Listening to multiple ports for Netflow traffic

hjazz6 · January 13, 2022, 2:17am

Hi,

My filebeat 7.14.0 is currently listening on UDP port 1234 for Netflow packets using the Netflow module. Can I configure my netflow.yml to listen to multiple UDP ports for Netflow packets?

E.g. (netflow.yml)

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow.port: [1234, 1235, 1236]
      queue_size: 8192

I know the [...] syntax is not accepted by filebeat when specifying the ports, so is there a way to listen to multiple ports in a single filebeat instance, or do I have to run an instance per port? If the latter, can all the filebeat instances output to the same Elasticsearch index?

Thank you.

legoguy1000 · January 13, 2022, 1:28pm

You can do something like

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow.port: 1234
      queue_size: 8192
- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow.port: 1235
      queue_size: 8192
...

hjazz6 · January 14, 2022, 8:41am

So in this case, I would only be running one instance of filebeat, but listening on multiple ports?

legoguy1000 · January 14, 2022, 1:35pm

Correct

system · February 11, 2022, 3:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.