Netflow codec. Wrong data

swb · June 22, 2020, 7:52am

Hello friends,
We want to replace our old system for viewing Netflow (Nfsen) information with ELK. For this, we used the netflow module for Logstash. But we see fewer packets and bytes than it actually is.
For example:
In Nfsen - it is correct information:

Dst IP Addr	Flows	Packets	Bytes
172.26.0.2	335	34200	17.5 M
172.27.227.135	283	358500	26.0 M
172.27.227.131	204	33300	5.5 M

Time window: 2020-06-22 08:59:07 - 2020-06-22 09:19:06

during the same time in ELK:

netflow.dst_addr.keyword	flow	packets	bytes
172.26.0.2	335	342	175,391
172.27.227.135	283	3,585	260,164
172.27.227.131	204	333	55,476

I do not understand why the number of packets and bytes is 100 times less.

ELK version - 7.3.2. Netflow codec v5, equipment - juniper mx80.

system · July 20, 2020, 7:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash input UDP netflow codec - BUG? Logstash	1	498	September 29, 2017
LogStash & Netflow : Wrong values? Logstash	3	682	May 7, 2018
Logstash 6.2.4 netflow module no packets no bytes Logstash	3	810	May 28, 2018
[logstash.codecs.netflow ] errors Logstash	1	380	September 27, 2018
I don't get it (plugins, data input etc) Elasticsearch	3	655	May 11, 2017

Netflow codec. Wrong data

Related topics