Netflow input and output

btjtaylor · November 23, 2021, 5:52pm

Hi all

I need to receive netflow data and output it to multiple destinations (just testing with single destination for now)

Im running logstash 7.15.2 under windows

I made the following logstash config file but it crashes when netflow data is received:

input {
  udp {
    port  => 2055
    codec => netflow
  }
}

output {
  
udp {
    port  => 2055
    codec => netflow
    host => "10.2.0.6"
  }

file {
     path => "c:\netflow\netflow.txt"
  }
}

If I remove the UDP output (leave the file output in) it works fine, I can see netflow data output to a txt file.

Does anyone have any ideas about what is wrong with my netflow output? I cant find any exampls online

Thanks in advance

Badger · November 23, 2021, 6:22pm

The documentation says the codec is used to decode netflow packets. The code does not have an encode method, so I am not surprised that an exception occurs. I am surprised at what that exception is (A stack overflow!)

There is an open issue requesting support for use of the codec on an output.

In short, you cannot use the codec on an output.

rcowart · November 26, 2021, 9:29am

Just use samplicator to send the UDP packets to multiple destinations.

If it is useful, the ElastiFlow team makes a samplicator docker container available here.

https://hub.docker.com/r/elastiflow/samplicator

system · December 24, 2021, 9:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash support for netflow as output Logstash	2	301	May 28, 2019
Logstash input UDP netflow codec - BUG? Logstash	1	496	September 29, 2017
Logstash Netflow Codec Issues Logstash	2	463	August 13, 2020
Increasing Logstash Throughput When the Codec is the Bottleneck Logstash	12	2404	April 23, 2020
Netflow Codec : UDP receive errors Logstash	12	3273	May 11, 2018

Netflow input and output

Related Topics