Logstash - netflow codec vs module

Hi All,

I am trying to find the difference between the netflow codec and the netflow module. I have tried both, but I could see a lot of additional fields in the netflow module that are not in the netflow codec, for example geoip.as_org.keyword, which is present in the module and not in the codec.

How can I get the same type of fields as the netflow module in the codec as well?

Thanks,
Raj

The pipeline that is part of the Logstash Netflow Module uses the netflow codec in its input to decode netflow datagrams. So...

netflow codec: decodes netflow datagrams
netflow module: further processes/enriches raw flow data and provides dashboards. (BTW, if you are seeing *.keyword fields there are issues with your configuration. It would seem that the index template is not being applied)

It is worth mentioning that the Logstash Netflow Module was originally based on v1.0.0 of ElastiFlow, and is quite far behind when it comes to functionality.

ElastiFlow is currently on v2.1.0 and includes support for Netflow v5/v9, IPFIX, and sFlow, with additional enrichment and handling of many more device specific flow use-cases.

Rob

Robert Cowart (rob@koiossian.com)
www.koiossian.com
True Turnkey SOLUTIONS for the Elastic Stack
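An added example (not the Netflow Module's own pipeline, nor code from either poster) that shows the split Rob describes in configuration form: the netflow codec only decodes the datagrams, and fields like geoip.as_org come from a separate geoip filter step. Field paths follow the netflow codec's output ([netflow][ipv4_src_addr], [netflow][ipv6_src_addr]); the UDP port, the [flow][src_addr] helper field, the target names and the template path are assumptions.

```logstash
input {
  udp {
    port  => 2055        # assumed collector port
    codec => netflow     # decode NetFlow v5/v9 datagrams, nothing more
  }
}

filter {
  # Copy the source address into one field; v5/v9 IPv4 and IPv6 templates
  # expose it under different names.
  if [netflow][ipv4_src_addr] {
    mutate { add_field => { "[flow][src_addr]" => "%{[netflow][ipv4_src_addr]}" } }
  } else if [netflow][ipv6_src_addr] {
    mutate { add_field => { "[flow][src_addr]" => "%{[netflow][ipv6_src_addr]}" } }
  }

  if [flow][src_addr] {
    # ASN lookup: produces [geoip][asn] and [geoip][as_org], the field asked
    # about in the question. Uses the bundled ASN database.
    geoip {
      source                => "[flow][src_addr]"
      target                => "geoip"
      default_database_type => "ASN"
    }

    # City lookup into its own target so the two lookups' fields stay apart:
    # [geoip_city][country_code2], [geoip_city][city_name], [geoip_city][location] ...
    geoip {
      source => "[flow][src_addr]"
      target => "geoip_city"
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "netflow-%{+YYYY.MM.dd}"
    # Without a matching index template, dynamic mapping creates text fields
    # with .keyword sub-fields (the symptom Rob mentions). The module ships a
    # template; here an assumed path to your own template is used instead.
    template      => "/etc/logstash/templates/netflow.json"
    template_name => "netflow"
  }
}
```

If the index template maps geoip.as_org as keyword, queries and visualizations use geoip.as_org directly and no .keyword sub-field appears.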
