Cisco ASA Netflow

dmitriy.y · August 6, 2019, 9:38pm

I am using latest 7.3 ELK stack with filebeat.
Configured netflow with the filebeat netflow plugin to monitor my ASA.
For network.direction i am getting "unknown"
For network.bytes i am getting just "-"

Any tips would be helpful to troubleshoot.

Lantsel · August 7, 2019, 4:42pm

The issues seems to be due to running ASA version 9.6+
See the following thread:

Basically modify the
/usr/share/logstash/modules/netflow/configuration/logstash/netflow.conf.erb
Line 184 starts.. # Populate bytes transferred in the flow.
add to the bottom of it
}
else if [netflow][fwd_flow_delta_bytes] {
mutate {
id => "netflow-v9-normalize-bytes-from-fwd_flow_bytes"
rename => { "[netflow][fwd_flow_delta_bytes]" => "[netflow][bytes]" }
}
}
else if [netflow][rev_flow_delta_bytes] {
mutate {
id => "netflow-v9-normalize-bytes-from-rev_flow-bytes"
rename => { "[netflow][rev_flow_delta_bytes]" => "[netflow][bytes]" }
}
}

This will give you ability to see some packets?
As for the direction, I have no idea.

That's a partial fix on logstash for filebeat i do not know how to fix it..

system · September 4, 2019, 4:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Netflow missing field Logstash	4	966	January 12, 2018
No data from filebeat cisco module Beats filebeat	9	2329	August 5, 2020
Filebeat Netflow not getting to Kibana Beats filebeat	4	393	July 13, 2020
Logstash 6.2.4 netflow module no packets no bytes Logstash	3	810	May 28, 2018
Filebeat cisco module not parsing ASA logs Beats filebeat	1	378	November 6, 2019

Cisco ASA Netflow

Related topics