Logstash 6.4.1 Ignoring Netflow 10

(Anna) #1

I have installed Logstash 6.4.1 and I have enabled the netflow module but I'm getting "Ignoring Netflow version v10". As far as I understand, netflow 10 is supported in this version. Am I correct?
Here is the error

[2018-09-21T17:04:25,549][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.4.1"}
[2018-09-21T17:18:38,966][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"", :receive_buffer_bytes=>"212992", :queue_size=>"2000"}
[2018-09-21T17:18:39,254][WARN ][logstash.codecs.netflow  ] Ignoring Netflow version v10
[2018-09-21T17:18:39,253][WARN ][logstash.codecs.netflow  ] Ignoring Netflow version v10

Thank you

(Robert Cowart) #2

The Logstash Netflow Module only supports Netflow v5/v9, not IPFIX (aka v10). You may want to try out Elastiflow...

The Logstash Netflow Module was based on ElastiFlow v1.0.0. It is now very dated, and the functionality is very far behind the current release of ElastiFlow... v3.3.0.

(Anna) #3

Thank you!
Does ElastiFlow use logstash with another plugin?

(Robert Cowart) #4

For sFlow you need to install logstash-codec-sflow. That is the only optional plugin that is required. For IPFIX it uses the standard logstash-codec-netflow.

(Anna) #5

So using ElastiFlow does something extra to support IPFIX, but using the standard logstash-codec-netflow.
Am I correct?

(Robert Cowart) #6

The standard codec can decode Netflow v5, v9 and IPFIX (v10). Decoding is really just the first step. What you do with that decoded data is what makes the difference. There is a big difference between Netflow and IPFIX field names, and the Logstash Netflow Module processes and provides visualizations ONLY for Netflow fields, NOT IPFIX fields.

As ElastiFlow evolved it was enhanced to normalize the various flow types into a common schema, so that ALL of your network flow data can be visualized and analyzed with a common set of dashboards.

It has since become the most popular solution to collect network flow data with the Elastic Stack, and is used by well over 1000 organizations world-wide.
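A minimal pipeline that does what this reply describes, as an added example (not code from the thread or from the ElastiFlow project): the standard codec is told to accept v5, v9 and IPFIX, and a filter maps the differently named v9 and IPFIX fields into one common schema. The UDP port, the index name and the [flow][...] target names are assumptions, not ElastiFlow's schema.

```logstash
input {
  udp {
    port  => 2055                 # assumed collector port
    codec => netflow {
      # 10 = IPFIX. The codec logs "Ignoring Netflow version vN" for any
      # version that is not listed here, which is the warning in post #1.
      versions => [5, 9, 10]
    }
  }
}

filter {
  # The codec records the flow version in [netflow][version], and uses
  # IPFIX information element names for v10 but Netflow names for v5/v9.
  if [netflow][version] == 10 {
    mutate {
      rename => {
        "[netflow][sourceIPv4Address]"      => "[flow][src_addr]"
        "[netflow][destinationIPv4Address]" => "[flow][dst_addr]"
        "[netflow][sourceTransportPort]"    => "[flow][src_port]"
        "[netflow][destinationTransportPort]" => "[flow][dst_port]"
        "[netflow][protocolIdentifier]"     => "[flow][ip_protocol]"
        "[netflow][octetDeltaCount]"        => "[flow][bytes]"
        "[netflow][packetDeltaCount]"       => "[flow][packets]"
      }
    }
  } else {
    mutate {
      rename => {
        "[netflow][ipv4_src_addr]" => "[flow][src_addr]"
        "[netflow][ipv4_dst_addr]" => "[flow][dst_addr]"
        "[netflow][l4_src_port]"   => "[flow][src_port]"
        "[netflow][l4_dst_port]"   => "[flow][dst_port]"
        "[netflow][protocol]"      => "[flow][ip_protocol]"
        "[netflow][in_bytes]"      => "[flow][bytes]"
        "[netflow][in_pkts]"       => "[flow][packets]"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]           # assumed
    index => "flow-%{+YYYY.MM.dd}"        # assumed index name
  }
}
```

Because both branches write the same [flow] fields, one set of dashboards built on them works for v9 exporters and IPFIX exporters alike; fields that a given exporter does not send are simply left untouched by the rename.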

(Anna) #7

Thank you. I'll try it.
