Listening to multiple ports for Netflow traffic

hjazz6 · January 13, 2022, 2:17am

Hi,

My filebeat 7.14.0 is currently listening on UDP port 1234 for Netflow packets using the Netflow module. Can I configure my netflow.yml to listen to multiple UDP ports for Netflow packets?

E.g. (netflow.yml)

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow.port: [1234, 1235, 1236]
      queue_size: 8192

I know the [...] syntax is not accepted by filebeat when specifying the ports, so is there a way to listen to multiple ports in a single filebeat instance, or do I have to run an instance per port? If the latter, can all the filebeat instances output to the same Elasticsearch index?

Thank you.

legoguy1000 · January 13, 2022, 1:28pm

You can do something like

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow.port: 1234
      queue_size: 8192
- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow.port: 1235
      queue_size: 8192
...

hjazz6 · January 14, 2022, 8:41am

So in this case, I would only be running one instance of filebeat, but listening on multiple ports?

legoguy1000 · January 14, 2022, 1:35pm

Correct

system · February 11, 2022, 3:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Running multiple filebeat instances to handle netflow load Beats filebeat	3	664	November 3, 2021
Filebeat multiple sources netflow module Beats beats-module , filebeat	3	502	August 6, 2020
2 instances of Filebeat on same Linux server output to same ES Beats filebeat	4	271	May 26, 2023
Filebeat netflow module multiple host Beats	1	446	December 20, 2019
Multi port output configuration Beats filebeat	1	540	September 5, 2019

Listening to multiple ports for Netflow traffic

Related topics