Cisco ASA Netflow

I am using the latest 7.3 ELK stack with Filebeat.
I configured NetFlow with the Filebeat netflow plugin to monitor my ASA.
For network.direction I am getting "unknown".
For network.bytes I am getting just "-".

Any tips would be helpful to troubleshoot.

The issue seems to be due to running ASA version 9.6+.
See the following thread:

Basically, modify
/usr/share/logstash/modules/netflow/configuration/logstash/netflow.conf.erb
Line 184 starts with "# Populate bytes transferred in the flow."
Add the following to the bottom of that block:
    }
    else if [netflow][fwd_flow_delta_bytes] {
      mutate {
        id => "netflow-v9-normalize-bytes-from-fwd_flow_bytes"
        rename => { "[netflow][fwd_flow_delta_bytes]" => "[netflow][bytes]" }
      }
    }
    else if [netflow][rev_flow_delta_bytes] {
      mutate {
        id => "netflow-v9-normalize-bytes-from-rev_flow-bytes"
        rename => { "[netflow][rev_flow_delta_bytes]" => "[netflow][bytes]" }
      }
    }

This will give you the ability to see some packets?
As for the direction, I have no idea.

That's a partial fix on Logstash; for Filebeat I do not know how to fix it.
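As an added illustration (not code from the post above, and not part of Logstash or Filebeat), the script below models that conditional chain in Python and runs it over a few constructed NetFlow v9 records, so you can see why network.bytes renders as "-" for ASA 9.6+ exports and what the extra branches change. The field names fwd_flow_delta_bytes and rev_flow_delta_bytes are the ASA NSEL names quoted in the post; in_bytes is assumed here to be the generic field the stock module already handles, and the sample records are constructed.

```python
# Added example, not from the original post or from the netflow module.
# Models the "# Populate bytes transferred in the flow" conditional chain:
# the stock branch knows only in_bytes (assumed name), the patched chain
# from the post adds the two ASA NSEL delta-bytes fields.

# Constructed sample records, flattened form of what the netflow codec
# emits under [netflow]. Record 1 looks like a generic NetFlow v9 exporter,
# records 2 and 3 like ASA NSEL records, which carry per-direction delta
# bytes instead of a single in_bytes counter.
SAMPLE_RECORDS = [
    {"ipv4_src_addr": "10.0.0.5", "ipv4_dst_addr": "10.0.0.9",
     "in_bytes": 1200},
    {"ipv4_src_addr": "10.0.0.7", "ipv4_dst_addr": "93.184.216.34",
     "fwd_flow_delta_bytes": 640, "rev_flow_delta_bytes": 5120},
    {"ipv4_src_addr": "10.0.0.8", "ipv4_dst_addr": "10.0.0.1",
     "rev_flow_delta_bytes": 300},
]

# Order of the if / else if branches: first match wins, like in Logstash.
BYTE_SOURCES = ("in_bytes", "fwd_flow_delta_bytes", "rev_flow_delta_bytes")


def normalize_bytes(record: dict, with_asa_fix: bool) -> dict:
    """Apply the conditional chain to one record.

    mutate { rename => ... } moves the field, so the source key disappears
    and its value lands in "bytes". Without the ASA fix only in_bytes is
    consulted, which is why ASA records end up with no bytes at all.
    """
    out = dict(record)
    sources = BYTE_SOURCES if with_asa_fix else BYTE_SOURCES[:1]
    for field in sources:
        if field in out:
            out["bytes"] = out.pop(field)
            break
    return out


def render_network_bytes(record: dict) -> str:
    """Kibana displays a field that is absent from the document as '-'."""
    return str(record["bytes"]) if "bytes" in record else "-"


def normalize_all(records: list, with_asa_fix: bool) -> list:
    """Return the network.bytes column as Kibana would show it."""
    return [render_network_bytes(normalize_bytes(r, with_asa_fix))
            for r in records]


if __name__ == "__main__":
    print("stock module:", normalize_all(SAMPLE_RECORDS, with_asa_fix=False))
    print("with ASA fix:", normalize_all(SAMPLE_RECORDS, with_asa_fix=True))
```

One thing the model makes visible: because the branches are an else-if chain, a bidirectional ASA record that carries both delta fields contributes only fwd_flow_delta_bytes to network.bytes, and the reverse-direction count is left behind in its original field. If you want totals per flow, sum the two fields before (or instead of) the rename.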
