Logstash sflow

Elastic Stack Logstash
1

Hi,

I've read that it's possible to get sflow logs from switches to logstash.

Can yo explain me how to do it ?
I've followed that tutorial, but nothing appear in my logs:

Thx

2

I'v foun dthis codec, but how can i install it ?

3

Hi,

What type of switch are you using?

4

Extreme Networks Black diamond 8800 and summit X250 - 450

5

hi,

i receive datas, but not really clear :slight_smile:

\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\xAC\u0010\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0018S\xF9\xA9\xFA\u0006\u0000\u0000\u0000\v\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000E%\u0000\u0000\u0003\xF8\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\u0003\xF8\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000;\x9A\xCA\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0014YP\x82\xE9\u0010o\t-\u0000\u0006\xB7\u0013\u0000\rU\u001D\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\xA0\xDF[\xCD\xF1\u001E\x9DW\xF4\u0003/\xFF\xD1\u0005s\xB1\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000E%\u0000\u0000\u0004\v\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\u0004\v\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000;\x9A\xCA\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0003\u0000\u0000\u0000\b\e\x97\xB6\xD6\t\xF3h \u0000\f\xC9t\u0000\u0019\bq\u0000\u0000\u0000\u0000\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u001C\xA8\x9A\xC5\u0012\xF8\xEC\xF2\u00033\xE5\xA2\u0005g\x95N\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000E%\u0000\u0000\a\xD7\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\a\xD7\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\xB9\u0004>\u0000\u0001\xA2\x99c\u0000\u0001\xAF\u0011\u0000\u0014'b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\r\xBE\xB0T\u0006\u0003\b\xFD\xCE\u0000\xDA \x94\u0001x\u001Dx\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000E%\u0000\u0000\a\xEB\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\a\xEB\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000\u0005\xF5\xE1\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001\u000E9\xB8g\u0001Lb+\u0000\u0000\u0006\x9C\u0000\u0000\xAF\x90\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u001A\u0005\xC7]\u0001T\x8A\v\u0003\bh\x9C\u0005\x80s\xE1\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000E%\u0000\u0000\a\xFF\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\a\xFF\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\

6

What does your Logstash configuration look like? Have you configured it to work with sFlow?

7

i've just created a input :slight_smile:
input {

udp {
port => 9999
type => "sflow"
}
}

that gave me the log in my previous post.

i just add this filter: https://gist.github.com/whiskeyalpharomeo/92538521bb631dd2db38

then i receive no logs anymore.

8

What do you want to do with the data? Just have it on your machine locally or visualize it somewhere like on Kibana?

Take a look at https://github.com/NETWAYS/sflow

9

yes, get the data and send it to kibana.

To be able to see protocols/sources etc..

10

Alright so I assume you already have Kibana and Elasticsearch configured properly.

You're missing an output on your configuration file. Logstash is listening to port 9999 for any sflow, but doesn't know what to do with it afterwards.

Here is what my configuration looks like for Syslog
http://pastebin.com/QmrKzwm4

I have an input so Logstash knows where to start and receive data from and a output set to elasticsearch. Not sure how filters work for sFlow!

Try to add an output pointing to elasticsearch and see if it comes in, into Kibana. Change the index to whatever suits you

11

logstash is already working for syslog.

i'm bloked here on this process:https://github.com/NETWAYS/sflow
:slight_smile:

