Logstash log error "Unsupported field" (Netflow question)

Hi all

Please go easy on me :slight_smile: - I've just literally installed ELK on a CentOS7 VM in order to trial the Netflow support for Cisco devices (to start with, then moving on to what else this collection of packages can do together).

I've configured a Cisco ASA 5505 to push V9 Netflow data to my ELK system, here are my various configuration files (if someone would not mind vetting them for me to ensure I am on the right track that would be much appreciated):

/etc/logstash/conf.d/10-logstash-netflow.conf

input {
  udp {
    port => 9995
    codec => netflow {
      versions => [9]
    }
  }
}

output {
  stdout { codec => rubydebug }
  if ( [host] =~ "123.4.5.6" ) {
    elasticsearch {
      index => "logstash_netflow9-%{+YYYY.MM.dd}"
      host => "localhost"
      cluster => "somecluster-cl01"
      protocol => http
    }
  } else {
    elasticsearch {
      index => "logstash-%{+YYYY.MM.dd}"
      host => "localhost"
      cluster => "somecluster-cl01"
      protocol => http
    }
  }
}

/etc/elasticsearch/elasticsearch.yml

Everything default except:

cluster.name: somecluster-cl01
node.max_local_storage_nodes: 1
gateway.expected.nodes: 1

So I can see flows being received on the correct port, but the issue I've got is that in the logstash log file I see this error and no data is available in Kibana:

{:timestamp=>"2016-04-28T00:36:02.610000+0100", :message=>"No matching template for flow id 263", :level=>:warn}

...that's one example, but there are a few different ids that are missing - I know that this is relating to the file: netflow.yaml and there is no definition for the above ids - but I also read a reply on a forum that if the ASA is spamming flows it can cause issues, wrigby on github mentioned in reply to someone else a while ago:

"How often are your flow exporters (routers) configured to send out template records? When Logstash starts, it will have to wait for a template record before it can parse the flowset records. If those messages are lasting more than a minute or so, then we have a real problem."

Appreciate any advice to point me in the right direction

Thanks
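To make the quoted explanation concrete, here is a small NetFlow v9 decoder that reproduces the template dependency behind the "No matching template for flow id" warning. It is an added example, not part of the original post and not the Logstash netflow codec's code; the template ID 263, the field layout, the source ID and the flow records are all constructed for the demo. It shows why a data flowset that arrives before its template cannot be decoded, and why the same bytes decode fine once the exporter's template record has been seen and cached.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers (RFC 3954) used by the constructed template below
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


class NetflowV9Collector:
    """Minimal v9 decoder: data flowsets can only be parsed after their template arrived."""

    def __init__(self) -> None:
        # Template IDs are only unique per exporter, so key the cache by (source_id, template_id).
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.warnings: List[str] = []

    def feed(self, packet: bytes) -> List[dict]:
        """Decode one UDP payload; returns the flow records that could be parsed."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records: List[dict] = []
        offset = 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4:
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:            # template flowset: learn record layouts
                self._parse_templates(source_id, body)
            elif flowset_id == 1:          # options template: ignored in this example
                pass
            elif flowset_id >= 256:        # data flowset: id names the template to use
                records.extend(self._parse_data(source_id, flowset_id, body))
            offset += length
        return records

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(field_count):
                ftype, flen = struct.unpack("!HH", body[pos:pos + 4])
                fields.append((ftype, flen))
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id: int, template_id: int, body: bytes) -> List[dict]:
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            # Same situation as the Logstash warning: nothing to decode against yet, records are lost.
            self.warnings.append(f"No matching template for flow id {template_id}")
            return []
        record_len = sum(flen for _, flen in fields)
        records, pos = [], 0
        while pos + record_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = _ipv4(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")
            records.append(rec)
        return records


# --- constructed exporter side: builds packets the way an ASA/router would ---
def build_packet(source_id: int, flowsets: List[bytes], count: int, seq: int = 0) -> bytes:
    return struct.pack("!HHIIII", 9, count, 0, 0, seq, source_id) + b"".join(flowsets)


def build_template_flowset(template_id: int, fields: List[Tuple[int, int]]) -> bytes:
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id: int, records: List[bytes]) -> bytes:
    body = b"".join(records)
    body += b"\x00" * ((-len(body)) % 4)       # flowsets are padded to 4-byte boundaries
    return struct.pack("!HH", template_id, 4 + len(body)) + body


# Constructed template 263: src/dst IPv4, src/dst port, protocol, byte count (17 bytes per record)
TEMPLATE_263 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]


def sample_record(src: str, dst: str, sport: int, dport: int, proto: int, nbytes: int) -> bytes:
    addrs = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return addrs + struct.pack("!HHBI", sport, dport, proto, nbytes)


def demo() -> Tuple[List[dict], List[dict], List[str]]:
    collector = NetflowV9Collector()
    rec = sample_record("10.0.0.5", "192.0.2.10", 51000, 443, 6, 1500)
    data_pkt = build_packet(1, [build_data_flowset(263, [rec])], count=1)
    tmpl_pkt = build_packet(1, [build_template_flowset(263, TEMPLATE_263)], count=1)
    before = collector.feed(data_pkt)   # data before template: dropped with a warning
    collector.feed(tmpl_pkt)            # template record arrives and is cached
    after = collector.feed(data_pkt)    # identical bytes now decode
    return before, after, collector.warnings


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the collector side is the one wrigby describes: until the exporter's template refresh interval elapses, every data flowset using that template ID is undecodable and is logged as a missing template, so a long refresh interval (or a collector restart) means a correspondingly long gap of dropped flows rather than a configuration error.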

No-one got any ideas?

Thanks :slight_smile: