/
How to Enable Filebeat Stream to a Logstash Pipeline

How to Enable Filebeat Stream to a Logstash Pipeline

Mar 25, 2026

The Barracuda CloudGen Firewall allows you to stream event logs from Firewall Insights to a Logstash server, which provides information on firewall activity, threat logs, and information related to network, version, and location of managed firewall units. To receive Filebeat data streams through the Logstash pipeline, enable debugging and syslog streaming, and configure the firewall to send data to a Logstash server. Streaming logs from Firewall Insights through the Logstash pipeline requires a Firewall Insights license.

Enable Stream to Logstash Pipeline

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.

  2. In the Configuration menu on the left, select Firewall Insights

  3. Expand the Configuration Mode menu and select Switch to Advanced

  4. Click Lock.

  5. Enable the service and select Use Generic Logstash.

  6. Enter the IP address or host name that points to your Logstash pipeline.

  7. Click Send Changes and Activate.

Default Logstash Configuration File 

To receive and forward all events through your Logstash pipeline, use the following configuration. Make sure to use the PKSCS8 certificate key.

File beat Conifg: /log/logstash-cgf.conf <code> input { beats { port => 5044 ssl => true ssl_certificate => "/etc/ssl/cert.pem" ssl_key => "/etc/ssl/key.pkcs8" } } filter { json { source => "message" target => "message" } } output { stdout { codec => rubydebug } } </code>

Firewall Activity Messages

(for Firewall Insights, type = ngfw-act)

JSON Fields

Field Name

Description

Datatype

Optional

Null Value

Field Name

Description

Datatype

Optional

Null Value

timestamp

Time stamp in seconds since epoch

int

no

-

version

Message format version. Currently 1.

int

no

-

action

Firewall Action:

  • "App": application has been detected (see apps field)

  • "AppBlock": application has been blocked (see apps field)

  • "Inter": intermediate report, which is sent every 60s

  • "End": session has been terminated

string

no

-

duration

Duration of the session in milliseconds

int

no

-

src_iface

source interface name (e.g. "eth0")

string

yes

key is not in JSON

src_ip

source IP

string

no

-

src_ip_nat

source IP after NAT

string

yes

“0.0.0.0”

src_port

source port or session identifier for protocols without ports (e.g., ICMP)

int

yes

key is not in JSON

src_port_nat

source port after NAT (Added in firmware 10.5.0)

int

yes

key is not in json

src_mac

source mac address

string

yes

"00:00:00:00:00:00"

dst_iface

destination interface name

string

yes

key is not in JSON

dst_ip

destination IP

string

no

-

dst_ip_nat

destination IP after NAT

string

yes

“0.0.0.0”

dst_port

destination port or session identifier for protocols without ports (e.g. ICMP)

int

yes

key is not in JSON

dst_port_nat

destination port after NAT (Added in firmware 10.5.0)

string

yes

key is not in JSON

 

dst_mac

destination mac address

string

yes

"00:00:00:00:00:00"

fwd_bytes

number of bytes sent in the sessions's forward direction

int

yes

key is not in JSON

 

rev_bytes

number of bytes sent in the sessions's reverse direction

int

yes

key is not in JSON

 

fwd_packets

number of packets sent in the sessions's forward direction

int

yes

key is not in JSON

 

rev_packets

number of packets sent in the sessions's reverse direction

int

yes

key is not in JSON

 

user

username

string

yes

key is not in JSON

 

tunnel

tunnel name

string

yes

key is not in JSON

 

ip_proto

numeric ip protocol id (see https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers)

int

no

 

protos

detected application protocols, from most specific to least specific (e.g. ["HTTPS direct", "HTTPS", "All HTTP protocols"]

array of strings

yes

key is not in JSON

 

contents

detected content types, from most specific to least specific (e.g. [ "HTML", "Web Files"]

array of strings

yes

key is not in JSON

 

apps

array of detected applications, from most specific to least specific (e.g. ["Google Services Base","Google Services"]

array of strings

yes

key is not in JSON

 

policy_sdwan

SD-WAN Policy (Added in firmware 10.5.0)

strings

yes

key is not in JSON

 

policy_rac

Zero Trust Access Policy (Added in firmware 10.5.0)

string

yes

key is not in JSON

 

policy_icmp

ICMP Policy (Added in firmware 10.5.0)

string

yes

key is not in JSON

 

policy_tls

TLS Inspection Policy (Added in firmware 10.5.0)

string

yes

key is not in json

policy_av

Malware Protection Policy (Added in firmware 10.5.0)

string

yes

key is not in json

 

policy_ips

IPS Policy (Added in firmware 10.5.0)

string

yes

key is not in json

 

policy_app

Applications Policy (Added in firmware 10.5.0)

string

yes

key is not in json

 

policy_urlcat

URL Filtering Policy (Added in firmware 10.5.0)

string

yes

key is not in json

 

policy_agent

User Agent Policy (Added in firmware 10.5.0)

string

yes

key is not in json

 

policy_content

File Content Policy (Added in firmware 10.5.0)

string

yes

key is not in json

 

domain

 

