This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SophosXG elasticsearch filebeat module not importing fields

www.elastic.co/.../filebeat-module-sophos.html

I am trying to use the sophos module that you seems to have contributed in elk stack. I followed the documentation at www.elastic.co/.../filebeat-module-sophos.html and was able to get the data into ES. issue is I cannot see the fields in the message. All data is inside a field called message.

In high level I am using Filebeat Sophos-xg module, logstash and ES. I did enable sophos module, uploaded the template with command "filebeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601" and I am getting the data, without data being split into fields. I am not an ELK expert, but only reason why I am using is to view my SophosXG. Where things can go wrong? Any troubleshooting steps please?

StefanS Seems to be the contributor to this module. Can you are anyone else help?

This thread was automatically locked due to age.

0 Samy Wee over 3 years ago

I found answer by posting in elastic search community. It is working without logstash, if required to use logstash, follow the solution given in this thread.

https://discuss.elastic.co/t/es-7-15-filebeats-sophos-xg-module-not-separating-data-into-variables/288577

Now I get the data into elastic stack with separated fields.

If anyone want a tutorial on what I did to get to this stage ; here is what I followed, hope it helps ;

Followed this to install ELK on Ubuntu ;

https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-18-04

After it is working ; modify configuration Filebeat to directly send output to Elasticstack ;

/etc/filebeat/filebeat.yml - enable following output and disable logstash output

output.elasticsearch:

hosts: ["localhost:9200"]

ENABLE SOPHOS MODULE : filebeat modules enable sophos

EDIT : /etc/filebeat/modules.d/sophos.yml file and configure for sophos - xg

In sophos-xg configure to send logs syslog to port 9005 / udp / "Central Reporting Format"

Restart filebeat ; no longer need logstash - so probably can stop logstash. Need ElasticSearch / Kibana / Filebeat services running;

That should be it.

(Note : I did not get any dashboards with the modules.)
Cancel
Vote Up 0 Vote Down

Cancel
0 Samy Wee over 3 years ago in reply to Samy Wee

StefanS I think you have written this filebeat-sophos module. I do not see fields are getting ingested as numeric for fields like bytes_sent, instead they are string fields. How to trouble-shoot. I am using ES 7.15.1 and Sophos 18.5.1. If you can give some guidance please.
Cancel
Vote Up 0 Vote Down

Cancel