For some reason, my old setup on Windows DCs of winpcap → PacketBeat → Graylog stopped working. Probably because of something on the Windows server side. npcap → packetbeat → graylog kinda worked but not for both servers, and almost no requests were being captured, mostly just responses.
So I decided to try FileBeat. I am already logging windows DNS to a file due to an MSSP integration.
So I have FileBeat 7.5.1 looking at the dns text files on each DC.
filebeat.inputs:
  - type: log
    paths:
      - C:\Windows\System32\dns\dns.log
output.logstash:
  hosts: ["ip:port"]
SOME kinda data is clearly making it to Graylog from both Windows DCs. I chose the (non-deprecated) Beats input.
But no data is being indexed. Under “show received messages” there is nothing found.
I tried a tcp raw input to see if perhaps the data was just coming in an unexpected format that couldn’t be parsed, and the resulting “message” field looks like this:
���ghOv��Z)6ݫ�[���\L���-Bv�!�9���s��vq�Pj{�I ��[�j�B�=�VZ,j�)���pjz��Tc�AB>C@�m� ��q���&�JyΧ�6x!_�o#���n� ���E�+h���s���{�8M!��Ժr���(v�� 7��!�z���!/�C��e�u=�{��~��ǡB�o�+��ʩ�uVT�>.�U�@��"T���#��N�����QN4��’�4�o�m�y�+\ ��[�r
So my questions:
Is this what beats data should look like if viewed “raw”?
Should Graylog be able to parse this?
Is there something special that needs to be done on the FileBeats side to make it Beats/Graylog palatable?
Is this more of a FileBeats question?
Well… actually. I don’t think that’s it. Sidecar shouldn’t matter. Filebeat IS ingesting something, but is sending a pretty harsh solid binary tcp stream.
I’m not running tls on this, but this is what tcpdump shows coming FROM filebeat.
Is this the expected output of packetbeat ingesting a text logfile of dns? Clearly it’s making it all the way to graylog but graylog isn’t indexing it.
The DNS log is a text file.
Also… I was running packetbeat before this without problem, so I’m not totally up in the night here. I also confirmed I was using the OSS/Apache licensed variant.
Any chance that graylog’s 3.1.3 Beats parser just ain’t digesting Filebeats OSS 7.5.1’s data correctly? Or Filebeats isn’t handling the DNS log well?
It turns out that beats is a binary protocol.
On the Left is a good packetbeat stream that Graylog indexes fine. On the right is the filebeat stream that Graylog doesn’t handle.
It kinda looks like you are having packetbeat read the log file when you want filebeat to read it??!?
So… under sidecars->Log Collectors, you would create a Filebeat Log Collector that references the filebeat.exe location (among other things), then you would create a Collector Configuration that is based off your Filebeat Log collector, then you would apply that configuration to the DNS server. Here are screen shots of mine - note how my collector configuration is based on the “winfilebeat one windows” Log Collector.
No. I set the server up to use npcap and packetbeat in one case, and the packetbeat pcap was captured on the graylog server (and indexed by graylog).
Then I removed everything and set up filebeat to read the DNS log file; the filebeat pcap was captured on the graylog server (and nothing but index errors).
So what I THINK I’m seeing is that either:
1: filebeat is not handling the Windows DNS log format well. (edit)
or
2: graylog’s beats parser is not handling packetbeat’s tcp stream well.
or
3: both.
or
4: something else entirely.
The existence of a pcap in both cases with the same first 4 bytes, I believe, suggests that at least the networking and config are good.
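As an added example (not code from anyone in this thread), the script below encodes and decodes Lumberjack v2 frames, the binary wire protocol every Beat speaks to a Beats/Logstash input, so a captured payload can be checked instead of eyeballed; the two DNS log events in it are constructed. A client stream always opens with a window frame, so the first bytes look alike whichever Beat sent them, and the event data that follows is a zlib-compressed container, which is why a raw TCP input shows it as gibberish:

```python
import json
import struct
import zlib

# Lumberjack v2 frames (the Beats -> Logstash/Graylog wire protocol), big-endian ints:
#   b"2W" + u32 window size          b"2C" + u32 length + zlib(inner frames)
#   b"2J" + u32 seq + u32 length + JSON payload          b"2A" + u32 seq (receiver's ack)

SAMPLE_EVENTS = [  # constructed; "message" holds a Windows DNS debug log line
    {"message": "1/8/2020 10:00:00 AM PACKET Rcv 10.0.0.5 Q [0001 D NOERROR] A (7)example(3)com(0)"},
    {"message": "1/8/2020 10:00:00 AM PACKET Snd 10.0.0.5 R Q [8081 DR NOERROR] A (7)example(3)com(0)"},
]

def build_beats_stream(events, window=10):
    """Encode events the way a Beat does: a window frame, then one compressed
    frame wrapping one JSON frame per event (hence the opaque bytes on the wire)."""
    inner = b""
    for seq, event in enumerate(events, start=1):
        payload = json.dumps(event).encode()
        inner += b"2J" + struct.pack(">II", seq, len(payload)) + payload
    compressed = zlib.compress(inner)
    return (b"2W" + struct.pack(">I", window)
            + b"2C" + struct.pack(">I", len(compressed)) + compressed)

def is_beats_handshake(data):
    """Quick check for a captured client payload: any Beat opens with a window frame."""
    return len(data) >= 6 and data[:2] == b"2W"

def parse_beats_stream(data):
    """Decode a client-to-server stream into (window, [(seq, event), ...]).
    A malformed frame raises ValueError, much as a Beats input rejects the stream."""
    events, window, pos = [], None, 0
    while pos < len(data):
        ftype = data[pos:pos + 2]
        if ftype == b"2W":                      # window size, no payload
            window, = struct.unpack(">I", data[pos + 2:pos + 6])
            pos += 6
        elif ftype == b"2C":                    # zlib container holding more frames
            length, = struct.unpack(">I", data[pos + 2:pos + 6])
            events += parse_beats_stream(zlib.decompress(data[pos + 6:pos + 6 + length]))[1]
            pos += 6 + length
        elif ftype == b"2J":                    # one JSON-encoded event
            seq, length = struct.unpack(">II", data[pos + 2:pos + 10])
            events.append((seq, json.loads(data[pos + 10:pos + 10 + length])))
            pos += 10 + length
        else:
            raise ValueError("not a Lumberjack v2 frame at offset %d" % pos)
    return window, events
```

Fed the client-side bytes reassembled from the tcpdump capture, a stream that passes the handshake check but fails to parse points at the sender's framing, while one that decodes into readable events points at the receiving input or its index mappings.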
I modified my working config to match yours closely. I removed document_type since I have read that it has been deprecated in elasticsearch. I can’t test this on my production DNS though. I have seen before where order and even seemingly formatting make a difference in how the configuration works.