diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 733f5f36604..bb43651ab8c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -351,6 +351,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve error handling in aws-s3 input for malformed s3 notifications. {issue}28828[28828] {pull}28946[28946] - Add support for parsers on journald input {pull}29070[29070] - Add support in httpjson input for oAuth2ProviderDefault of password grant_type. {pull}29087[29087] +- Update Cisco module to enable TCP input. {issue}26118[26118] {issue}28821[28821] {pull}26159[26159] *Heartbeat* diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index fae9d78fb5d..bfc00932295 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -625,16 +625,23 @@ filebeat.modules: asa: enabled: false - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between udp (default), tcp or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to udp or tcp syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9001. + # The port to listen for udp or tcp syslog traffic. Defaults to 9001. #var.syslog_port: 9001 + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + # Set the log level from 1 (alerts only) to 7 (include all messages). # Messages with a log level higher than the specified will be dropped. # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html @@ -651,16 +658,23 @@ filebeat.modules: ftd: enabled: false - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between udp (default), tcp or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to tcp or udp syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9003. + # The UDP port to listen for tcp or udp syslog traffic. Defaults to 9003. #var.syslog_port: 9003 + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + # Set the log level from 1 (alerts only) to 7 (include all messages). # Messages with a log level higher than the specified will be dropped. # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html @@ -680,13 +694,16 @@ filebeat.modules: # Set which input to use between syslog (default) or file. #var.input: syslog - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9002. + # The port to listen on for syslog traffic. Defaults to 9002. #var.syslog_port: 9002 + # Set which protocol to use between udp (default) or tcp. + #var.syslog_protocol: udp + # Set custom paths for the log files when using file input. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 3fd735c050d..1b2940129bf 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -2,16 +2,23 @@ asa: enabled: false - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between udp (default), tcp or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to udp or tcp syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9001. + # The port to listen for udp or tcp syslog traffic. Defaults to 9001. #var.syslog_port: 9001 + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + # Set the log level from 1 (alerts only) to 7 (include all messages). # Messages with a log level higher than the specified will be dropped. # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html @@ -28,16 +35,23 @@ ftd: enabled: false - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between udp (default), tcp or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to tcp or udp syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9003. + # The UDP port to listen for tcp or udp syslog traffic. Defaults to 9003. #var.syslog_port: 9003 + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + # Set the log level from 1 (alerts only) to 7 (include all messages). # Messages with a log level higher than the specified will be dropped. # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html @@ -57,13 +71,16 @@ # Set which input to use between syslog (default) or file. #var.input: syslog - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9002. + # The port to listen on for syslog traffic. Defaults to 9002. #var.syslog_port: 9002 + # Set which protocol to use between udp (default) or tcp. + #var.syslog_protocol: udp + # Set custom paths for the log files when using file input. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 4237b4d9ae2..cb9df5bd6ec 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -1,10 +1,4 @@ -{{ if eq .input "syslog" }} - -type: udp -udp: -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ else if eq .input "file" }} +{{ if eq .input "file" }} type: log paths: @@ -13,6 +7,12 @@ paths: {{ end }} exclude_files: [".gz$"] +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" +ssl: {{ .ssl | tojson }} + {{ end }} tags: {{.tags | tojson}} diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml index 3c185f7980c..184df5404ad 100644 --- a/x-pack/filebeat/module/cisco/asa/manifest.yml +++ b/x-pack/filebeat/module/cisco/asa/manifest.yml @@ -11,7 +11,8 @@ var: - name: syslog_port default: 9001 - name: input - default: syslog + default: udp + - name: ssl - name: log_level default: 7 # if ES < 6.1.0, this flag switches to false automatically when evaluating the diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index b29aa4c725f..cb9df5bd6ec 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -1,9 +1,4 @@ -{{ if eq .input "syslog" }} - -type: udp -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ else if eq .input "file" }} +{{ if eq .input "file" }} type: log paths: @@ -12,6 +7,12 @@ paths: {{ end }} exclude_files: [".gz$"] +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" +ssl: {{ .ssl | tojson }} + {{ end }} tags: {{.tags | tojson}} diff --git a/x-pack/filebeat/module/cisco/ftd/manifest.yml b/x-pack/filebeat/module/cisco/ftd/manifest.yml index 31eb9659a6b..d681ff4d323 100644 --- a/x-pack/filebeat/module/cisco/ftd/manifest.yml +++ b/x-pack/filebeat/module/cisco/ftd/manifest.yml @@ -11,7 +11,8 @@ var: - name: syslog_port default: 9003 - name: input - default: syslog + default: udp + - name: ssl - name: log_level default: 7 # if ES < 6.1.0, this flag switches to false automatically when evaluating the diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index d911aa3ed9e..979f9cf380b 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -1,10 +1,4 @@ -{{ if eq .input "syslog" }} - -type: syslog -protocol.udp: - host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ else if eq .input "file" }} +{{ if eq .input "file" }} type: log paths: @@ -13,6 +7,12 @@ paths: {{ end }} exclude_files: [".gz$"] +{{ else if eq .input "syslog" }} + +type: syslog +protocol.{{.syslog_protocol}}: + host: "{{.syslog_host}}:{{.syslog_port}}" + {{ end }} tags: {{.tags | tojson}} diff --git a/x-pack/filebeat/module/cisco/ios/manifest.yml b/x-pack/filebeat/module/cisco/ios/manifest.yml index e67f5c2f729..169e909fd89 100644 --- a/x-pack/filebeat/module/cisco/ios/manifest.yml +++ b/x-pack/filebeat/module/cisco/ios/manifest.yml @@ -10,6 +10,8 @@ var: default: localhost - name: syslog_port default: 9002 + - name: syslog_protocol + default: udp - name: input default: syslog diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 3ad2d76a875..2d267c68a69 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -5,16 +5,23 @@ asa: enabled: false - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between udp (default), tcp or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to udp or tcp syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9001. + # The port to listen for udp or tcp syslog traffic. Defaults to 9001. #var.syslog_port: 9001 + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + # Set the log level from 1 (alerts only) to 7 (include all messages). # Messages with a log level higher than the specified will be dropped. # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html @@ -31,16 +38,23 @@ ftd: enabled: false - # Set which input to use between syslog (default) or file. - #var.input: syslog + # Set which input to use between udp (default), tcp or file. + #var.input: udp - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to tcp or udp syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9003. + # The UDP port to listen for tcp or udp syslog traffic. Defaults to 9003. #var.syslog_port: 9003 + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + # Set the log level from 1 (alerts only) to 7 (include all messages). # Messages with a log level higher than the specified will be dropped. # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html @@ -60,13 +74,16 @@ # Set which input to use between syslog (default) or file. #var.input: syslog - # The interface to listen to UDP based syslog traffic. Defaults to + # The interface to listen to syslog traffic. Defaults to # localhost. Set to 0.0.0.0 to bind to all available interfaces. #var.syslog_host: localhost - # The UDP port to listen for syslog traffic. Defaults to 9002. + # The port to listen on for syslog traffic. Defaults to 9002. #var.syslog_port: 9002 + # Set which protocol to use between udp (default) or tcp. + #var.syslog_protocol: udp + # Set custom paths for the log files when using file input. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: