Hello all,
I have installed an Elastic Fleet server (self managed) and have deployed Elastic Agents successfully via Fleet. I have the Netflow Integration as part of the agent policy, but it doesn't look to be creating the data stream or the log set. The agents are reporting healthy, and I am getting other log data (I'm running endpoint security as well).
I checked the firewall config, and UDP port 2055 is open. The user I'm using in the config has superuser privileges. Any help would be appreciated in getting the netflow data into Elastic.
Outputs

```yaml
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://xxx.xxx.xxx.103:9200'
    username: <user>
    password: <pw>
```
And here's the netflow portion of the policy:
```yaml
name: linux-netflow
revision: 5
type: netflow
use_output: default
meta:
  package:
    name: netflow
    version: 1.2.0
data_stream:
  namespace: linux_workstations
streams:
  - id: netflow-netflow.log-bb3b17e7-f004-48ca-af4d-5097d3162a5c
    data_stream:
      dataset: netflow.log
      type: logs
    expiration_timeout: 30m
    queue_size: 8192
    host: '0.0.0.0:2055'
    max_message_size: 10KiB
    protocols:
      - v1
      - v5
      - v6
      - v7
      - v8
      - v9
      - ipfix
    detect_sequence_reset: true
    tags:
      - netflow
      - forwarded
```
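A quick way to separate "no exporter is sending anything" from "the agent input is not ingesting" is to hand the collector one well-formed NetFlow v5 datagram and watch for the data stream. The script below is an added diagnostic, not part of the original post or the Elastic integration; the flow record contents and the collector address are constructed assumptions.

```python
import socket
import struct
import time

# NetFlow v5 wire format: a 24-byte header followed by 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, eng type, eng id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_packet(records, sequence=0, now=None):
    """Pack a list of constructed flow dicts into one NetFlow v5 datagram."""
    now = time.time() if now is None else now
    secs = int(now)
    nsecs = int((now - secs) * 1_000_000_000)
    uptime_ms = 60_000  # pretend the exporter has been up for one minute
    header = V5_HEADER.pack(5, len(records), uptime_ms, secs, nsecs, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\x00" * 4,  # src, dst, nexthop
            0, 0, r["packets"], r["bytes"],                                       # ifaces, dPkts, dOctets
            uptime_ms - 5_000, uptime_ms - 1_000,                                 # first/last (ms of uptime)
            r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], 0,      # ports, pad, flags, proto, tos
            0, 0, 0, 0, 0)                                                        # ASNs, masks, pad
        for r in records)
    return header + body

def parse_v5_header(datagram):
    """Decode the header the collector sees; the record count must match the body length."""
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    body_ok = len(datagram) == V5_HEADER.size + count * V5_RECORD.size
    return {"version": version, "count": count, "flow_sequence": seq, "body_ok": body_ok}

def send_test_flow(collector_host, collector_port=2055):
    """Emit one constructed TCP flow to the agent's NetFlow input; returns bytes sent."""
    sample = [{"src": "192.0.2.10", "dst": "198.51.100.20", "sport": 51234, "dport": 443,
               "proto": 6, "tcp_flags": 0x1b, "packets": 12, "bytes": 4096}]  # constructed record
    datagram = build_v5_packet(sample)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (collector_host, collector_port))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # agent host is an assumption
    print(send_test_flow(target), "bytes sent to", target)
```

Run it from a host that can reach the agent, then look for a `logs-netflow.log-linux_workstations` data stream (type-dataset-namespace from the policy above); if it appears, the input works and the problem is upstream at the exporter.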