Logstash netflow and beats input

Hi, I want to configure Logstash to read from both beats and netflow inputs .. but only the beats input works .. I did check that my router is sending logs on port 555.
Any idea why?
input {
  udp {
    port => 555
    codec => netflow {
      versions => [5,9]
    }
    type => netflow
  }

  beats {
    port => 5044
    host => "0.0.0.0"
    ssl => true
    ssl_certificate => "/etc/logstash/logstash.crt"
    ssl_key => "/etc/logstash/logstash.key"
  }
}

Ports below 1024 are the so-called privileged ports, meaning you need to run Logstash under a user with sudo access to have sufficient rights to listen on that port.

You can either try and invoke Logstash as a root user or change the listener (and the appropriate appliance configuration) to a port higher than 1024 and see if that resolves the issue.


Hi, I did use sudo and a root account .. but nothing happens when I try to ..
I did try the netflow input only and everything works fine .. any other idea ..

Hmm, there is (probably) no reason for Netflow input to work alone and not in conjunction with a second input.

Are there any relevant errors in the Logstash logfile? How did you pinpoint that the problem is the input itself?

Well, when I run both inputs I see data coming from beats but nothing from the netflow .. all I see in the log file or the debug mode is Logstash processing data coming from beats ..
Here is some:

12:02:39.616 [[main]>worker5] DEBUG logstash.pipeline - output received {"event"=>{"xlate_type"=>"dynamic", "src_interface"=>"B", "src_xlated_port"=>"8074", "source"=>"some.log", "type"=>"router", "src_xlated_ip"=>"10.10.8.9", "syslog_severity"=>"notice", "src_ip"=>"10.8.9.9", "protocol"=>"TCP", "syslog_timestamp"=>"Feb 13 12:01:11", "@version"=>"1", "beat"=>{"hostname"=>"LINUX", "name"=>"LINUX", "version"=>"5.5.2"}, "host"=>"LINUX", "action"=>"Built", "src_geoip"=>{}, "ip.device"=>"10.8.9.90", "syslog_severity_code"=>5, "offset"

when I did switch to netflow only

5:18:55.153 [<udp.1] DEBUG logstash.codecs.netflow - Received template 256 of size 94 bytes. Representing in 94 BinData bytes
15:18:55.180 [<udp.1] DEBUG logstash.codecs.netflow - Start processing template
15:18:55.181 [<udp.1] DEBUG logstash.codecs.netflow - Field definition complete for template 257 {:field=>[:uint32, :conn_id]}

Logstash has nothing to do with this .. it was my fault .. I did analyse the traffic coming from my router; the only thing I found is templates .. no input ..
thx for your help .. sorry
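
The check that resolved this thread (is the exporter sending data records, or only templates?), as an added example that is not part of the original posts: a small parser that classifies the FlowSets in NetFlow v9 datagrams using the RFC 3954 layout. The function names and both sample datagrams are constructed for illustration.

```python
import struct
from collections import Counter

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HEADER = struct.Struct("!HH")  # flowset_id, length (length includes these 4 bytes)

def classify_flowsets(packet: bytes) -> Counter:
    """Count template, options-template and data FlowSets in one v9 datagram."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version = V9_HEADER.unpack_from(packet)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    counts = Counter()
    offset = V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(packet):
        flowset_id, length = FLOWSET_HEADER.unpack_from(packet, offset)
        if length < FLOWSET_HEADER.size or offset + length > len(packet):
            raise ValueError(f"bad FlowSet length {length} at offset {offset}")
        if flowset_id == 0:
            counts["template"] += 1          # describes the record layout only
        elif flowset_id == 1:
            counts["options_template"] += 1
        elif flowset_id >= 256:
            counts["data"] += 1              # actual flow records; ID = template ID
        else:
            counts["reserved"] += 1          # IDs 2-255 are reserved
        offset += length
    return counts

def exporter_sends_only_templates(packets) -> bool:
    """True when templates arrive but no data FlowSet does, so no events can be emitted."""
    total = Counter()
    for packet in packets:
        total.update(classify_flowsets(packet))
    return total["data"] == 0 and total["template"] + total["options_template"] > 0

def build_v9(flowsets: bytes, count: int = 1) -> bytes:
    """Constructed sample datagram: fixed header values, caller-supplied FlowSets."""
    return V9_HEADER.pack(9, count, 1000, 1518500000, 1, 0) + flowsets

# Constructed samples: template 256 with two 4-byte fields (IPv4 src, IPv4 dst) ...
TEMPLATE_ONLY = build_v9(struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4))
# ... and one data FlowSet that uses template 256.
WITH_DATA = build_v9(struct.pack("!HH4s4s", 256, 12, bytes([10, 8, 9, 9]), bytes([10, 10, 8, 9])))

if __name__ == "__main__":
    print(exporter_sends_only_templates([TEMPLATE_ONLY]))             # only templates seen
    print(exporter_sends_only_templates([TEMPLATE_ONLY, WITH_DATA]))  # data records present
```

To run it against real traffic, pass in the UDP payloads from a capture taken on the collector port.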
