Hi All,
We've been trying to use our ELK stack (version 6.3.1) to gather IPFIX from VMware VDS (version 5.5 update 3, currently upgrading to 6.5 but it's going to take a while).
When we configure our DVS to export Netflow (configuring the DVS itself, relevant port groups) we get unidirectional traffic (from the external network to DVS only) and see nothing in the other direction. When we configure another DVS or other port groups, all of a sudden we get a lot of garbage - IPv6 traffic (which doesn't exist at all in our environment), traffic from 0.0.0.0, traffic whose octetDeltaCount is above the maximum of long variable... at least we get a ton of directions (what is direction 255? 47?). We see many unknown VMware fields as well.
I suspect the DVS is sending some extra fields or messing up the codec somehow which is causing it to interpret packets wrongly. Has any of you encountered a similar problem? I've tried setting the target of the codec to ipfix but it just messes it up more...
Configuration:
input {
udp {
port => "4739"
codec => netflow {
versions => [10]
# target => "ipfix"
}
receive_buffer_bytes => 16777216
workers => 16
}
}
output {
elasticsearch { hosts... index... }
}