeat.crt"

Client Certificate Key

ssl.key: "/usr/share/filebeat/filebeat.key"

setup.template.enabled: false

[cm-ops]

Looking more for you pillar entry in your global.sls or minion.sls file. Would be similar to what is in the RTDs (example below):

filebeat:
  third_party_filebeat:
    modules:
      fortinet:
        firewall:
          enabled: true
          var.input: udp
          var.syslog_host: 0.0.0.0
          var.syslog_port: 9004

[kunalhiremath]

This is the code that I appended in global.sls file

filebeat:
third_party_filebeat:
modules:
snort:
enabled: true
var.input: /var/log/snort/alert_fast.txt
var.syslog_host: 0.0.0.0
var.syslog_port: 9004

[cm-ops]

How are you planning to read? From a file?

[cm-ops]

Try this config:

filebeat:
  third_party_filebeat:
    modules:
      snort:
        log:
          enabled: true
          var.input: '/var/log/snort/alert_fast.txt'
          var.syslog_host: 0.0.0.0
          var.syslog_port: 9004

Looking at the module in the container, you can see the log directory.

[kunalhiremath]

Sure I will try it.

[kunalhiremath]

When I am adding the below config I am getting an error

filebeat:
third_party_filebeat:
modules:
snort:
log:
enabled: true
var.input: '/var/log/snort/alert_fast.txt'
var.syslog_host: 0.0.0.0
var.syslog_port: 9004

ERROR:
so-filebeat ---------------------------------------------------------------------------------- [ ERROR ]

I am appending the above config to my global.sls file

[cm-ops]

Is there an error in the minion log? /opt/so/log/salt/minion

If you run salt-call state.apply filebeat -l info do you see an error in the output?

[kunalhiremath]

No there is no error in minion and when I execute salt-call state.apply filebeat -l info I get following info( I have pasted just a part of info)

