Logstash netflow and beats input

h_foxit · February 13, 2018, 11:25am

hi, I want to configure logstash to read from both beats and netflow input .. but what i get is only the beats input that works .. I did check that my router is sending logs on port 555.
any idea why
input {
udp {
port => 555
codec => netflow {
versions => [5,9]
}
type => netflow
}

beats {
port => 5044
host => "0.0.0.0"
ssl => true
ssl_certificate => "/etc/logstash/logstash.crt"
ssl_key => "/etc/logstash/logstash.key"
}

}

paz · February 13, 2018, 1:55pm

Ports below 1024 are the so-called privileged ports, meaning you need to run Logstash under a user with sudo access to have sufficient rights to listen on that port.

You can either try and invoke Logstash as a root user or change the listener (and the appropriate appliance configuration) to a port higher than 1024 and see if that resolves the issue.

h_foxit · February 13, 2018, 2:21pm

hi, I did use sudo and a root account .. but nothing happen when I try to ..
I did try the netflow input only and every things is work fine .. any other idea ..

paz · February 13, 2018, 2:29pm

Hmm, there is (probably) no reason for Netflow input to work alone and not in conjunction with a second input.

Are there any relevant errors in the Logstash logfile? How did you pinpoint that the problem is the input itself?

h_foxit · February 13, 2018, 2:40pm

well when I run both inputes I see data comming from beats but nothing from the netflow .. all I see in log file or the debug mode is logstash processing data comming from beats ..
here some

12:02:39.616 [[main]>worker5] DEBUG logstash.p ipeline - output received {"event"=>{"xlate_ty pe"=>"dynamic", "src_interface"=>"B", "src_xlated_port"=>"8074", "source"= >"some.log", "type"=>"router", "src_xlated_ip"=>"10.10.8.9", "syslog_sever ity"=>"notice", "src_ip"=>"10.8.9.9", "p rotocol"=>"TCP", "syslog_timestamp"=>"Feb 13 1 2:01:11", "@version"=>"1", "beat"=>{"hostname" =>"LINUX", "name"=>"LINUX", "ver sion"=>"5.5.2"}, "host"=>"LINUX", "acti on"=>"Built", "src_geoip"=>{}, "ip.device"=>"10.8.9.90", "syslog_severity_code"=>5, "offset"

when I did switch to netflow only

5:18:55.153 [<udp.1] DEBUG logstash.codecs.netflow - Received template 256 of size 94 bytes. Representing in 94 BinData bytes
15:18:55.180 [<udp.1] DEBUG logstash.codecs.netflow - Start processing template
15:18:55.181 [<udp.1] DEBUG logstash.codecs.netflow - Field definition complete for te mplate 257 {:field=>[:uint32, :conn_id]}

h_foxit · February 13, 2018, 4:32pm

logstash have nothing to do with this .. it was my fault.. I did analyse the traffic comming from my router the only thing i found is templates .. no input ..
thx for your help .. sorry

system · March 13, 2018, 4:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can we use Filebeat with ssl and logstash netflow module? Logstash	2	398	September 2, 2019
Receive multiple Logstash inputs with TCP, UDP and Beats Beats filebeat	7	3422	November 15, 2021
Configuring Logstash to Accept Both SSL and Non-SSL Connections Logstash	2	128	March 4, 2024
Logstash beats: 69/71 error Logstash	4	6927	December 29, 2021
Lumberjack input not working with beats input Beats	4	1012	July 5, 2017

Logstash netflow and beats input

Related topics