The "Referer" request header field if set or the host part of the request URI otherwise (Added in firmware 10.5.0)

 

string

 

yes

 

key is not in JSON

 

fw_rule

firewall rule name

string

yes

key is not in JSON

app_rule

application rule name (e.g. "<App>:ALL-APPS")

string

yes

key is not in JSON

 

fw_info

Detailed information about the action performed by the firewall (There are 7 categories.):

1. Generic/Normal Operation (0 - 999)

2.  ACPF_REASON_NORMAL_OP 0
3.  ACPF_REASON_NEW_REQUEST 1
4.  ACPF_REASON_MAC_CHANGED 2
5.  ACPF_REASON_ARP_DUPLICATE 3
6.  ACPF_REASON_SYNC 4
7.  ACPF_REASON_REEVALUATE 5
8.  ACPF_REASON_APP_ALLOW 6
9.  ACPF_REASON_CONTENT_ALLOW 7
10. ACPF_REASON_CONTENT_WARN 8

10.  Failed (1000 - 1999)

11.ACPF_REASON_FAIL_ICMP_BASE 1000
12.ACPF_REASON_FAIL_UNREACHABLE_NET 1000
13.ACPF_REASON_FAIL_UNREACHABLE_HOST 1001
14.ACPF_REASON_FAIL_UNREACHABLE_PROTO 1002
15.ACPF_REASON_FAIL_UNREACHABLE_PORT 1003
16.ACPF_REASON_FAIL_UNREACHABLE_FRAG 1004
17.ACPF_REASON_FAIL_UNREACHABLE_SR 1005
18.ACPF_REASON_FAIL_UNREACHABLE_NO_NET 1006
19.ACPF_REASON_FAIL_UNREACHABLE_NO_HOST 1007
20.ACPF_REASON_FAIL_UNREACHABLE_ISOLATED 1008
21.ACPF_REASON_FAIL_UNREACHABLE_NET_DENY 1009
22.ACPF_REASON_FAIL_UNREACHABLE_HOST_DENY 1010
23.ACPF_REASON_FAIL_UNREACHABLE_TOS_NET 1011
24.ACPF_REASON_FAIL_UNREACHABLE_TOS_HOST 1012
25.ACPF_REASON_FAIL_UNREACHABLE_FILTER 1013
26.ACPF_REASON_FAIL_UNREACHABLE_PRECEDENCE1 1014
27.ACPF_REASON_FAIL_UNREACHABLE_PRECEDENCE2 1015
28.ACPF_REASON_FAIL_TIMEOUT_CONNECT 1016
29.ACPF_REASON_FAIL_TIMEOUT_ACCEPT 1017
30.ACPF_REASON_FAIL_NO_ROUTE 1018
31.ACPF_REASON_FAIL_UNKNOWN 1019
32.ACPF_REASON_FAIL_ROUTE_TRIANGLE 1020
33.ACPF_REASON_FAIL_TTL_EXPIRED 1021
34.ACPF_REASON_FAIL_FRAGTIME 1022
35.ACPF6_REASON_FAIL_ICMPV6_BASE 1023
36.ACPF6_REASON_FAIL_NO_ROUTE_TO_DEST 1023
37.ACPF6_REASON_FAIL_COMM_PROHIBITED 1024
38.ACPF6_REASON_FAIL_UNKNOWN_2 1025
39.ACPF6_REASON_FAIL_ADDRESS_UNREACHABLE 1026
40.ACPF6_REASON_FAIL_PORT_UNREACHABLE 1027
41.ACPF_REASON_FAIL_WANOPT_MISMATCH 1028
42.ACPF_REASON_FAIL_WANOPT_OUT_OF_DESC 1029
43.ACPF_REASON_FAIL_WANOPT_PARTNER_WPROTO_MISSING 1030
44.ACPF_REASON_FAIL_WANOPT_NO_VPN 1031
45.ACPF_REASON_FAIL_SSL_ERROR 1032
46.ACPF_REASON_FAIL_SSL_SELF 1033
47.ACPF_REASON_FAIL_SSL_ISSUER 1034
48.ACPF_REASON_FAIL_SSL_REVOKED 1035
49.ACPF_REASON_FAIL_SSL_EXPIRED 1036
50.ACPF_REASON_FAIL_SSL_INVALID 1037
51.ACPF_REASON_FAIL_SSL_REV_FAILED 1038
52.ACPF_REASON_FAIL_FLEX_TIMEOUT 1039
53.ACPF_REASON_FAIL_FLEX_ERROR 1040
ACPF_REASON_FAIL_MEM_FAIL_CLOSE 1041

