Netflow Codec Not Matching Interface from Netflow Export

Stefano_Pirrello · December 23, 2015, 2:48pm

Hi,

I've setup ELK for Netflow analysis and overall everything seems to be working fine. The only problem I'm seeing is the Netflow codec is not matching interface information of the router. For instance, I'm not seeing any hits for the indice I setup for ports Gig0/0.50 or Gi0/1 on my Cisco ISR 2911 router. Has anyone had any success with this?

I'm using the following codec found in Github.

Here's the template I setup for logstash.

'{
"template" : "logstash_netflow9-*",
"settings": {
"index.refresh_interval": "5s"
},
"mappings" : {
"default" : {
"_all" : {"enabled" : false},
"properties" : {
"@version": { "index": "analyzed", "type": "integer" },
"@timestamp": { "index": "analyzed", "type": "date" },
"netflow": {
"dynamic": true,
"type": "object",
"properties": {
"version": { "index": "analyzed", "type": "integer" },
"flow_seq_num": { "index": "not_analyzed", "type": "long" },
"engine_type": { "index": "not_analyzed", "type": "integer" },
"engine_id": { "index": "not_analyzed", "type": "integer" },
"sampling_algorithm": { "index": "not_analyzed", "type": "integer" },
"sampling_interval": { "index": "not_analyzed", "type": "integer" },
"flow_records": { "index": "not_analyzed", "type": "integer" },
"if_name": { "index": "analyzed", "type": "string" },
"ipv4_src_addr": { "index": "analyzed", "type": "ip" },
"ipv4_dst_addr": { "index": "analyzed", "type": "ip" },
"ipv4_next_hop": { "index": "analyzed", "type": "ip" },
"input_snmp": { "index": "not_analyzed", "type": "long" },
"output_snmp": { "index": "not_analyzed", "type": "long" },
"in_pkts": { "index": "analyzed", "type": "long" },
"out_pkts": { "index": "analyzed", "type": "long" },
"in_bytes": { "index": "analyzed", "type": "long" },
"out_bytes": { "index": "analyzed", "type": "long" },
"first_switched": { "index": "not_analyzed", "type": "date" },
"last_switched": { "index": "not_analyzed", "type": "date" },
"l4_src_port": { "index": "analyzed", "type": "long" },
"l4_dst_port": { "index": "analyzed", "type": "long" },
"tcp_flags": { "index": "analyzed", "type": "integer" },
"protocol": { "index": "analyzed", "type": "integer" },
"src_tos": { "index": "analyzed", "type": "integer" },
"src_as": { "index": "analyzed", "type": "integer" },
"dst_as": { "index": "analyzed", "type": "integer" },
"src_mask": { "index": "analyzed", "type": "integer" },
"dst_mask": { "index": "analyzed", "type": "integer" }
}
}
}
}
}
}'

warkolm · December 23, 2015, 10:31pm

I don't know netflow very well, but are you using a compatible version? We only support v5 and v9.

Stefano_Pirrello · December 24, 2015, 4:14am

I'm using Netflow V9.

Topic		Replies	Views
5.2.2 and netflow codec: IP addresses appear as strings Logstash	1	448	April 13, 2017
Help with Netflow Configuration Logstash	6	2531	April 19, 2017
Netflow codec not working as expected Logstash	1	440	February 14, 2018
Logstash and cisco asa v9 netflow Logstash	17	6960	July 6, 2017
Logstash input UDP netflow codec - BUG? Logstash	1	497	September 29, 2017

Netflow Codec Not Matching Interface from Netflow Export

Related topics