Logstash Netflow Module: Could not index event to Elasticsearch netflow.application_id

Hi community :slight_smile:

I have recently installed the netflow module.

We have a Cisco router and we are trying to collect netflow.

I have followed this official guide.

The installation was successful. I have not made any other modifications.

And if I understand correctly, if I install the module I don't need to build a .conf file in /etc/logstash/conf.d/

I now get some errors when Logstash collects the flows:

[2019-01-04T11:14:22,170][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"netflow-2019.01.04", :_type=>"doc", :routing=>nil}, #LogStash::Event:0x2500dab], :response=>{"index"=>{"_index"=>"netflow-2019.01.04", "_type"=>"doc", "_id"=>"QkFbGGgBpiO-4DmCR2bZ", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [netflow.application_id] of type [integer]", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"For input string: "13:751""}}}}}

I have searched everywhere on the internet but I can't find a solution.

You may want to try ElastiFlow (https://github.com/robcowart/elastiflow). The Logstash Netflow module is based on ElastiFlow 1.0.0 and is very dated. The current release of ElastiFlow is 3.3.0 and has considerably more functionality. It also works well with the multi-pipeline capabilities of Logstash 6.x.

Thanks for the reply :slight_smile:

Works fine :slight_smile:
