Logstash/ElasticSearch/Kibana 7.3 not working for Netflow

Elena_Kaidrikov · August 12, 2019, 10:40am

Hi,
I installed Logstash, ElasticSearch, Kibana, and ElasticFlow

my logstash config :

output {
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "%{[@metadata][netflow]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}

input {
udp {
host => "192.168.100.1"
port => 2055
codec => netflow
}
}

the first question is Why logstash is listening on 0.0.0.0:2055 :
udp 0 0.0.0.0:2055 0.0.0.0:* 13798/java

from /var/log/logstash/logstash-plain.log :

UDP listener started {:address=>"0.0.0.0:2055", :receive_buffer_bytes=>"212992", :queue_size=>"2000"}

And my main issue is I don't see the netflow traffic in Kibana Dashboard
I've verified that the netflow packages are riched the host. I checked it using tcpdump and simple udp socket app.

Where does Logstash/ElasticSearch collect received data?
Will I need to change/add/fix something?

Thank you for your help

Badger · August 12, 2019, 12:46pm

The UDP listener logs whatever the host option is set to, so I do not think you are running with the configuration you think you are.

Elena_Kaidrikov · August 13, 2019, 1:05pm

I succeeded to configure and I see that logstash receives my netflow packages,
but it drops them.
I see the following prints in the logstash log :

[2019-08-13T12:32:47,900][WARN ][logstash.codecs.netflow ] Received template 256 of size 63 bytes doesn't match BinData representation we built (65 bytes)

[2019-08-13T12:32:47,907][WARN ][logstash.codecs.netflow ] Template length exceeds flowset length, skipping {:template_id=>256, :template_length=>65, :record_length=>63}

system · September 10, 2019, 1:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.