Netflow default dashboard wrong fields

Ivan44785372 · April 16, 2018, 6:03pm

Hello.
I have installed ELK using docker 6.2.3.
I can see that standard netflow dashboard/visualisation use netflow.dst_addr but I don't have such field. I have: netflow.ipv4_dst_addr

netflow.bytes (dashboard) -> netflow.in_bytes (me)

What is the problem ?

Ivan44785372 · April 17, 2018, 6:59am

I have found a solution.

github.com

elastic/logstash/blob/master/modules/netflow/configuration/logstash/netflow.conf.erb

input {
    udp {
        type => "netflow"
        port => <%= setting("var.input.udp.port", 2055) %>
        codec => netflow {
            versions => [5,9]
        }
        workers => <%= setting("var.input.udp.workers", 2) %>
        receive_buffer_bytes => <%= setting("var.input.udp.receive_buffer_bytes", 212992) %>
        queue_size => <%= setting("var.input.udp.queue_size", 2000) %>
    }
}

filter {
    #--------------------
    # The field names for Netflow v5 and v9 differ. We need to normalize to a
    # common data model so that we can work with the resulting events in a common manner.
    #--------------------

    # Process Netflow v5 events.

This file has been truncated. show original

I think that it should be here: https://www.elastic.co/guide/en/logstash/current/netflow-module.html

system · May 15, 2018, 6:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.