Netflow setup giving me an error

Trying to set up a simple netflow for a test.

What am I missing?

Installed new elasticsearch/kibana and all working fine.
Installed metricbeat and it works fine as well.

My kibana and elasticsearch are set up with hostname:9200 and hostname:5601.

On my logstash I don't have anything except this, but it still gives me an error that it can't connect to localhost. Where is it coming from?

I tried hostname/ip for the elasticsearch.hosts and kibana.host options.

   cat logstash.yml |grep -v ^#
node.name: elktst10
modules:
  - name: netflow
    var.input.udp.port: 2055
    var.elasticsearch.hosts: "10.29.111.1:9200"
    var.kibana.host: "10.29.111.1:5601"

http.host: "elktst10"
log.level: info
path.logs: /elkdata01/log/logstash/

Errors I get:

[INFO ] 2019-09-23 16:07:25.428 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.3.1"}
[INFO ] 2019-09-23 16:07:26.075 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] modulescommon - Setting up the netflow module
[ERROR] 2019-09-23 16:07:26.616 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] kibanaclient - Error when executing Kibana client request {:error=>#<Manticore::SocketException: Connection refused (Connection refused)>}
[ERROR] 2019-09-23 16:07:26.703 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] kibanaclient - Error when executing Kibana client request {:error=>#<Manticore::SocketException: Connection refused (Connection refused)>}
[ERROR] 2019-09-23 16:07:26.832 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] sourceloader - Could not fetch all the sources {:exception=>LogStash::ConfigLoadingError, :message=>"Failed to import module configurations to Elasticsearch and/or Kibana. Module: netflow has Elasticsearch hosts: ["localhost:9200"] and Kibana hosts: ["localhost:5601"]", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/config/modules_common.rb:108:in `block in pipeline_configs'", "org/jruby/RubyArray.java:1792:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/config/modules_common.rb:54:in `pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/modules.rb:14:in `pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:61:in `block in fetch'", "org/jruby/RubyArray.java:2572:in `collect'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:60:in `fetch'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:148:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:367:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
[ERROR] 2019-09-23 16:07:26.837 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] agent - An exception happened when converging configuration {:exception=>RuntimeError, :message=>"Could not fetch the configuration, message: Failed to import module configurations to Elasticsearch and/or Kibana. Module: netflow has Elasticsearch hosts: [\"localhost:9200\"] and Kibana hosts: [\"localhost:5601\"]", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/agent.rb:155:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:367:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
[INFO ] 2019-09-23 16:07:27.056 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-09-23 16:07:32.119 [LogStash::Runner] runner - Logstash shut down.

Anyone?

I even tried this but got the same error,

/usr/share/logstash/bin/logstash --modules netflow --setup -M "netflow.var.kibana.host=elktst10:5601" -M "netflow.var.input.udp.port=2055" -M "netflow.var.elasticsearch.hosts=elktst10:9200"

it still says localhost:9200 failed.

Oh well, solved it finally. Now to the next step.

/usr/share/logstash/bin/logstash --modules netflow --setup -M netflow.var.input.udp.port=2055 -M netflow.var.elasticsearch.hosts="elktst10:9200" -M netflow.var.kibana.host="elktst10:5601" -M netflow.var.elasticsearch.ssl.enabled="false" -M netflow.var.kibana.ssl.enabled="false"

It created the netflow-* index pattern,
but no data, and it didn't create a netflow index.

Still missing something, anyone?

Looks like the default port is not working. How do I find out which port I should listen on?

No good documentation and hardly any posts about how to configure netflow.
Oh well, if I can work this out I will definitely put up some documentation for the next person. :slight_smile:

I put this in the logstash config file but still no luck.
Tried all kinds of ports, nothing on any port. No output.

input {
  udp {
    host => "10.29.111.1"
    #port => 6343
    #port => 9995
    #port => 9996
    port => 2056
    codec => netflow
  }
}

filter { }

output {
  stdout { codec => rubydebug }
}

Here is the output. Hopefully someone from Elastic can see this and help.

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.headius.backport9.modules.Modules (file:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-9.2.7.0.jar) to field java.io.FileDescriptor.fd
WARNING: Please consider reporting this to the maintainers of com.headius.backport9.modules.Modules
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Thread.exclusive is deprecated, use Thread::Mutex
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2019-09-24 14:48:21.569 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-09-24 14:48:21.581 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.3.1"}
[INFO ] 2019-09-24 14:48:22.915 [Converge PipelineAction::Create] Reflections - Reflections took 48 ms to scan 1 urls, producing 19 keys and 39 values
[WARN ] 2019-09-24 14:48:25.196 [[main]-pipeline-manager] LazyDelegatingGauge - A gauge metric of an unknown type (org.jruby.RubyArray) has been create for key: cluster_uuids. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
[INFO ] 2019-09-24 14:48:25.200 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>16, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2000, :thread=>"#<Thread:0x3d771db8 run>"}
[INFO ] 2019-09-24 14:48:25.257 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2019-09-24 14:48:25.312 [[main]<udp] udp - Starting UDP listener {:address=>"10.29.111.1:2056"}
[INFO ] 2019-09-24 14:48:25.336 [Ruby-0-Thread-1: /usr/share/logstash/lib/bootstrap/environment.rb:6] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[INFO ] 2019-09-24 14:48:25.379 [[main]<udp] udp - UDP listener started {:address=>"10.29.111.1:2056", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[INFO ] 2019-09-24 14:48:25.579 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}

Oh well, I can't figure this out. I guess I will revisit this later or just drop the idea of doing netflow, as I can't find anything and it looks like no one here knows either.

I still can't see any index on elasticsearch.
Logstash starts up OK with this module.

Do I have to do anything else?

[2019-09-25T15:11:40,712][INFO ][logstash.javapipeline ] Starting pipeline {:pipeline_id=>"module-netflow", "pipeline.workers"=>16, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2000, :thread=>"#<Thread:0x51327c04 run>"}
[2019-09-25T15:11:40,787][INFO ][logstash.javapipeline ] Pipeline started {"pipeline.id"=>"module-netflow"}
[2019-09-25T15:11:40,853][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:2055"}
[2019-09-25T15:11:40,876][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:"module-netflow"], :non_running_pipelines=>}
[2019-09-25T15:11:40,926][INFO ][logstash.inputs.udp ] UDP listener started {:address=>"0.0.0.0:2055", :receive_buffer_bytes=>"212992", :queue_size=>"2000"}
[2019-09-25T15:11:41,288][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

Finally giving up on netflow. Nothing seems to work.

Do the following.

Run a tcpdump scoped to the source IP and see what port you're receiving on:

tcpdump -nn src host x.x.x.x

Make sure that's open in your firewall.
Make sure your configs call out that port.

Put this in your output. Give logstash some time to start up, then make sure you're getting the flows in test.log:

file {
  path => "/var/log/logstash/test.log"
  codec => "json_lines"
}

After that you know you're getting flows and you can work on the ES bit.

No luck.

tcpdump -nn src host 10.29.111.1
tcpdump: NFLOG link-layer type filtering not implemented

So I use -i to specify the interface name to avoid NFLOG.

tcpdump -i p1p1 -nn src host 10.29.111.1

Here is the output on the display:

13:55:52.342925 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54089388:54089600, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212
13:55:52.342970 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54089600:54089812, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212
13:55:52.343015 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54089812:54090024, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212
13:55:52.343063 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54090024:54090236, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212

Nothing in the log, the index or stdout.

Here is my config again, if it makes sense:

input {
  udp {
    host => "10.29.111.1"
    port => 2055
    codec => netflow {
      netflow_definitions => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-netflow-4.2.1/lib/logstash/codecs/netflow/netflow.yaml"
      versions => [5,9]
    }
  }
}

filter { }

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["elktst10:9200"]
    # MM is the month; mm is minutes and would create a new index every minute
    index => "netflow-%{+YYYY.MM}"
  }
  file {
    path => "/tmp/sachin_netflow.log"
    codec => "json_lines"
  }
}
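A small reader for the tcpdump output above, added here as an example and not part of the original thread or of any tool it mentions. It extracts protocol, addresses and ports from `tcpdump -nn` lines and reports which UDP destination ports actually carried datagrams, which is the question the tcpdump advice earlier in the thread is meant to answer. The first four lines of SAMPLE_CAPTURE are the posted tcpdump lines; they are TCP with source port 22 from 10.29.111.1, the address the udp input binds, so `src host` there selected the collector's own outbound SSH session. The fifth line is constructed to show what an inbound exporter datagram looks like, and the exporter address 10.29.111.254 is an assumption.

```python
"""Turn tcpdump -nn output into "which UDP port is actually receiving flows".

Added example, not part of the original thread or of any tool it mentions.
The first four SAMPLE_CAPTURE lines are the tcpdump lines posted above; the
last line is constructed (10.29.111.254 as exporter address is an assumption).
"""
import re
from collections import Counter

# tcpdump -nn prints "IP a.b.c.d.sport > w.x.y.z.dport: ..." for TCP and UDP.
# TCP lines continue with "Flags [..]", UDP lines with "UDP, length N".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

SAMPLE_CAPTURE = """\
13:55:52.342925 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54089388:54089600, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212
13:55:52.342970 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54089600:54089812, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212
13:55:52.343015 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54089812:54090024, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212
13:55:52.343063 IP 10.29.111.1.22 > 10.25.16.102.55934: Flags [P.], seq 54090024:54090236, ack 11597, win 332, options [nop,nop,TS val 9986699 ecr 1868196530], length 212
13:55:53.000001 IP 10.29.111.254.62001 > 10.29.111.1.2055: UDP, length 72
"""


def parse_line(line):
    """Return src/dst/ports/proto for one tcpdump line, or None if it is not
    an IPv4 TCP/UDP summary line (ARP, IPv6, hex dump continuation, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    proto = "udp" if rest.startswith("UDP") else "tcp" if rest.startswith("Flags") else "other"
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": proto}


def summarise(capture_text):
    """Packets per (proto, dst, dport) plus the UDP destination ports seen:
    only those are candidates for the port the netflow input should bind."""
    per_dest = Counter()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            per_dest[(pkt["proto"], pkt["dst"], pkt["dport"])] += 1
    udp_ports = sorted({dport for proto, _dst, dport in per_dest if proto == "udp"})
    return {"per_dest": per_dest, "udp_dst_ports": udp_ports}


def flows_seen_on(capture_text, collector_ip, port):
    """True if at least one UDP datagram was addressed to collector_ip:port."""
    return summarise(capture_text)["per_dest"].get(("udp", collector_ip, port), 0) > 0


def bpf_filter(collector_ip, port):
    """Capture filter that selects inbound flow datagrams. 'src host <collector>'
    selects packets the collector itself sends (the posted lines are its own SSH
    session, TCP source port 22); inbound flows are UDP with the collector as dst."""
    return "udp and dst host %s and dst port %d" % (collector_ip, port)


if __name__ == "__main__":
    summary = summarise(SAMPLE_CAPTURE)
    for (proto, dst, dport), n in sorted(summary["per_dest"].items()):
        print("%-4s -> %s:%d  %d packet(s)" % (proto, dst, dport, n))
    print("UDP destination ports seen:", summary["udp_dst_ports"])
    print("filter to use next time:", bpf_filter("10.29.111.1", 2055))
```

Pipe a real capture in with `tcpdump -i p1p1 -nn -l udp and dst host 10.29.111.1 | python3 thisfile.py` after swapping SAMPLE_CAPTURE for `sys.stdin.read()`; if `udp_dst_ports` stays empty while the exporter claims to be sending, the problem is upstream of Logstash (exporter destination, routing or a host firewall), not in the pipeline config.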

Alright, finally I see some light.

Started logstash -f with the config file.

In a second window, created a connection to that port and typed two lines:

nc houelktst10 -u 2055
hellow
now this

I got this on stdout in the first window:

[WARN ] 2019-09-26 14:09:20.651 [<udp.2] netflow - Ignoring Netflow version v28271
[WARN ] 2019-09-26 14:11:42.107 [<udp.1] netflow - Ignoring Netflow version v25702

This tells me there is no traffic flowing on 2055. What kind of traffic should I see with netflow?
Am I using the wrong port? Should I be using a different port?
I have Oracle Linux 7.5 running on this system.

Am I reading this properly?
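What a NetFlow collector actually expects on UDP 2055, as an added example that is not part of the original thread or of Logstash: the code below builds a minimal NetFlow v5 datagram (24-byte header plus one 48-byte record, big-endian), parses it back, and shows what the nc test above put on the wire. The codec reads the first two bytes as the version number, so a text line beginning with "no" (0x6e 0x6f) reads as version 28271, which is exactly the "Ignoring Netflow version v28271" warning shown. It also serves the earlier advice about tcpdump and the test.log file output: sending this synthetic datagram to the listener exercises the udp input, the codec and the outputs without waiting for a router. COLLECTOR_HOST and the values in SAMPLE_FLOW are constructed test data.

```python
"""NetFlow v5 on the wire: build a datagram, parse it, and see what a plain
text line from nc looks like to a collector.

Added example for this thread, not code from the original posts or from
Logstash. Assumptions: the collector listens on UDP 2055 as in the configs
above; COLLECTOR_HOST and the values in SAMPLE_FLOW are constructed test data.
"""
import socket
import struct
import time

COLLECTOR_HOST = "127.0.0.1"  # assumption: set to the logstash host
COLLECTOR_PORT = 2055         # the listener port used in the thread

# Cisco's NetFlow v5 layout: 24-byte header, then 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample flow: one TCP session between RFC 5737 test addresses.
SAMPLE_FLOW = {
    "src_addr": "192.0.2.10", "dst_addr": "198.51.100.20", "next_hop": "192.0.2.1",
    "in_if": 1, "out_if": 2, "packets": 12, "octets": 5120,
    "first_ms": 1000, "last_ms": 4000, "src_port": 51514, "dst_port": 443,
    "tcp_flags": 0x1B, "protocol": 6, "tos": 0, "src_mask": 24, "dst_mask": 24,
}


def netflow_version(datagram):
    """First two bytes, big-endian. This is the number the codec prints in
    'Ignoring Netflow version vNNNN' when the datagram is not NetFlow."""
    if len(datagram) < 2:
        raise ValueError("datagram shorter than the version field")
    return struct.unpack("!H", datagram[:2])[0]


def version_as_text(version):
    """Inverse of the above: the two bytes a bogus version was read from."""
    return struct.pack("!H", version).decode("latin-1")


def build_v5(flows, sys_uptime_ms=0, unix_secs=None, flow_sequence=0):
    """Serialise flow dicts into one v5 datagram (exporters send 1..30)."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    if unix_secs is None:
        unix_secs = int(time.time())
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    records = b"".join(V5_RECORD.pack(
        socket.inet_aton(f["src_addr"]), socket.inet_aton(f["dst_addr"]),
        socket.inet_aton(f.get("next_hop", "0.0.0.0")),
        f.get("in_if", 0), f.get("out_if", 0), f["packets"], f["octets"],
        f["first_ms"], f["last_ms"], f["src_port"], f["dst_port"],
        0, f.get("tcp_flags", 0), f["protocol"], f.get("tos", 0),
        0, 0, f.get("src_mask", 0), f.get("dst_mask", 0), 0) for f in flows)
    return header + records


def parse_v5(datagram):
    """Decode a v5 datagram. Anything whose version field is not 5 is refused,
    which is the same decision the Logstash codec makes before it warns."""
    version = netflow_version(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5: version field reads %d (bytes %r)"
                         % (version, version_as_text(version)))
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated v5 header")
    _, count, uptime, secs, _nsecs, seq, _et, _eid, _smp = V5_HEADER.unpack_from(datagram)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError("header announces %d records (%d bytes), got %d bytes"
                         % (count, expected, len(datagram)))
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src_addr": socket.inet_ntoa(r[0]), "dst_addr": socket.inet_ntoa(r[1]),
            "next_hop": socket.inet_ntoa(r[2]), "in_if": r[3], "out_if": r[4],
            "packets": r[5], "octets": r[6], "first_ms": r[7], "last_ms": r[8],
            "src_port": r[9], "dst_port": r[10], "tcp_flags": r[12],
            "protocol": r[13], "tos": r[14], "src_mask": r[17], "dst_mask": r[18],
        })
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "flow_sequence": seq, "flows": flows}


def send_udp(datagram, host=COLLECTOR_HOST, port=COLLECTOR_PORT):
    """Fire the datagram at the collector. UDP gives no delivery report, so
    confirm arrival in the Logstash stdout/file output or with tcpdump."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


if __name__ == "__main__":
    dg = build_v5([SAMPLE_FLOW], sys_uptime_ms=60_000, flow_sequence=1)
    print(len(dg), "byte datagram, version", netflow_version(dg))
    print(parse_v5(dg)["flows"][0])
    # The nc test above: the line "now this" starts with 'n','o' = 0x6e 0x6f.
    v = netflow_version(b"now this\n")
    print("text line reads as version", v, "bytes", repr(version_as_text(v)))
    send_udp(dg)
```

Run it on the same host as Logstash (or point COLLECTOR_HOST at it) while the pipeline above is running; a decoded event on stdout and a line in the json_lines file confirms the input, codec and outputs work, which narrows the remaining problem to the exporter never reaching the port. Real exporters will be v9 or IPFIX as often as v5, so keep `versions => [5,9]` in the codec even though this test only sends v5.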

Are you sending the flows to port 55934? You should call that out in your config if so.

No, you read it wrong.
