Been working with the ELK stack and loving it. A bit of a learning curve, but I finally got it all working with dashboards etc.
I have Filebeat reporting back from a FW and it is working really well to display my dashboards. I wanted to get Netflow working as well.
How I tried to get it working:
I used the cmd line option as per the documentation and set my UDP port as specified in the manual.
What I noticed is that it started a bootstrap of LogStash with Netflow running instead of integrating it into the currently running LogStash. All dashboards & visualisations were created and the pipeline was created in ES.
When I connected to the running LogStash process to see what was happening, I didn't see any "netflow type of activity"; all other activity was as per normal.
I then tried option 2: specifying the module and the vars in the logstash.config. Restarted the entire ELK stack. In this case:
- File Beat stopped sending or ELK was not receiving any info from the file beat agent on the FW.
- No info was being passed to the ES pipeline either.
I checked the LogStash log files and saw that it started up and the UDP port was created as specified, but still no Filebeat.
Then, when I remove (comment out) the Netflow module and restart the ELK stack, LogStash starts up as per normal (in the logs). But I have to go to ES, close the pipeline and then reopen it. After 30s - 1min the items start flowing in again.
I guess my question(s) are:
Can you have Filebeat and Netflow "talking" to the same LogStash instance? (My layman's view is that there seems to be some clash here.)
Why would I have to close and then reopen ES pipeline for logstash after disabling a module to get the flow of info in?
Thank you for the time, and looking forward to the response.
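For reference, here is an added example (not the poster's configuration and not part of the netflow module) of a single hand-written Logstash pipeline that receives both Filebeat on a Beats input and NetFlow on a UDP input with the netflow codec, so the two feeds share one Logstash instance without the module's separate bootstrap. The port numbers, Elasticsearch host and index names are assumptions.

```logstash
# Added example, not the poster's config: one pipeline, two inputs.
# Assumed values: Beats port 5044, NetFlow UDP port 2055, ES on localhost:9200.
input {
  beats {
    port => 5044                  # Filebeat on the firewall ships here
    tags => ["filebeat"]
  }
  udp {
    port  => 2055                 # NetFlow exporter sends here (assumed port)
    codec => netflow {
      versions => [5, 9]          # accept v5 and v9 flow records
    }
    tags => ["netflow"]
  }
}

filter {
  # The netflow codec already places decoded fields under [netflow];
  # the tag lets the two feeds be told apart in dashboards and outputs.
  if "netflow" in [tags] {
    mutate { add_field => { "[event][kind]" => "netflow" } }
  }
}

output {
  if "netflow" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "netflow-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "filebeat-%{+YYYY.MM.dd}"
    }
  }
}
```

Once the pipeline is loaded, checking the Logstash log for both the Beats listener and the UDP listener starting, and confirming new documents land in both indices, tells you whether the two feeds really are coexisting.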