Error Netflow Plugin on Logstash

sreejiths · August 15, 2017, 11:21pm

Can help on the error ?

Neflow Plugin in Logstash

[root@XXXX logstash]# bin/logstash-plugin list | grep netflow
logstash-codec-netflow
[root@XXXX logstash]#

Netflow Config

input {
udp {
port => "2055"
host => "X.X.X.X"
codec => netflow {
versions => [5, 9]
}
type => netflow
}

tcp {
port => "2055"
host => "X.X.X.X"
codec => netflow {
versions => [5, 9]
}
type => netflow
}
}

filter {

  netflow {}

}

output {
elasticsearch {
hosts => ["X.X.X.X"]
index => "logstashnetflow-%{+YYYY.MM.dd}"
}
}

Error When running Logstash

[2017-08-16T07:18:52,944][ERROR][logstash.plugins.registry] Problems loading a plugin with {:type=>"filter", :name=>"netflow", :path=>"logstash/filters/netflow", :error_message=>"NameError", :error_class=>NameError, :error_backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:221:in namespace_lookup'", "/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:157:inlegacy_lookup'", "/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:133:in lookup'", "/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:175:inlookup_pipeline_plugin'", "/usr/share/logstash/logstash-core/lib/logstash/plugin.rb:129:in lookup'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:95:inplugin'", "(eval):16:in initialize'", "org/jruby/RubyKernel.java:1079:ineval'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:65:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:144:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:275:in create_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:95:inregister_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:264:in execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:inrun'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:183:in run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:inrun'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}
[2017-08-16T07:18:52,956][ERROR][logstash.agent ] Cannot load an invalid configuration {:reason=>"Couldn't find any filter plugin named 'netflow'. Are you sure this is correct? Trying to load the netflow filter plugin resulted in this error: Problems loading the requested plugin named netflow of type filter. Error: NameError NameError"

tatdat · August 16, 2017, 1:19am

What is your LS version?

filter {
  netflow {}
}

Please check this document. dont have any plugin called netflow
https://www.elastic.co/guide/en/logstash/current/filter-plugins.html

And for getting netflow, dont need to do anything in filter. Just nees input and output. It look like

input {
  #UDP receive flow from netflow
  udp {
    host => "10.1.12.22"
    port => 5009
    codec => netflow {
      versions => [5, 9]
    }
    type => netflow
  }
  udp {
    host => "10.1.12.22"
    port => 5010
    codec => netflow {
      versions => [10]
      target => ipfix
   }
   type => ipfix
  }

  tcp {
    host => "10.1.12.22"
    port => 4739
    codec => netflow {
      versions => [10]
      target => ipfix
    }
    type => ipfix
  }

  #syslog UPD 514 - swicth, router
  syslog {
    host => "10.1.12.22"
    add_field => {
      "type" => "network"
      "beatname"=>"fb-network"
      "beattype"=>"network"
    }
  }
}

output {
    elasticsearch {
         hosts => [“X.X.X.X”]
        index => “logstashnetflow-%{+YYYY.MM.dd}”
    }
}

sreejiths · August 16, 2017, 2:35am

LS Version 5.2

I referred to https://www.elastic.co/guide/en/logstash/5.2/plugins-codecs-netflow.html ..

Also removed the filter section ..It works..Thanks for suggestion ...

sreejiths · August 17, 2017, 2:12am

Hi ..Neflow instance "2055" is up ..But for some reson netflow traffic is not getting into Logstash . I am getting below error ..Any advice please for the fix

Error

[2017-08-17T10:06:23,980][WARN ][logstash.codecs.netflow ] No matching template for flow id 258
[2017-08-17T10:06:23,987][WARN ][logstash.codecs.netflow ] No matching template for flow id 258
[2017-08-17T10:06:23,989][WARN ][logstash.codecs.netflow ] No matching template for flow id 258
[2017-08-17T10:06:23,990][WARN ][logstash.codecs.netflow ] No matching template for flow id 258
[2017-08-17T10:06:23,992][WARN ][logstash.codecs.netflow ] No matching template for flow id 258

Logstash Config

INPUT - Logstash listens on port 2055 for Netflow logs.

input {
udp {
port => "2055"
host => "X.X.X.X"
codec => netflow {
versions => [5, 9]
}
type => netflow
}

tcp {
port => "2055"
host => "X.X.X.X"
codec => netflow {
versions => [5, 9]
}
type => netflow
}
}

output {
elasticsearch {
hosts => ["X.X.X.X"]
index => "logstash-netflow-%{+YYYY.MM.dd}"
}
}

sreejiths · August 18, 2017, 9:06am

Any advice on the error please

system · September 15, 2017, 9:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.