54.  Terminated (2000 - 2999)

55.ACPF_REASON_TERM_TIMEOUT_SESSION 2000
56.ACPF_REASON_TERM_TIMEOUT_BALANCED 2001
57.ACPF_REASON_TERM_TIMEOUT_LASTACK 2002
58.ACPF_REASON_TERM_TIMEOUT_RETRANS 2003
59.ACPF_REASON_TERM_TIMEOUT_HALFSIDE 2004
60.ACPF_REASON_TERM_TIMEOUT_UNREACHABLE 2005
61.ACPF_REASON_TERM_CONN_CLOSE 2006
62.ACPF_REASON_TERM_CONN_RESET_SRC 2007
63.ACPF_REASON_TERM_CONN_RESET_DST 2008
64.ACPF_REASON_TERM_ADMIN_TERMINATE 2009
65.ACPF_REASON_TERM_TIME_MISMATCH 2010
66.ACPF_REASON_TERM_RULE_BLOCK 2011
67.ACPF_REASON_TERM_DYN_RULE_EXPIRED 2012
68.ACPF_REASON_TERM_CONTENT 2013
69.ACPF_REASON_TERM_IS_LOCAL 2014
70.ACPF_REASON_TERM_PASSIVE_SYNC 2015
71.ACPF_REASON_TERM_DEVICE_DOWN 2016
72.ACPF_REASON_TERM_DYN_SERVICE 2017
73.ACPF_REASON_TERM_DURATION 2018
74.ACPF_REASON_TERM_P2P 2019
75.ACPF_REASON_TERM_PROTO_DETECT 2020
76.ACPF_REASON_TERM_IPS_DETECT 2021
77.ACPF_REASON_TERM_WANOPT_FAIL 2022
78.ACPF_REASON_TERM_PROTO_DETECT_UNKNOWN 2023
79.ACPF_REASON_TERM_DYNAMIC_MESH 2024
80.ACPF_REASON_TERM_SSL_ERROR 2025
81.ACPF_REASON_TERM_SSL_SELF 2026
82.ACPF_REASON_TERM_SSL_ISSUER 2027
83.ACPF_REASON_TERM_SSL_REVOKED 2028
84.ACPF_REASON_TERM_SSL_NOVALIDATE 2029
85.ACPF_REASON_TERM_NO_LOCAL_SOCK 2030
86.ACPF_REASON_TERM_MEM_FAIL_CLOSE 2031
87. 

