Hello,
I'm fairly new to ELK, but I'm trying to stand up ELK to collect NetFlow data from our network devices. I'm also using the GeoIP lookup filter, and no matter what I do, the events that show up in Elasticsearch are tagged with '_grokparsefailure' and '_geoip_lookup_failure'. What puzzles me is that the top-level `geoip` field is populated for the public source address, while `src_geoip` and `dst_geoip` come back as empty objects; the destination (10.0.2.124) is an RFC 1918 private address, which no GeoIP database can resolve, so I suspect at least that lookup is expected to fail. Here is an example of a NetFlow record from Logstash:
{
"netflow":{
"output_snmp":2,
"dst_as":0,
"dst_mask":22,
"in_pkts":2,
"ipv4_dst_addr":"10.0.2.124",
"src_tos":0,
"first_switched":"2017-02-05T02:21:27.999Z",
"flowset_id":256,
"l4_src_port":80,
"ipv4_next_hop":"10.0.2.124",
"src_mask":0,
"version":9,
"flow_seq_num":1549640,
"ipv4_src_addr":"173.192.194.67",
"in_bytes":128,
"protocol":6,
"last_switched":"2017-02-05T02:21:32.999Z",
"input_snmp":1,
"tcp_flags":24,
"flow_sampler_id":0,
"protocolIndentifierString":"TCP",
"l4_dst_port":55627,
"direction":1,
"src_as":0
},
"srcip":"173.192.194.67",
"dst_geoip":{
},
"@timestamp":"2017-02-05T02:21:45.000Z",
"geoip":{
"timezone":"America/New_York",
"ip":"173.192.194.67",
"latitude":38.9036,
"continent_code":"NA",
"city_name":"Chantilly",
"country_code2":"US",
"country_name":"United States",
"dma_code":511,
"country_code3":"US",
"region_name":"Virginia",
"location":[
-77.4512,
38.9036
],
"postal_code":"20151",
"longitude":-77.4512,
"region_code":"VA"
},
"@version":"1",
"host":"192.168.0.254",
"src_geoip":{
},
"dstip":"10.0.2.124",
"type":"netflow",
"tags":[
"_grokparsefailure",
"_geoip_lookup_failure"
]
}
I'm not really sure what I'm doing wrong here — in particular whether a grok filter is being applied to events the netflow codec has already decoded into structured fields (leaving grok nothing to match), and whether the failing GeoIP lookup is the one against the private destination address rather than the public source. Does anyone have any ideas?