I have installed an Elastic Fleet server (self managed) and have deployed Elastic Agents successfully via Fleet. I have the Netflow Integration as part of the agent policy, but it doesn't look to be creating the data stream or the log set. The agents are reporting healthy, and I am getting other log data (I'm running endpoint security as well).
I checked the firewall config, and UDP port 2055 is open. The user I'm using in the config has superuser privileges. Any help would be appreciated in getting the netflow data into Elastic.
```yaml
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://xxx.xxx.xxx.103:9200'
    username: <user>
    password: <pw>
```
And here's the netflow portion of the policy:
```yaml
name: linux-netflow
revision: 5
type: netflow
use_output: default
meta:
  package:
    name: netflow
    version: 1.2.0
data_stream:
  namespace: linux_workstations
streams:
  - id: netflow-netflow.log-bb3b17e7-f004-48ca-af4d-5097d3162a5c
    data_stream:
      dataset: netflow.log
      type: logs
    expiration_timeout: 30m
    queue_size: 8192
    host: '0.0.0.0:2055'
    max_message_size: 10KiB
    protocols:
      - v1
      - v5
      - v6
      - v7
      - v8
      - v9
      - ipfix
    detect_sequence_reset: true
    tags:
      - netflow
      - forwarded
```
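One way to tell whether the problem is "no flows are reaching the agent" versus "flows arrive but are not indexed" is to inject a single well-formed NetFlow v5 datagram at the listener and then look for the `logs-netflow.log-linux_workstations` data stream. The script below is an added example, not code from the post above or from Elastic: it builds a minimal v5 packet (24-byte header plus 48-byte records, as the integration's `v5` protocol expects), parses it back to confirm the layout, and can send it to a collector. The collector address is an assumption taken from the posted policy (`0.0.0.0:2055`, i.e. UDP 2055 on the agent host); the flow values are constructed sample data.

```python
"""Build, parse and optionally emit a minimal NetFlow v5 datagram.

Added example for exercising a collector that listens on UDP 2055.
"""
import socket
import struct
import time
from ipaddress import IPv4Address

# NetFlow v5 wire layout: fixed 24-byte header followed by N fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"               # version,count,sysuptime,unix_secs,unix_nsecs,seq,engine_type,engine_id,sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src,dst,nexthop,in_if,out_if,pkts,bytes,first,last,sport,dport,pad,flags,proto,tos,src_as,dst_as,src_mask,dst_mask,pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

# Constructed sample flow: one TCP/443 connection between two RFC 1918 hosts.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51000, "dport": 443,
     "proto": 6, "tcp_flags": 0x1b, "packets": 12, "bytes": 4096},
]


def build_v5_packet(flows, sequence=0, uptime_ms=60_000, now=None):
    """Pack a list of flow dicts into one NetFlow v5 datagram."""
    now = int(time.time()) if now is None else now
    header = struct.pack(HEADER_FMT, 5, len(flows), uptime_ms, now, 0, sequence, 0, 0, 0)
    body = b""
    for f in flows:
        body += struct.pack(
            RECORD_FMT,
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\0\0\0\0",
            1, 2,                                   # input / output SNMP ifIndex
            f["packets"], f["bytes"],
            uptime_ms - 5_000, uptime_ms - 1_000,   # first / last seen, in sysuptime ms
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,
            0, 0, 24, 24, 0,                        # AS numbers, prefix masks, pad
        )
    return header + body


def parse_v5_packet(data):
    """Unpack a NetFlow v5 datagram; raise ValueError on anything malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _sampling = struct.unpack_from(HEADER_FMT, data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": str(IPv4Address(fields[0])), "dst": str(IPv4Address(fields[1])),
            "packets": fields[5], "bytes": fields[6],
            "sport": fields[9], "dport": fields[10], "proto": fields[13],
        })
    return {"sequence": seq, "unix_secs": secs, "flows": flows}


def is_valid_v5(data):
    """True if the bytes parse as a consistent NetFlow v5 datagram."""
    try:
        parse_v5_packet(data)
        return True
    except ValueError:
        return False


def send_test_flow(collector_host, collector_port=2055, flows=SAMPLE_FLOWS, sequence=1):
    """Send one synthetic v5 datagram to the agent's netflow listener; returns bytes sent."""
    packet = build_v5_packet(flows, sequence=sequence)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (collector_host, collector_port))


if __name__ == "__main__":
    pkt = build_v5_packet(SAMPLE_FLOWS, sequence=1)
    print(parse_v5_packet(pkt))
    # Replace with the address of the host running the Elastic Agent (assumed here):
    # send_test_flow("agent-host.example", 2055)
```

After sending, a document with `netflow.exporter.*` and `source.ip: 10.0.0.5` showing up in Discover tells you the listener and ingest pipeline work and the real exporter is the problem; nothing arriving while the UDP packet is confirmed on the wire points at the agent side.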