Logstash issue with Netflow module

Elastic Stack Logstash
1

HI : :smile:

I'm having this issue with logstash with netflow module active:
If I ran it from CLI with this command :

./logstash --modules netflow
It work perfect , Kibana get the index patter netflow-* and I can see populated graphs , etc, etc...

Now if I start it with systemctl :

$systemctl start logstash.service

Them kibana can't find the index pattern .

regards
JC

2

You must first run it with the --setup flag to populate the dashboards and such. After running it with --setup once, you won't have to run it with that again, unless you need to update those dashboards/visualizations.

3

I did ran it with --setup but as soon I restart logstash.service , kibana can't find netflow-* index.
Them if I ran it from terminal ./logstash --modules netflow, everthing work perfect .
The issue is when I start it from $systemctl like this:

$systemctl start logstash.service

If I run
$systemctl status logstash :
I got that logstash is green but is not populating indexes in ES and Kibana ask me set a new index pattern. I know this caz : this is the output of :

curl -X GET 'http://localhost:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open .kibana t4M9dOX0T9WuSyeAYgNbZA 1 1 1 0 3.2kb 3.2kb

not logstash indexes..
regards and thank you for helping me
JC

4

and this is the output when I ran logstash from Terminal passing the --modules netflow.

:~$ curl -X GET 'http://localhost:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open .kibana t4M9dOX0T9WuSyeAYgNbZA 1 1 89 1 101.1kb 101.1kb
yellow open netflow-2017.10.05 r52HE47mTIGdl6wfiR2yQQ 5 1 24725 0 17.4mb 17.4mb

them you can see netflow index is populating elasticS

5

nobody? :disappointed:

6

This is a red herring. Kibana and Logstash have no direct ties to each other. If the index pattern was set once, it's there forever (or until you manually delete it). It doesn't go away.

7

The real issue is that you have to populate logstash.yml with the proper modules configuration for it to be picked up when started with systemctl. There are 2 ways to tell Logstash to use the module configuration:

  1. Using --modules on the command-line
  2. Configuring the modules section in logstash.yml

I'm guessing you didn't configure logstash.yml to do modules.

Mine looks like this:

modules:
- name: netflow
  var.elasticsearch.hosts: "esclient.REDACTED.net"
  var.elasticsearch.username: "MY_XPACK_USER"
  var.elasticsearch.password: "REDACTED"
  var.input.udp.port: 2055
  var.kibana.host: "kibana.REDACTED.net:5601"
  var.kibana.username: "MY_XPACK_USER"
  var.kibana.password: "REDACTED"

If you're not using X-Pack, then you can omit the username and password lines.

1 Like
8

Here is my logstash.yml, you may find the issue.

========================================
#
# ------------ Module Settings ---------------
# Define modules here.  Modules definitions must be defined as an array.
# The simple way to see this is to prepend each `name` with a `-`, and keep
# all associated variables under the `name` they are associated with, and
# above the next, like this:
#
modules:
  - name: netflow
    var.elasticsearch.host: "localhost"
    var.input.udp.port: 2055
    var.kibana.host: "localhost:5601"
#     var.PLUGINTYPE1.PLUGINNAME1.KEY2: VALUE
#     var.PLUGINTYPE2.PLUGINNAME1.KEY1: VALUE
#     var.PLUGINTYPE3.PLUGINNAME3.KEY1: VALUE
#
# Module variable names must be in the format of
#
# var.PLUGIN_TYPE.PLUGIN_NAME.KEY
#
# modules:
#
# ------------ Queuing Settings --------------
9

Please encapsulate pasted configurations between triple-backticks, like this:

```
YOUR CONFIG HERE
```

I took the liberty of adding those to what you pasted, as the # key makes a header in markdown. It was impossible to tell whether things were properly configured or not.

This configuration looks fine. Have you checked to see if the port is open after Logstash starts?

netstat -na | grep 2055
10

Oh I will encapsulate it.

netstat -na | grep 2055

not showing any output.

11

That implies that Logstash isn't running the way you want. It could be permissions related, as you launched it (perhaps as root?) as a different user first, and then tried to run it using systemctl. But without looking at the logs, it would be hard to say. Is logstash actually running?

systemctl status logstash

Have you looked at the logs in /var/log/logstash?

12

I will look at the logs really did not think about it.

yes I do start the services with systemctl I'm using Ubuntu Server 16.04

The service is active and green.
...
systemctl status logstash
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset:
Active: active (running) since Fri 2017-10-06 14:59:12 CDT; 12s ago
Main PID: 18113 (java)
Tasks: 18
Memory: 344.9M
CPU: 36.418s
CGroup: /system.slice/logstash.service
└─18113 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CM

Oct 06 14:59:12 ELK systemd[1]: Started logstash.
...

13

wierd!
I do have logs from yesterday but not from today!

14

Try shutting down the service and then starting (not restart). Something is not starting correctly, and a fresh start is in order. Look for the logs at that point.

15

I do not have to config any pipeline since I'm using the module right? the module will be the main pipeline in this case right?

16

I will thanks

17

That is correct.

18

not a clue, I think I been messing a lot with this
now something is wrong when I start LS via terminal :
...
./logstash --modules netflow --path.settings /etc/logstash
it start but 10 sec after
stop..
that was not happening before... ussually start .

what about .... apt-get purge logstash ... and start fresh

19

Why does it stop? This is important. Understanding the why will prevent it from happening again, even after purging and reinstalling. What is in the logs? Something should be logged after that. If there's a failure, it will log something.

20

I will post the logs