Netflow in Logstash does not find the logstash.yml file

That is a good sign. It is running. What does your log file say?
Mine has this:

[2019-09-25T16:17:52,971][INFO ][logstash.javapipeline ] Starting pipeline {:pipeline_id=>"module-netflow", "pipeline.workers"=>16, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2000, :thread=>"#<Thread:0x79801812 run>"}
[2019-09-25T16:17:53,054][INFO ][logstash.javapipeline ] Pipeline started {"pipeline.id"=>"module-netflow"}
[2019-09-25T16:17:53,103][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:2055"}
[2019-09-25T16:17:53,139][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:"module-netflow"], :non_running_pipelines=>}
[2019-09-25T16:17:53,168][INFO ][logstash.inputs.udp ] UDP listener started {:address=>"0.0.0.0:2055", :receive_buffer_bytes=>"212992", :queue_size=>"2000"}
[2019-09-25T16:17:53,400][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

I have this in my logstash.yml file. I tried both the IP address and the name, and both combinations; none is working.

modules:
  - name: netflow
    var.elasticsearch.hosts: 10.29.111.1:9200
    var.elasticsearch.ssl.enabled: false
    var.kibana.host: elktst10:5601
    var.kibana.scheme: http
    var.kibana.ssl.enabled: false
    var.kibana.ssl.verification_mode: disable

My log says
2019-09-25T00:07:09,781][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
[2019-09-25T00:08:11,461][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-09-25T00:08:11,486][FATAL][logstash.runner ] Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the "path.data" setting.

And I think this was caused because I stopped the logstash service and then ran
bin/logstash --modules netflow --setup --path.settings /etc/logstash

before I started logstash. Then all the Netflow things got installed and set up, the same way that happened to you, but on my end the logstash service did not start, and I don't have a clue what to do because I have another pipeline on the same logstash server and now it is not working.

You have to remove that -module thing from the logstash.yml file and restart logstash, and it will start up.
I just tested it and it works.

But it still does not solve the problem we both have: no data is coming in from netflow.

I'm guessing that you have not yet received a template for the netflow. If you run journalctl -fu logstash you will probably see a message about not having received a template yet. Let it run for a bit and see if it starts indexing into Elasticsearch.
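
One way to separate "the exporter is not sending" from "the pipeline is not indexing" is to send the UDP listener on port 2055 a synthetic NetFlow v5 datagram and watch the Logstash log and Elasticsearch for it. This is an added example, not part of the thread; the function names and every flow value (RFC 5737 test addresses, ports, counters) are constructed for illustration.

```python
import socket
import struct
import time

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_datagram(flows, uptime_ms=60_000, sequence=0, now=None):
    """Pack constructed flows into a single NetFlow v5 export datagram."""
    if not 1 <= len(flows) <= 30:  # v5 carries at most 30 records per datagram
        raise ValueError("NetFlow v5 allows 1..30 records per datagram")
    now = time.time() if now is None else now
    header = HEADER.pack(5, len(flows), uptime_ms, int(now),
                         int((now % 1) * 1e9), sequence, 0, 0, 0)
    body = b""
    for f in flows:
        body += RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
            socket.inet_aton("0.0.0.0"),      # next hop unknown
            1, 2,                             # input / output ifIndex (constructed)
            f["packets"], f["octets"],
            uptime_ms - 1000, uptime_ms,      # flow start / end in sysUptime ms
            f["sport"], f["dport"],
            0, 0x18, f["proto"], 0,           # pad, TCP flags (PSH+ACK), protocol, ToS
            0, 0, 24, 24, 0)                  # AS numbers, prefix masks, pad
    return header + body


def send_test_flow(host="127.0.0.1", port=2055):
    """Send one synthetic flow to the collector; returns the bytes sent."""
    flows = [{"src": "192.0.2.10", "dst": "198.51.100.20",  # RFC 5737 test addresses
              "sport": 51515, "dport": 443, "proto": 6,
              "packets": 10, "octets": 4200}]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(build_v5_datagram(flows), (host, port))


if __name__ == "__main__":
    print("sent", send_test_flow(), "bytes to 127.0.0.1:2055")
```

If the synthetic flow gets indexed but real traffic does not, the problem is upstream of Logstash: the exporter's target address or port, or a firewall dropping UDP 2055.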
