I'm trying to get netflow set up for the SIEM tools in my Azure instance. I have data coming into ES through a logstash pipeline (summarized here):
    input {
      udp {
        port => 2055
        codec => netflow
        type => netflow
      }
    }
    output {
      if [type] == "netflow" {
        elasticsearch {
          hosts => ["${ELASTICSEARCH_URL}"]
          user => "logstash_pipeline"
          password => "<password>"
          index => "netflow-%{+YYYY.MM.dd}"
        }
      }
    }
But when I go into the SIEM page, it prompts me to view setup instructions. So I pick Netflow. I tried adding the modules
section as follows to logstash.yml:
    modules:
      - name: netflow
        var.input.udp.port: 2055
        var.elasticsearch.hosts: ["${ELASTICSEARCH_URL}"]
        var.elasticsearch.username: elastic
        var.elasticsearch.password: <password>
But logstash refused to start, saying "java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit"
So I removed that and just tried running `/usr/share/logstash/bin/logstash --modules netflow --setup`, but logstash then says "ERROR: You cannot use --modules since Elasticsearch is configured as the config store".
So, how do I get Kibana to recognize this data for SIEM? How do I import the visualizations?
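Added example, not part of the original post or of Logstash: a small Python script that builds a synthetic NetFlow v5 datagram and sends it to the `udp`/`netflow` input on port 2055 described above, so you can confirm that records are decoded and land in the `netflow-*` index before debugging the SIEM module side. The listener address 127.0.0.1, the sample addresses and the flow values are constructed assumptions.

```python
import socket
import struct
import time
from ipaddress import IPv4Address

# NetFlow v5 header (24 bytes) and flow record (48 bytes), network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_packet(flows, uptime_ms=60000, seq=0):
    """Encode constructed flow dicts into one NetFlow v5 datagram."""
    now = time.time()
    header = V5_HEADER.pack(5, len(flows), uptime_ms, int(now),
                            int((now % 1) * 1e9), seq, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed,
            IPv4Address("0.0.0.0").packed, 1, 2,          # next hop, in/out ifIndex
            f["packets"], f["bytes"], uptime_ms - 5000, uptime_ms,
            f["sport"], f["dport"], 0, f.get("flags", 0x18), f["proto"], 0,
            0, 0, 24, 24, 0)                              # AS numbers, masks, pad
        for f in flows)
    return header + records

def parse_v5_packet(data):
    """Decode the datagram back to check what the netflow codec will see."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "packets": r[5], "bytes": r[6], "sport": r[9],
                      "dport": r[10], "proto": r[13]})
    return flows

def send_to_logstash(packet, host="127.0.0.1", port=2055):
    """Fire the datagram at the Logstash udp input from the pipeline above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet, (host, port))

# Constructed sample flows using documentation-range addresses, not real traffic.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.20", "sport": 51515, "dport": 443,
     "proto": 6, "packets": 12, "bytes": 9876},
    {"src": "192.0.2.11", "dst": "198.51.100.53", "sport": 40000, "dport": 53,
     "proto": 17, "packets": 1, "bytes": 78, "flags": 0},
]

if __name__ == "__main__":
    send_to_logstash(build_v5_packet(SAMPLE_FLOWS))
```

After sending, a query against the day's `netflow-*` index should show two documents whose ports and protocols match SAMPLE_FLOWS; if nothing arrives, the problem is on the input side rather than in the SIEM setup.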