88.  Packet Dropped (3000 - 3999)

89.ACPF_REASON_DROP_MISMATCH_MAC 3000
90.ACPF_REASON_DROP_MISMATCH_IF 3001
91.ACPF_REASON_DROP_SOURCE_MC 3002
92.ACPF_REASON_DROP_SOURCE_BC 3003
93.ACPF_REASON_DROP_SOURCE_BADCLASS 3004
94.ACPF_REASON_DROP_SOURCE_LOOPBACK 3005
95.ACPF_REASON_DROP_SOURCE_LOCAL 3006
96.ACPF_REASON_DROP_IPHDR_INCOMPLETE 3007
97.ACPF_REASON_DROP_IPHDR_VERSION 3008
98.ACPF_REASON_DROP_IPHDR_CHECKSUM 3009
99.ACPF_REASON_DROP_IPHDR_INVOPT 3010
100. ACPF_REASON_DROP_SOURCE_ROUTE 3011
101. ACPF_REASON_DROP_PKT_INCOMPLETE 3012
102. ACPF_REASON_DROP_TCP_HDR_INCOMPLETE 3013
103. ACPF_REASON_DROP_TCP_HDR_CHECKSUM 3014
104. ACPF_REASON_DROP_TCP_INVALID_COOKIE 3015
105. ACPF_REASON_DROP_TCP_INVALID_SEQ 3016
106. ACPF_REASON_DROP_TCP_INVALID_ACK 3017
107. ACPF_REASON_DROP_TCP_INVALID_OPT 3018
108. ACPF_REASON_DROP_TCP_INVALID_FLAGS 3019
109. ACPF_REASON_DROP_TCP_NO_SESSION 3020
110. ACPF_REASON_DROP_UDP_HDR_INCOMPLETE 3021
111. ACPF_REASON_DROP_UDP_HDR_CHECKSUM 3022
112. ACPF_REASON_DROP_ICMP_HDR_INCOMPLETE 3023
113. ACPF_REASON_DROP_ICMP_HDR_CHECKSUM 3024
114. ACPF_REASON_DROP_ICMP_HDR_INV_TYPE 3025
115. ACPF_REASON_DROP_ICMP_NO_REQUEST 3026
116. ACPF_REASON_DROP_NO_SOCKET 3027
117. ACPF_REASON_DROP_NO_FWD 3028
118. ACPF_REASON_DROP_NO_DEVICE 3029
119. ACPF_REASON_DROP_ARP_DEVICE_MISMATCH 3030
120. ACPF_REASON_DROP_ARP_MULTIPLE 3031
121. ACPF_REASON_DROP_LIMIT_SIZE 3032
122. ACPF_REASON_DROP_LIMIT_RATE 3033
123. ACPF_REASON_DROP_TTL_EXPIRED 3034
124. ACPF_REASON_DROP_ARP_INV_OP 3035125. ACPF_REASON_DROP_ICMP_NO_SESSION 3036126. ACPF_REASON_DROP_ICMP_IGNORE 3037127. ACPF_REASON_DROP_ICMP_RULE_DROP 3038128. ACPF_REASON_DROP_HIPROTO_HDR_INCOMPLETE 3039129. ACPF_REASON_DROP_HIPROTO_HDR_INVALID 3040130. ACPF_REASON_DROP_HIPROTO_HDR_VERSION 3041131. ACPF_REASON_DROP_HIPROTO_PKT_INCOMPLETE 3042132. ACPF_REASON_DROP_HIPROTO_PKT_INVALID 3043133. ACPF_REASON_DROP_MISMATCH_MAC_SRC 3044134. ACPF_REASON_DROP_MISMATCH_MAC_DST 3045135. ACPF_REASON_DROP_BRIDGE_ACL 3046136. ACPF_REASON_DROP_ARP_BURST 3047137. ACPF_REASON_DROP_STATIC_BARP 3048138. ACPF_REASON_DROP_LOCKED_BARP 3049139. ACPF_REASON_DROP_BRIDGE_MAC_SPOOFING 3050140. ACPF_REASON_DROP_BRIDGE_NO_NEXTHOP 3051141. ACPF_REASON_DROP_DECOMPRESS_FAIL 3052142. ACPF_REASON_DROP_SESSION_LOAD_EXCEEDED 3053143. ACPF_REASON_DROP_QARP_UPDATE_FAILED 3054144. ACPF_REASON_DROP_QARP_ROUTE_LOOKUP_FAILED 3055145. ACPF_REASON_DROP_QARP_GROUP_MISMATCH 3056146. ACPF_REASON_DROP_QARP_MISMATCH 3057147. ACPF_REASON_DROP_TCP_GUESSED_RST 3058148. ACPF_REASON_DROP_TCP_INVALID_SYN 3059149. ACPF_REASON_DROP_EXCEED_MTU 3060150. ACPF_REASON_DROP_SRA_FUTURE_ACK 3061151. ACPF_REASON_DROP_IPV6_UNSUPPORTED_HDR 3062152. ACPF_REASON_DROP_NO_RULESET 3063153. ACPF_REASON_DROP_SRC_BARP_UNKNOWN 3064154. ACPF_REASON_DROP_SRCDST_BARP_SAME_DEV 3065155. ACPF_REASON_DROP_OTHERHOST 3066156. ACPF_REASON_DROP_NOT_ACTIVE 3067157. ACPF_REASON_DROP_LINEARIZATION_FAILED 3068158. ACPF_REASON_DROP_REEVALUATION_FAILED 3069159. ACPF_REASON_DROP_UNKNOWN_FRAGMENT 3070160. ACPF_REASON_DROP_BRIDGE_LOOP 3071161. ACPF_REASON_DROP_RSTP_DISCARD 3072162. ACPF_REASON_DROP_SYN_WITH_PAYLOAD 3073ACPF_REASON_DROP_INVALID_URG_PTR 3074

We value your feedback.
If you have questions, suggestions, or feedback on our documentation, contact the Campus Product Documentation team.
For general product inquiries or technical support, please contact the global Barracuda Support team.