Hi,
I have installed Logstash 6.4.1 and I have enabled the netflow module but I'm getting "Ignoring Netflow version v10". As far as I understand, netflow 10 is supported in this version. Am I correct?
Here is the error
[2018-09-21T17:04:25,549][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.4.1"}
[2018-09-21T17:18:38,966][INFO ][logstash.inputs.udp ] UDP listener started {:address=>"0.0.0.0:4001", :receive_buffer_bytes=>"212992", :queue_size=>"2000"}
[2018-09-21T17:18:39,254][WARN ][logstash.codecs.netflow ] Ignoring Netflow version v10
[2018-09-21T17:18:39,253][WARN ][logstash.codecs.netflow ] Ignoring Netflow version v10
The Logstash Netflow Module only supports Netflow v5/v9, not IPFIX (aka v10). You may want to try out Elastiflow...
The Logstash Netflow Module was based on ElastiFlow v1.0.0. It is now very dated, and the functionality is very far behind the current release of ElastiFlow... v3.3.0.
For sFlow you need to install logstash-codec-sflow. That is the only optional plugin that is required. For IPFIX it uses the standard logstash-codec-netflow.
The standard codec can decode Netflow v5, v9 and IPFIX (v10). Decoding is really just the first step. What you do with that decoded data is what makes the difference. There is a big difference between Netflow and IPFIX field names, and the Logstash Netflow Module processes and provides visualizations ONLY for Netflow fields, NOT IPFIX fields.
As ElastiFlow evolved it was enhanced to normalize the various flow types into a common schema, so that ALL of your network flow data can be visualized and analyzed with a common set of dashboards.
It has since become the most popular solution to collect network flow data with the Elastic Stack, and is used by well over 1000 organizations world-wide.
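As an added example (not from this thread, and not Logstash's, the netflow codec's or ElastiFlow's own code), the Python below mirrors the two points made in the replies above: the version check a collector performs on the first two bytes of every datagram, which is what produces "Ignoring Netflow version v10" when 10 is not in the accepted list, and the renaming of Netflow v5/v9 versus IPFIX field names into one common schema, which is the step the Netflow Module never does for IPFIX. The sample headers and decoded events are constructed; the field names follow what the netflow codec usually emits under its `netflow` target (short lower-case names for v5/v9, IANA information element names for IPFIX) and the default accepted version list is assumed to be [5, 9, 10], so both should be checked against your own decoded events and codec version.

```python
import struct

# Versions the standard logstash-codec-netflow is assumed to accept by
# default (its `versions` option, assumed default [5, 9, 10]; 10 is IPFIX).
ACCEPTED_VERSIONS = (5, 9, 10)


def flow_version(datagram: bytes) -> int:
    """NetFlow v5, v9 and IPFIX headers all begin with a 16-bit big-endian
    version number, so the export format is decided from two bytes."""
    if len(datagram) < 2:
        raise ValueError("datagram too short to carry a flow header")
    return struct.unpack("!H", datagram[:2])[0]


def accepts(datagram: bytes, versions=ACCEPTED_VERSIONS) -> bool:
    """The check behind 'Ignoring Netflow version vN': a datagram whose
    version is not in the configured list is dropped, not decoded."""
    return flow_version(datagram) in versions


# Constructed sample headers (not captured traffic). Layouts follow the
# v5 (24 bytes), v9 (20 bytes) and IPFIX (16 bytes) header formats.
NETFLOW_V5_HEADER = struct.pack("!HHIIIIBBH", 5, 1, 1000, 1537545505, 0, 42, 0, 0, 0)
NETFLOW_V9_HEADER = struct.pack("!HHIIII", 9, 1, 1000, 1537545505, 42, 256)
IPFIX_HEADER = struct.pack("!HHIII", 10, 16, 1537545505, 42, 256)

# Common name -> (Netflow v5/v9 name, IPFIX name) as emitted under the
# codec's `netflow` target. Assumed from typical codec output; verify
# against your own events before relying on it.
FIELD_MAP = {
    "src_addr": ("ipv4_src_addr", "sourceIPv4Address"),
    "dst_addr": ("ipv4_dst_addr", "destinationIPv4Address"),
    "src_port": ("l4_src_port", "sourceTransportPort"),
    "dst_port": ("l4_dst_port", "destinationTransportPort"),
    "protocol": ("protocol", "protocolIdentifier"),
    "bytes": ("in_bytes", "octetDeltaCount"),
    "packets": ("in_pkts", "packetDeltaCount"),
}


def normalize(event: dict) -> dict:
    """Map one decoded event into the common schema, whatever the export
    format was, so a single set of dashboards can query it."""
    nf = event["netflow"]
    version = nf["version"]
    if version not in ACCEPTED_VERSIONS:
        raise ValueError(f"unsupported flow version {version}")
    column = 1 if version == 10 else 0
    out = {"flow_type": "ipfix" if version == 10 else f"netflow_v{version}"}
    for common, names in FIELD_MAP.items():
        if names[column] in nf:  # fields absent from the template are skipped
            out[common] = nf[names[column]]
    return out


# Constructed decoded events, shaped like the codec's output (assumed).
SAMPLE_V9_EVENT = {"netflow": {
    "version": 9, "ipv4_src_addr": "10.0.0.1", "ipv4_dst_addr": "10.0.0.2",
    "l4_src_port": 51000, "l4_dst_port": 443, "protocol": 6,
    "in_bytes": 1500, "in_pkts": 10}}
SAMPLE_IPFIX_EVENT = {"netflow": {
    "version": 10, "sourceIPv4Address": "10.0.0.1",
    "destinationIPv4Address": "10.0.0.2", "sourceTransportPort": 51000,
    "destinationTransportPort": 443, "protocolIdentifier": 6,
    "octetDeltaCount": 1500, "packetDeltaCount": 10}}


if __name__ == "__main__":
    samples = (("v5", NETFLOW_V5_HEADER), ("v9", NETFLOW_V9_HEADER), ("ipfix", IPFIX_HEADER))
    for name, hdr in samples:
        print(f"{name}: version {flow_version(hdr)}, accepted by default: "
              f"{accepts(hdr)}, accepted by Netflow-only [5, 9]: {accepts(hdr, versions=(5, 9))}")
    print(normalize(SAMPLE_V9_EVENT))
    print(normalize(SAMPLE_IPFIX_EVENT))
```

Run it and the IPFIX header is accepted with the default list but rejected with a Netflow-only list of [5, 9], which is the situation behind the warning in the original question; the two normalized events differ only in `flow_type`, which is what lets one dashboard cover both. The same `FIELD_MAP` translates directly into `mutate { rename => ... }` entries in a Logstash filter if you would rather do the renaming in the pipeline.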