pfelk / ansible

Ansible playbook automation for pfelk
Apache License 2.0

no syslogs from pfSense; Couldn't find any Elasticsearch data #8

Closed vap0rtranz closed 4 years ago

vap0rtranz commented 4 years ago

Describe the bug: Sounds similar to issue 3ilson/pfelk#118

To Reproduce: Steps to reproduce the behavior:

  1. install Ubuntu 18
  2. install pfElk via ansible
  3. access Kibana frontend
  4. setup pfSense to forward logs per Git doc
  5. Kibana frontend complains "Couldn't find any Elasticsearch data"

Firewall System (please complete the following information):

Operating System (please complete the following information):

NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Installation method (manual, ansible-playbook, docker, script): ansible-playbook

Elasticsearch, Logstash, Kibana (please complete the following information):

Additional context: The logstash port is not up and listening:

netstat --listen | grep 5140

Attach the pfELK Error Log (error.pfelk), for Better Assistance: "error.pfelk" doesn't exist on the filesystem

sudo find / -type f -name error.pfelk
justin@pfelk1:/$

revere521 commented 4 years ago

This is the error - logstash looks like it's not starting because it's looking for the geoip template:

      # This setting must be a path
      # File does not exist or cannot be opened /etc/logstash/conf.d/template/pf-geoip-template.json
      template => "/etc/logstash/conf.d/template/pf-geoip-template.json"

On your box, navigate to /etc/logstash/conf.d/template/ and run: sudo wget https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pf-geoip-template.json

I can't remember if the ansible playbook configures everything, but you may need to download and set up GeoIP: https://github.com/3ilson/pfelk/blob/master/install/ubuntu.md#7-install-maxmind

Then do the remainder of the config: https://github.com/3ilson/pfelk/blob/master/install/ubuntu.md#configuration

vap0rtranz commented 4 years ago

Looks like a typo in the name of the directory.

Ansible had created:

root@pfelk1:/etc/logstash/conf.d/template# ls -lrt
total 8
-rw-r--r-- 1 root root 2035 Jun  4 23:34 pf-geoip-template.json

The manual doc says to create a "templates" directory so I manually created it:

mkdir /etc/logstash/conf.d/templates

And put the pf-geoip-template.json file in it.

Also, from the manual doc: "download and setup GeoIP"

Line #18 in /etc/GeoIP.conf was missing, though the other two lines were already done, so I added #18.

DatabaseDirectory /usr/share/GeoIP/
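
As an added example (not the playbook's code and not something the thread's author posted), a small Python check that catches both faults described above before Logstash is restarted: it scans a Logstash conf.d directory for `template => "..."` paths that do not exist on disk, and reads the DatabaseDirectory value from a GeoIP.conf. The `demo()` function rebuilds the thread's situation in a temporary directory (a `template/` directory created where the pipeline file references `templates/`, and a GeoIP.conf without DatabaseDirectory); the file names and GeoIP.conf contents are constructed for the example.

```python
import os
import re
import tempfile

# Matches an uncommented `template => "/path"` setting inside a Logstash pipeline file.
TEMPLATE_RE = re.compile(r'^\s*template\s*=>\s*"([^"]+)"', re.MULTILINE)
# Matches the DatabaseDirectory directive in geoipupdate's GeoIP.conf.
GEOIP_DBDIR_RE = re.compile(r'^\s*DatabaseDirectory\s+(\S+)', re.MULTILINE)


def missing_template_paths(conf_dir):
    """Return [(conf_file, path)] for every template path referenced in conf_dir/*.conf
    that does not exist on disk. An empty list means Logstash can open every template."""
    missing = []
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(conf_dir, name), encoding="utf-8") as fh:
            for path in TEMPLATE_RE.findall(fh.read()):
                if not os.path.isfile(path):
                    missing.append((name, path))
    return missing


def geoip_database_directory(geoip_conf_path):
    """Return the DatabaseDirectory value from GeoIP.conf, or None when the line is missing."""
    with open(geoip_conf_path, encoding="utf-8") as fh:
        match = GEOIP_DBDIR_RE.search(fh.read())
    return match.group(1) if match else None


def demo():
    """Reproduce the two faults in a throwaway directory, run the checks, apply the two
    fixes from the thread, and run the checks again. Every file here is constructed."""
    root = tempfile.mkdtemp(prefix="pfelk-check-")
    conf_d = os.path.join(root, "conf.d")
    wanted_dir = os.path.join(conf_d, "templates")   # name the pipeline file references
    ansible_dir = os.path.join(conf_d, "template")   # name the playbook actually created
    os.makedirs(ansible_dir)
    template_file = "pf-geoip-template.json"
    with open(os.path.join(ansible_dir, template_file), "w", encoding="utf-8") as fh:
        fh.write("{}\n")
    # Constructed output stanza pointing at the templates/ path (hypothetical file name).
    with open(os.path.join(conf_d, "50-outputs.conf"), "w", encoding="utf-8") as fh:
        fh.write('output {\n  elasticsearch {\n'
                 '    template => "%s/%s"\n  }\n}\n' % (wanted_dir, template_file))
    # Constructed GeoIP.conf with placeholder credentials and no DatabaseDirectory line.
    geoip_conf = os.path.join(root, "GeoIP.conf")
    with open(geoip_conf, "w", encoding="utf-8") as fh:
        fh.write("AccountID 000000\nLicenseKey REPLACE_ME\nEditionIDs GeoLite2-City\n")

    before = {
        "missing_templates": missing_template_paths(conf_d),
        "geoip_dir": geoip_database_directory(geoip_conf),
    }

    # Fix 1: make the directory name match the path the pipeline file references.
    os.rename(ansible_dir, wanted_dir)
    # Fix 2: add the DatabaseDirectory line.
    with open(geoip_conf, "a", encoding="utf-8") as fh:
        fh.write("DatabaseDirectory /usr/share/GeoIP/\n")

    after = {
        "missing_templates": missing_template_paths(conf_d),
        "geoip_dir": geoip_database_directory(geoip_conf),
    }
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Against a live box, point `missing_template_paths` at /etc/logstash/conf.d and `geoip_database_directory` at /etc/GeoIP.conf; any path in the returned list is exactly what Logstash will report as "File does not exist or cannot be opened".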

vap0rtranz commented 4 years ago

The connection to port 5140 from pfSense still fails.

I gathered the pfELK logs by running error-data.sh. Logstash had the same error.

So I manually re-downloaded the conf.d files for logstash and found Ansible had downloaded files with differences. For example:

diff 01-inputs.conf 01-inputs.conf.1 
7d6
< 
12c11
<   if [host] =~ /192\.168\.0\.1/ {
---
>   if [host] == "192.168.0.1" {
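Review bot: the `=~ /192\.168\.0\.1/` test in the Ansible copy (12c11) is an unanchored regex, so it also matches hosts such as 192.168.0.10 or 192.168.0.100; the `== "192.168.0.1"` comparison in the re-downloaded copy is the exact test and the one to keep (or anchor the regex as /^192\.168\.0\.1$/ if a regex is wanted).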
15c14
<       add_field => [ "[observer][type]", "router" ]
---
>       add_field => [ "[observer][type]", "firewall" ]
21c20
< #if [host] =~ /172\.2\.22\.1/ {
---
> #if [host] == "10.0.0.1" {
31c30
<       #match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{SYSLOGHOST:[observer][name]} %{DATA:labels}(?:\[%{POSINT:pf_pid}\])?: %{GREEDYDATA:pf_message}" }
---
>       #OPN# match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{SYSLOGHOST:[observer][name]} %{DATA:labels}(?:\[%{POSINT:pf_pid}\])?: %{GREEDYDATA:pf_message}" }
34c33
<        match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{DATA:labels}(?:\[%{POSINT:[event][id]}\])?: %{GREEDYDATA:pf_message}" }
---
>       #pf# match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{DATA:labels}(?:\[%{POSINT:[event][id]}\])?: %{GREEDYDATA:pf_message}" }
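Review bot: in the 31c30 and 34c33 hunks the re-downloaded copy has both grok lines commented out (`#OPN# match => ...` and `#pf# match => ...`), which leaves the grok filter with no active pattern; after dropping that file in, exactly one of the two lines has to be uncommented for the firewall platform that is sending the logs.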

It looks like logstash has started now, but it is hard to tell. The latest pfELK error log ends the logstash section with:

[2020-06-05T22:11:47,605][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2020-06-05T22:11:48,060][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-06-05T22:11:52,824][INFO ][logstash.runner          ] Logstash shut down.

vap0rtranz commented 4 years ago

I've fixed this issue after one more change.

The final change was in 01-inputs.conf. My conf now has these lines:

if "pf" in [tags] {
    grok {
      # OPNsense - Enable/Disable the line below based on firewall platform
      #OPN# match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{SYSLOGHOST:[observer][name]} %{DATA:labels}(?:\[%{POSINT:pf_pid}\])?: %{GREEDYDATA:pf_message}" }
      ########################################################################################################################################
      # pfSense - Enable/Disable the line below based on firewall platform
      match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{DATA:labels}(?:\[%{POSINT:[event][id]}\])?: %{GREEDYDATA:pf_message}" }
    }

To verify, the listening port for syslog is now open:

sudo netstat --listen | grep 5140
udp        0      0 0.0.0.0:5140            0.0.0.0:*                     

Hopefully this helps others.
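
As an added example (not pfELK's code and not part of the thread), the two grok lines from 01-inputs.conf translated into Python regular expressions, run over one constructed pfSense line and one constructed OPNsense line. It shows why the choice matters: the OPNsense line carries a SYSLOGHOST field between the timestamp and the program name, the pfSense line does not, so the OPNsense pattern never matches pfSense output, while the pfSense pattern does match OPNsense output but swallows the hostname into `labels`. The grok primitives (SYSLOGTIMESTAMP, SYSLOGHOST, POSINT, DATA, GREEDYDATA) are simplified stand-ins for this example, not Logstash's own pattern library, and the pid capture is named `pid` because Python cannot reuse a group name the way the posted pfSense line reuses [event][id]. `active_match_lines` is a hypothetical helper that counts uncommented `match =>` lines, the check to run on the edited file.

```python
import re

# Simplified stand-ins for the grok primitives used by the two lines (example assumptions).
SYSLOGTIMESTAMP = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
SYSLOGHOST = r"[0-9A-Za-z][0-9A-Za-z.-]*"
DATA = r".*?"
GREEDYDATA = r".*"
POSINT = r"\b[1-9][0-9]*\b"

# pfSense line: program name (labels) follows the timestamp directly.
PF_RE = re.compile(
    rf"<(?P<event_id>.*)>(?P<event_created>{SYSLOGTIMESTAMP}) "
    rf"(?P<labels>{DATA})(?:\[(?P<pid>{POSINT})\])?: (?P<pf_message>{GREEDYDATA})"
)
# OPNsense line: a hostname (observer.name) sits between the timestamp and the program name.
OPN_RE = re.compile(
    rf"<(?P<event_id>.*)>(?P<event_created>{SYSLOGTIMESTAMP}) "
    rf"(?P<observer_name>{SYSLOGHOST}) "
    rf"(?P<labels>{DATA})(?:\[(?P<pid>{POSINT})\])?: (?P<pf_message>{GREEDYDATA})"
)


def parse(line, pattern):
    """Return the captured fields as a dict, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def choose_pattern(sample_line):
    """Decide which line to leave uncommented in 01-inputs.conf: 'OPN' when the sample
    carries a hostname field, 'pf' when it does not, None when neither pattern fits."""
    if parse(sample_line, OPN_RE):
        return "OPN"
    if parse(sample_line, PF_RE):
        return "pf"
    return None


def active_match_lines(conf_text):
    """Count uncommented `match =>` lines in a 01-inputs.conf body; exactly one should be active."""
    return sum(1 for ln in conf_text.splitlines() if re.match(r"\s*match\s*=>", ln))


# Constructed sample events (not captured traffic); the pfSense one has no hostname field.
PF_LINE = ("<134>Jun  5 22:11:47 filterlog[62340]: "
           "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.168.0.10,51234,22")
OPN_LINE = ("<134>Jun  5 22:11:47 fw01 filterlog[62340]: "
            "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.168.0.10,51234,22")

# Constructed excerpt of a 01-inputs.conf with the pfSense line enabled and the OPNsense one off.
INPUTS_CONF = '''
if "pf" in [tags] {
    grok {
      #OPN# match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{SYSLOGHOST:[observer][name]} %{DATA:labels}(?:\\[%{POSINT:pf_pid}\\])?: %{GREEDYDATA:pf_message}" }
      match => { "message" => "<(?<[event][id]>.*)>%{SYSLOGTIMESTAMP:[event][created]} %{DATA:labels}(?:\\[%{POSINT:[event][id]}\\])?: %{GREEDYDATA:pf_message}" }
    }
}
'''

if __name__ == "__main__":
    for name, line in (("pfSense", PF_LINE), ("OPNsense", OPN_LINE)):
        print(name, "-> use", choose_pattern(line))
        print("  pf pattern :", parse(line, PF_RE))
        print("  OPN pattern:", parse(line, OPN_RE))
    print("active match lines:", active_match_lines(INPUTS_CONF))
```

Feed `choose_pattern` one real line from the firewall (tcpdump on UDP/5140 or a line from Logstash's debug output) to confirm which of the two lines to uncomment, then confirm `active_match_lines` on the edited file returns 1 before restarting Logstash.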

fktkrt commented 4 years ago

Right, sorry for the inconvenience, the wrongly named folder is resolved now, thank you for checking it! About the other thing: yes, the input file is set up for OPNSense by default. I'll update the README with a note to that. It might be good if this could be set with custom tags/templates when using the ansible-playbook.

EDIT: It looks like the README was up-to-date actually.

vap0rtranz commented 4 years ago

No worries. Happy to be pointed in the right direction. ty!

fktkrt commented 4 years ago

Closing this, since it's resolved. Feel free to reach out if you have any further issues in one of the repositories.