[INFO ] Loading fresh modules for state activity
[INFO ] Running state [/etc/pki/issued_certs] at time 08:55:14.505868
[INFO ] Executing state file.directory for [/etc/pki/issued_certs]
[INFO ] The directory /etc/pki/issued_certs is in the correct state
[INFO ] Completed state [/etc/pki/issued_certs] at time 08:55:14.508022 (duration_in_ms=2.155)
[INFO ] Running state [/etc/ssl/certs/intca.crt] at time 08:55:14.515849
[INFO ] Executing state x509.pem_managed for [/etc/ssl/certs/intca.crt]
[INFO ] File /etc/ssl/certs/intca.crt is in the correct state
[INFO ] Completed state [/etc/ssl/certs/intca.crt] at time 08:55:14.533706 (duration_in_ms=17.858)
[INFO ] Running state [m2cryptopkgs] at time 08:55:16.633524
[INFO ] Executing state pkg.installed for [m2cryptopkgs]
[INFO ] Executing command dpkg-query in directory '/root'
[INFO ] All specified packages are already installed
[INFO ] Completed state [m2cryptopkgs] at time 08:55:16.859980 (duration_in_ms=226.455)
[INFO ] Running state [/etc/pki/filebeat.crt] at time 08:55:16.860632
[INFO ] Executing state file.absent for [/etc/pki/filebeat.crt]
[INFO ] Executing command git in directory '/root'
[INFO ] Executing command 'test' in directory '/root'
[INFO ] ['onlyif condition is false']
[INFO ] Completed state [/etc/pki/filebeat.crt] at time 08:55:17.682292 (duration_in_ms=821.65)
[INFO ] Running state [/etc/pki/filebeat.p8] at time 08:55:17.683268
[INFO ] Executing state file.absent for [/etc/pki/filebeat.p8]
[INFO ] Executing command 'test' in directory '/root'
[INFO ] ['onlyif condition is false']
[INFO ] Completed state [/etc/pki/filebeat.p8] at time 08:55:17.712157 (duration_in_ms=28.889)
[INFO ] Running state [/etc/pki/elasticsearch.p12] at time 08:55:17.712954
[INFO ] Executing state file.absent for [/etc/pki/elasticsearch.p12]
[INFO ] Executing command 'test' in directory '/root'
[INFO ] ['onlyif condition is false']
[INFO ] Completed state [/etc/pki/elasticsearch.p12] at time 08:55:17.742148 (duration_in_ms=29.193)
[INFO ] Running state [/etc/pki/influxdb.crt] at time 08:55:17.744553
[INFO ] Executing command 'enddate=$(date' in directory '/root'
[INFO ] Running state [/etc/pki/influxdb.crt] at time 08:55:17.786632
[INFO ] Executing state x509.certificate_managed for [/etc/pki/influxdb.crt]
[INFO ] Executing command 'enddate=$(date' in directory '/root'
[INFO ] ['unless condition is true']
[INFO ] Completed state [/etc/pki/influxdb.crt] at time 08:55:17.829809 (duration_in_ms=43.177)
[INFO ] Running state [/etc/pki/influxdb.key] at time 08:55:17.831683
[INFO ] Executing state file.managed for [/etc/pki/influxdb.key]
[INFO ] File /etc/pki/influxdb.key exists with proper permissions. No changes made.
[INFO ] Completed state [/etc/pki/influxdb.key] at time 08:55:17.837481 (duration_in_ms=5.74)
[INFO ] Running state [/opt/so/conf/filebeat/etc/pki] at time 08:55:17.837919
[INFO ] Executing state file.directory for [/opt/so/conf/filebeat/etc/pki]
[INFO ] The directory /opt/so/conf/filebeat/etc/pki is in the correct state
[INFO ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 08:55:17.840538 (duration_in_ms=2.619)
[INFO ] Running state [/opt/so/conf/filebeat/etc/pki/filebeat.crt] at time 08:55:17.842229
[INFO ] Executing command 'enddate=$(date' in directory '/root'
[INFO ] Running state [/opt/so/conf/filebeat/etc/pki/filebeat.crt] at time 08:55:17.889191
[INFO ] Executing state x509.certificate_managed for [/opt/so/conf/filebeat/etc/pki/filebeat.crt]
[INFO ] Executing command 'enddate=$(date' in directory '/root'
[INFO ] ['unless condition is true']
[INFO ] Completed state [/opt/so/conf/filebeat/etc/pki/filebeat.crt] at time 08:55:17.933646 (duration_in_ms=44.454)
[INFO ] Running state [/opt/so/conf/filebeat/etc/pki/filebeat.key] at time 08:55:17.935824
[INFO ] Executing state file.managed for [/opt/so/conf/filebeat/etc/pki/filebeat.key]
[INFO ] File /opt/so/conf/filebeat/etc/pki/filebeat.key exists with proper permissions. No changes made.
[INFO ] Completed state [/opt/so/conf/filebeat/etc/pki/filebeat.key] at time 08:55:17.941195 (duration_in_ms=5.371)
[INFO ] Running state [/opt/so/conf/filebeat/etc/pki/filebeat.p8] at time 08:55:17.941488
[INFO ] Executing state file.managed for [/opt/so/conf/filebeat/etc/pki/filebeat.p8]
[INFO ] File /opt/so/conf/filebeat/etc/pki/filebeat.p8 exists with proper permissions. No changes made.
[INFO ] Completed state [/opt/so/conf/filebeat/etc/pki/filebeat.p8] at time 08:55:17.948636 (duration_in_ms=7.148)
[INFO ] Running state [/opt/so/conf/filebeat/etc] at time 08:55:17.948951
[INFO ] Executing state file.directory for [/opt/so/conf/filebeat/etc]
[INFO ] The directory /opt/so/conf/filebeat/etc is in the correct state
[INFO ] Completed state [/opt/so/conf/filebeat/etc] at time 08:55:17.950969 (duration_in_ms=2.018)
[INFO ] Running state [/opt/so/conf/filebeat/modules] at time 08:55:17.951271
[INFO ] Executing state file.directory for [/opt/so/conf/filebeat/modules]
[INFO ] The directory /opt/so/conf/filebeat/modules is in the correct state
[INFO ] Completed state [/opt/so/conf/filebeat/modules] at time 08:55:17.953586 (duration_in_ms=2.314)
[INFO ] Running state [/opt/so/log/filebeat] at time 08:55:17.953855
[INFO ] Executing state file.directory for [/opt/so/log/filebeat]
[INFO ] The directory /opt/so/log/filebeat is in the correct state
[INFO ] Completed state [/opt/so/log/filebeat] at time 08:55:17.955697 (duration_in_ms=1.842)
[INFO ] Running state [/opt/so/conf/filebeat/etc/pki] at time 08:55:17.956071
[INFO ] Executing state file.directory for [/opt/so/conf/filebeat/etc/pki]
[INFO ] The directory /opt/so/conf/filebeat/etc/pki is in the correct state
[INFO ] Completed state [/opt/so/conf/filebeat/etc/pki] at time 08:55:17.958820 (duration_in_ms=2.749)
[INFO ] Running state [/opt/so/conf/filebeat/registry] at time 08:55:17.959165
[INFO ] Executing state file.directory for [/opt/so/conf/filebeat/registry]
[INFO ] The directory /opt/so/conf/filebeat/registry is in the correct state
[INFO ] Completed state [/opt/so/conf/filebeat/registry] at time 08:55:17.961481 (duration_in_ms=2.316)
[INFO ] Running state [/opt/so/conf/filebeat/etc/filebeat.yml] at time 08:55:17.961807
[INFO ] Executing state file.managed for [/opt/so/conf/filebeat/etc/filebeat.yml]
[INFO ] File /opt/so/conf/filebeat/etc/filebeat.yml is in the correct state
[INFO ] Completed state [/opt/so/conf/filebeat/etc/filebeat.yml] at time 08:55:18.063169 (duration_in_ms=101.353)

No error here also

[cm-ops]

What is the architecture? Is this a standalone node? What are the resources on the server (RAM, CPU, etc.)?

[cm-ops]

You might want to make sure that path is mounted in the container. Having said that, you might be able to make Snort work on the sensor, but we do not support using Snort, only Suricata.

[kunalhiremath]

Will you please elaborate. Should I include the path in init.sls of filebeat?

[cm-ops]

Yes, if you want to add a volume bind.

[kunalhiremath]

I added a volume bind in init.sls file of filebeat, but it is showing the same error. Filebeat is not starting.
I added this path under Volume binds:
/var/log/snort/:var/log/snort

[kunalhiremath]

I have installed snort3 on sensor node, how to configure filebeat on sensor node to pick the snort logs and send it to logstash on manager node. Give me an idea or a flow.

[cm-ops]

Going back to my statement above, we support Suricata, not Snort. If Filebeat is not starting, I would look at the logs, both Filebeat and Docker to see why. Also, make sure the module config is correct with the correct YAML formatting.