sudo bundle exec ./bin/sflow.rb
Connecting to Logstash: localhost:9300
Getting switch interface names 2016-05-17 15:16:49 +0100
no name for 10.9.8.3
/usr/lib/ruby/1.9.1/resolv.rb:128:in getname' /etc/logstash/conf.d/sflow/lib/sflow/snmp/iface_names.rb:8:inblock in initialize'
/etc/logstash/conf.d/sflow/lib/sflow/snmp/iface_names.rb:7:in each_key' /etc/logstash/conf.d/sflow/lib/sflow/snmp/iface_names.rb:7:ineach'
/etc/logstash/conf.d/sflow/lib/sflow/snmp/iface_names.rb:7:in initialize' /etc/logstash/conf.d/sflow/lib/sflow/collector.rb:54:innew'
/etc/logstash/conf.d/sflow/lib/sflow/collector.rb:54:in start_collector' /etc/logstash/conf.d/sflow/bin/sflow.rb:7:in<top (required)>'
/var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/cli/exec.rb:63:in load' /var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/cli/exec.rb:63:inkernel_load'
/var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/cli/exec.rb:24:in run' /var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/cli.rb:304:inexec'
/var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/vendor/thor/lib/thor/command.rb:27:in run' /var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:ininvoke_command'
/var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/vendor/thor/lib/thor.rb:359:in dispatch' /var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/vendor/thor/lib/thor/base.rb:440:instart'
/var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/cli.rb:11:in start' /var/lib/gems/1.9.1/gems/bundler-1.12.4/exe/bundle:27:inblock in <top (required)>'
/var/lib/gems/1.9.1/gems/bundler-1.12.4/lib/bundler/friendly_errors.rb:98:in with_friendly_errors' /var/lib/gems/1.9.1/gems/bundler-1.12.4/exe/bundle:19:in<top (required)>'
/usr/local/bin/bundle:23:in load' /usr/local/bin/bundle:23:in'
bundler: failed to load command: ./bin/sflow.rb (./bin/sflow.rb)
RuntimeError: unable to start sflow collector
/etc/logstash/conf.d/sflow/lib/sflow/collector.rb:63:in rescue in start_collector' /etc/logstash/conf.d/sflow/lib/sflow/collector.rb:42:instart_collector'
/etc/logstash/conf.d/sflow/bin/sflow.rb:7:in `<top (required)>'

12

HI karl ,

Did you fix this issue.

Even am facing the same issue.Any inputs from anyone?

bundle exec ./bin/sflow.rb
Connecting to Logstash: localhost:6543
Getting switch interface names 2016-09-23 13:58:32 +0200
no name for 1.2.3.4
/usr/lib/ruby/2.1.0/resolv.rb:128:in getname' /home/raj/sflow/lib/sflow/snmp/iface_names.rb:8:inblock in initialize'
/home/raj/sflow/lib/sflow/snmp/iface_names.rb:7:in each_key' /home/raj/sflow/lib/sflow/snmp/iface_names.rb:7:ineach'
/home/raj/sflow/lib/sflow/snmp/iface_names.rb:7:in initialize' /home/raj/sflow/lib/sflow/collector.rb:54:innew'
/home/raj/sflow/lib/sflow/collector.rb:54:in start_collector' /home/raj/sflow/bin/sflow.rb:7:in<top (required)>'
/var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/cli/exec.rb:74:in load' /var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/cli/exec.rb:74:inkernel_load'
/var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/cli/exec.rb:27:in run' /var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/cli.rb:332:inexec'
/var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/vendor/thor/lib/thor/command.rb:27:in run' /var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:ininvoke_command'
/var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/vendor/thor/lib/thor.rb:359:in dispatch' /var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/cli.rb:20:indispatch'
/var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/vendor/thor/lib/thor/base.rb:440:in start' /var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/cli.rb:11:instart'
/var/lib/gems/2.1.0/gems/bundler-1.13.1/exe/bundle:34:in block in <top (required)>' /var/lib/gems/2.1.0/gems/bundler-1.13.1/lib/bundler/friendly_errors.rb:100:inwith_friendly_errors'
/var/lib/gems/2.1.0/gems/bundler-1.13.1/exe/bundle:26:in <top (required)>' /usr/local/bin/bundle:22:inload'
/usr/local/bin/bundle:22:in <main>' bundler: failed to load command: ./bin/sflow.rb (./bin/sflow.rb) RuntimeError: unable to start sflow collector /home/raj/sflow/lib/sflow/collector.rb:63:inrescue in start_collector'
/home/raj/sflow/lib/sflow/collector.rb:42:in start_collector' /home/raj/sflow/bin/sflow.rb:7:in<top (required)>'

Thanks,
Raj

13

We were using this for a few years until we seen this native codec

https://www.elastic.co/guide/en/logstash/current/plugins-codecs-sflow.html

14

However

The native sflow codec seems to bork the udp input

https://discuss.elastic.co/t/logstash-inputs-udp-eoferror-end-of-file-reached/73212

I can't really find anyway to get sflow though logstash these days on ELK 5.2

If anyone has this working, please share

15

I just did a fresh install on ubuntu 16.04 of ELK 5.2 and have sflow data in Kibana.

After installing the .deb pkgs I installed the sflow codec by running this:

/usr/share/logstash/bin/logstash-plugin install logstash-codec-sflow

Then I configured logstash.

Here is my /etc/logstash/logstash.yaml http://pastebin.com/4uysTEsb
Here is my /etc/logstash/conf.d/logstash-sflow.conf http://pastebin.com/v4LWWZaT

restarted the services and data is flowing.