Filebeat netflow module crashes

I am currently receiving netflow logs on port 2055 (default) on my Logstash server. I also have filebeat running on this server, which is also currently using the panw and crowdstrike modules with no issues. So the filebeat.yml file is working as it should.

I enabled the netflow module as normal with sudo filebeat modules enable netflow. Results are success.

My netflow.yml module file is shown below:

# Module: netflow
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netflow.html

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow_port: 2055
      # internal_networks specifies which networks are considered internal or private
      # you can specify either a CIDR block or any of the special named ranges listed
      # at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
      internal_networks:
        - private

When I start filebeat and grep the journalctl for netflow all I see is as follows:

Apr 02 13:28:51 SECELSPR01 filebeat[16037]: 2021-04-02T13:28:51.044-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 13:28:51 SECELSPR01 filebeat[16037]: 2021-04-02T13:28:51.045-0400        DEBUG        [cfgfile]        cfgfile/cfgfile.go:193        Load config from file: /etc/filebeat/modules.d/netflow.yml
Apr 02 13:28:51 SECELSPR01 filebeat[16037]: 2021-04-02T13:28:51.046-0400        INFO        [netflow]        netflow/input.go:187        Stopping UDP input
Apr 02 13:28:54 SECELSPR01 filebeat[16053]: 2021-04-02T13:28:54.401-0400        INFO        beater/filebeat.go:117        Enabled modules/filesets: netflow (log),  (), crowdstrike (falcon), panw (panos), logstash (log, slowlog)
Apr 02 13:28:55 SECELSPR01 filebeat[16053]: 2021-04-02T13:28:54.843-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 13:28:55 SECELSPR01 filebeat[16053]: 2021-04-02T13:28:54.843-0400        DEBUG        [cfgfile]        cfgfile/cfgfile.go:193        Load config from file: /etc/filebeat/modules.d/netflow.yml
Apr 02 13:28:55 SECELSPR01 filebeat[16053]: 2021-04-02T13:28:54.845-0400        INFO        [netflow]        netflow/input.go:187        Stopping UDP input
Apr 02 13:28:58 SECELSPR01 filebeat[16070]: 2021-04-02T13:28:58.141-0400        INFO        beater/filebeat.go:117        Enabled modules/filesets:  (), crowdstrike (falcon), panw (panos), logstash (log, slowlog), netflow (log)
Apr 02 13:28:58 SECELSPR01 filebeat[16070]: 2021-04-02T13:28:58.548-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 13:28:58 SECELSPR01 filebeat[16070]: 2021-04-02T13:28:58.548-0400        DEBUG        [cfgfile]        cfgfile/cfgfile.go:193        Load config from file: /etc/filebeat/modules.d/netflow.yml
Apr 02 13:28:58 SECELSPR01 filebeat[16070]: 2021-04-02T13:28:58.549-0400        INFO        [netflow]        netflow/input.go:187        Stopping UDP input
Apr 02 13:29:01 SECELSPR01 filebeat[16087]: 2021-04-02T13:29:01.897-0400        INFO        beater/filebeat.go:117        Enabled modules/filesets: crowdstrike (falcon), panw (panos), logstash (log, slowlog), netflow (log),  ()
Apr 02 13:29:02 SECELSPR01 filebeat[16087]: 2021-04-02T13:29:02.252-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 13:29:02 SECELSPR01 filebeat[16087]: 2021-04-02T13:29:02.263-0400        DEBUG        [cfgfile]        cfgfile/cfgfile.go:193        Load config from file: /etc/filebeat/modules.d/netflow.yml
Apr 02 13:29:02 SECELSPR01 filebeat[16087]: 2021-04-02T13:29:02.264-0400        INFO        [netflow]        netflow/input.go:187        Stopping UDP input
Apr 02 13:29:05 SECELSPR01 filebeat[16104]: 2021-04-02T13:29:05.636-0400        INFO        beater/filebeat.go:117        Enabled modules/filesets: crowdstrike (falcon), panw (panos), logstash (log, slowlog), netflow (log),  ()
Apr 02 13:29:06 SECELSPR01 filebeat[16104]: 2021-04-02T13:29:05.997-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 13:29:06 SECELSPR01 filebeat[16104]: 2021-04-02T13:29:06.002-0400        DEBUG        [cfgfile]        cfgfile/cfgfile.go:193        Load config from file: /etc/filebeat/modules.d/netflow.yml
Apr 02 13:29:06 SECELSPR01 filebeat[16104]: 2021-04-02T13:29:06.004-0400        INFO        [netflow]        netflow/input.go:187        Stopping UDP input

Any assistance would be greatly appreciated.

Thanks,

Not sure what happened really, but now I am only seeing the following errors:

Apr 02 21:59:47 SECELSPR01 filebeat[145065]: "netflow": {
Apr 02 21:59:50 SECELSPR01 filebeat[145065]: 2021-04-02T21:59:50.172-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 21:59:50 SECELSPR01 filebeat[145065]: 2021-04-02T21:59:50.172-0400        ERROR        [netflow]        netflow/input.go:162        Error running harvester: listen udp 0.0.0.0:2055: bind: address already in use
Apr 02 21:59:56 SECELSPR01 filebeat[145065]: "netflow": {
Apr 02 22:00:00 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:00.173-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 22:00:00 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:00.173-0400        ERROR        [netflow]        netflow/input.go:162        Error running harvester: listen udp 0.0.0.0:2055: bind: address already in use
Apr 02 22:00:10 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:10.174-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 22:00:10 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:10.174-0400        ERROR        [netflow]        netflow/input.go:162        Error running harvester: listen udp 0.0.0.0:2055: bind: address already in use
Apr 02 22:00:17 SECELSPR01 filebeat[145065]: "netflow": {
Apr 02 22:00:20 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:20.174-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 22:00:20 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:20.175-0400        ERROR        [netflow]        netflow/input.go:162        Error running harvester: listen udp 0.0.0.0:2055: bind: address already in use
Apr 02 22:00:30 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:30.175-0400        INFO        [netflow]        netflow/input.go:151        Starting UDP input
Apr 02 22:00:30 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:30.175-0400        ERROR        [netflow]        netflow/input.go:162        Error running harvester: listen udp 0.0.0.0:2055: bind: address already in use

Which is very strange as I run netstat -tulpin and the only item listening on that port is filebeat itself.

Also as you can see filebeat is processing my FW logs on port 9004 so I am not sure what is happening now.

Thanks,

Another update to this long saga.

I finally disabled the filebeat module netflow and used the input type netflow in the filebeat.yml file.

Now netflow logs are flowing with no issue.

Something is wrong with the netflow module though.
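
A triage script for the two symptoms in the journal output above, added here as an example and not part of the original posts: it flags the netflow input starting and stopping under several different filebeat PIDs (a restart loop) and a bind error reported by a single PID. The function name `triage`, the `min_cycles` threshold and the shortened sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines shortened from the journal output quoted in the thread.
SAMPLE = """\
Apr 02 13:28:51 SECELSPR01 filebeat[16037]: 2021-04-02T13:28:51.044-0400 INFO [netflow] netflow/input.go:151 Starting UDP input
Apr 02 13:28:51 SECELSPR01 filebeat[16037]: 2021-04-02T13:28:51.046-0400 INFO [netflow] netflow/input.go:187 Stopping UDP input
Apr 02 13:28:55 SECELSPR01 filebeat[16053]: 2021-04-02T13:28:54.843-0400 INFO [netflow] netflow/input.go:151 Starting UDP input
Apr 02 13:28:55 SECELSPR01 filebeat[16053]: 2021-04-02T13:28:54.845-0400 INFO [netflow] netflow/input.go:187 Stopping UDP input
Apr 02 13:28:58 SECELSPR01 filebeat[16070]: 2021-04-02T13:28:58.548-0400 INFO [netflow] netflow/input.go:151 Starting UDP input
Apr 02 13:28:58 SECELSPR01 filebeat[16070]: 2021-04-02T13:28:58.549-0400 INFO [netflow] netflow/input.go:187 Stopping UDP input
Apr 02 21:59:50 SECELSPR01 filebeat[145065]: 2021-04-02T21:59:50.172-0400 INFO [netflow] netflow/input.go:151 Starting UDP input
Apr 02 21:59:50 SECELSPR01 filebeat[145065]: 2021-04-02T21:59:50.172-0400 ERROR [netflow] netflow/input.go:162 Error running harvester: listen udp 0.0.0.0:2055: bind: address already in use
Apr 02 22:00:00 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:00.173-0400 INFO [netflow] netflow/input.go:151 Starting UDP input
Apr 02 22:00:00 SECELSPR01 filebeat[145065]: 2021-04-02T22:00:00.173-0400 ERROR [netflow] netflow/input.go:162 Error running harvester: listen udp 0.0.0.0:2055: bind: address already in use
"""

# journald prefix, filebeat timestamp, level, [netflow] logger, source location, message
LINE = re.compile(
    r"filebeat\[(?P<pid>\d+)\]:\s+\S+\s+[A-Z]+\s+\[netflow\]\s+\S+\s+(?P<msg>.*)")
BIND = re.compile(r"listen udp (?P<addr>\S+): bind: address already in use")

def triage(journal_text, min_cycles=3):
    """Summarise netflow input symptoms per filebeat PID (hypothetical helper)."""
    stats = defaultdict(lambda: {"start": 0, "stop": 0, "bind": set()})
    for line in journal_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a [netflow] logger line
        pid, msg = int(m["pid"]), m["msg"].strip()
        if msg == "Starting UDP input":
            stats[pid]["start"] += 1
        elif msg == "Stopping UDP input":
            stats[pid]["stop"] += 1
        elif (b := BIND.search(msg)):
            stats[pid]["bind"].add(b["addr"])
    findings = {}
    # Several distinct PIDs that each started and stopped the input: the
    # service itself is being restarted, not just the input.
    cycled = sorted(p for p, s in stats.items() if s["start"] and s["stop"])
    if len(cycled) >= min_cycles:
        findings["restart_loop"] = cycled
    # A PID that cannot bind: compare it with the PID that owns the socket.
    conflicts = {p: sorted(s["bind"]) for p, s in stats.items() if s["bind"]}
    if conflicts:
        findings["bind_conflict"] = conflicts
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

If the PID under `bind_conflict` is the same PID that holds the UDP socket, two inputs inside one filebeat process are configured for the same address.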
