The plugin uses the jnetpcap library and therefore requires a number of pre-requisites on the host to be completed. It is possible to run the library on different operating systems; I have tested on Ubuntu 18.04. For instructions on how to run it on other operating systems, there are notes in the Release Notes of the library.

After deploying a new Ubuntu Server with the default Logstash installation, complete the following steps:

cp jnetpcap-1.4.r1425/libjnetpcap.so /lib/

Note: On CentOS, the package is only available via the RHEL optional channel.

Note: If you are running Logstash as a service, the default permissions for the logstash user are not sufficient; run the service as root (if anyone knows the exact permissions to harden, please DM me). This can be done by editing /etc/systemd/system/rvice if you are using systemctl.

You can download the source code and build the code yourself. Alternatively you can download the gem directly from here.

bin/logstash-plugin install --no-verify /logstash-output-spoof-0.1.0.gem

Testing the plugin

Copy the following pipeline into the file.

input

Note: Remember to replace the values marked to be replaced.

On the DESTINATION device, you can run tcpdump to collect and observe the traffic.

On the server hosting Logstash, start the pipeline from the /usr/share/logstash path.

Note: Be patient, Logstash is very slow to start up.

On the target system you are capturing traffic from you should see the source of the packet is coming from 3.3.3.3! Congratulations on spoofing your first message.

Comments

I'm using this plugin to resend syslogs to a SIEM, works perfectly, thank you.

I'm also trying to loopback events to a different port on the same host, but that's not working. I receive the events in Logstash, then I want to loop them back to a port on the same machine to a Filebeat module that already has the parsing written for the type of event (Cisco and Palo Alto). I've tried using the spoof plugin, but the Filebeat modules never see the incoming event. I've tried defining the destination as localhost, machine name, 127.0.0.1 and the IP address of the machine, and the interface as both lo and the name of the NIC, but no matter what combination I try, the Filebeat module never sees the incoming packet. If I run tcpdump on the interfaces, I can see the packet arriving. I've even tried using netcat instead of the Filebeat modules to see if it is a Filebeat issue, but netcat doesn't see the incoming packet either (but it still shows up in tcpdump).

Jun 10 02:26:14 ah-noc-logstash01 logstash: at .Checksum.crc32IEEE802(Native Method)
Jun 10 02:26:14 ah-noc-logstash01 logstash: at .Ethernet.calculateChecksum(Unknown Source)
Jun 10 02:26:14 ah-noc-logstash01 logstash: at (RawUdpPacketSender.java:156)
Jun 10 02:26:14 ah-noc-logstash01 logstash: at (RawUdpPacketSender.java:52)
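The loopback delivery question raised in the comments (packets visible in tcpdump but not to netcat or Filebeat) can be narrowed down with an ordinary UDP send-and-receive check on the same host. This is an added example, not code from the post or the plugin; the syslog line and the host name in it are constructed.

```python
# Added example (not from the post or the plugin): loopback UDP syslog check.
# Binds a UDP listener on 127.0.0.1, sends one syslog line to it through an
# ordinary socket, and returns what the listener received, mirroring the
# netcat test described in the comments. The sample line is constructed.
import socket

# Constructed RFC 3164 line: PRI 134 = facility 16 (local0) * 8 + severity 6 (info)
SAMPLE_SYSLOG = "<134>Jun 10 02:26:14 fw01 paloalto: TRAFFIC,end,allow"


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI> field of a syslog line."""
    end = line.find(">")
    if not line.startswith("<") or end < 2:
        raise ValueError("syslog line has no PRI field")
    pri = int(line[1:end])
    return pri // 8, pri % 8


def loopback_check(message, port=0, timeout=2.0):
    """Send message to a UDP listener bound on 127.0.0.1 and return
    (payload, source_ip) as received, or None if nothing arrives in time.
    port=0 lets the kernel pick a free port, so the check needs no privileges."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        sender.sendto(message.encode("utf-8"), ("127.0.0.1", bound_port))
        data, (src_ip, _src_port) = listener.recvfrom(65535)
        return data.decode("utf-8"), src_ip
    except socket.timeout:
        return None
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    result = loopback_check(SAMPLE_SYSLOG)
    if result is None:
        print("listener saw nothing: check the host firewall or bind address")
    else:
        payload, src = result
        fac, sev = decode_pri(payload)
        print(f"received from {src}: facility={fac} severity={sev}")
```

If this check passes, a normal UDP listener on the host is working, which separates the listener side from the raw injection path whose packets tcpdump shows.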