Hi everyone!
I'm very new to ELK... So, I've got the following:
Elasticsearch v6.0.0 + X-Pack
Logstash v6.0.0 + X-Pack
Kibana v6.0.0 + X-Pack
I want to collect netflow data. The issue is:
I've executed /usr/share/logstash/bin/logstash --modules netflow --setup
and got the template, dashboards, etc. installed in Kibana. OK.
Then I started to send netflow data from my ASA; after 10 minutes the messages about a missing "template to decode" were gone and I got data in Kibana. BUT!
There are two fields in the template - netflow.bytes and netflow.packets - and there is no such data in the Discover app in Kibana. What should I do about this? Almost all graphs and charts refer to these fields. Am I missing something?
It seems the issue is in the updated Netflow format: Cisco ASA 9.6(1) doesn't send the IN_PACKETS and IN_BYTES fields - ASA Netflow spec. For the byte count it sends the following fields:
NF_F_FWD_FLOW_DELTA_BYTES - The delta number of bytes from source to destination.
NF_F_REV_FLOW_DELTA_BYTES - The delta number of bytes from destination to source.
and no data for the packet count.
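One way to make the module dashboards usable anyway is to derive netflow.bytes from the two ASA delta-bytes fields in the Logstash pipeline. The filter below is an added example, not the poster's configuration and not part of the Logstash netflow module; it assumes the netflow codec exposes the two ASA fields as [netflow][fwd_flow_delta_bytes] and [netflow][rev_flow_delta_bytes] (check the field names in your own decoded events in Discover first) and that you can add a filter stage to the pipeline that receives the decoded flows.

```logstash
filter {
  # Constructed example: only touch records that carry the ASA delta-byte
  # fields and do not already have netflow.bytes. Field names are assumptions.
  if ([netflow][fwd_flow_delta_bytes] or [netflow][rev_flow_delta_bytes]) and ![netflow][bytes] {
    ruby {
      code => "
        fwd = event.get('[netflow][fwd_flow_delta_bytes]').to_i
        rev = event.get('[netflow][rev_flow_delta_bytes]').to_i
        # Total bytes for the flow record = forward + reverse direction.
        event.set('[netflow][bytes]', fwd + rev)
        # Keep the direction split available for per-direction visualizations.
        event.set('[netflow][fwd_bytes]', fwd)
        event.set('[netflow][rev_bytes]', rev)
        # Mark the record so derived values can be told apart from real IN_BYTES.
        event.tag('asa_bytes_derived')
      "
    }
  }
}
```

netflow.packets cannot be reconstructed this way, since the ASA export contains no packet counter at all; visualizations built on that field will stay empty unless they are changed to use netflow.bytes. The added tag makes it easy to confirm in Discover (filter on tags:asa_bytes_derived) that the filter actually ran on the ASA records.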