I cannot get my mikrotik router Traffic Flow data to appear in elasticstack with my fleet elastic-agent.
Wireshark shows that the data is coming in (and fails when elastic-agent is restarting). The following works:
sudo softflowd -v 5 -D -i <mikrotik-connected-interface> -t maxlife=1 -p udp -n <my-ip>:2055
I've tried:
changing mikrotik traffic-flow settings to have src-address on same subnet, and version=5/ipfix (as well as the default 9 that is not listed as supported)
netflow_host=0.0.0.0
setting my netflow internal_networks to "0.0.0.0/0"
After turning agent debug logging on I get messages like
{"log.level":"debug","@timestamp":"2023-11-02T02:07:26.008Z","message":"PublishEvents: 16 events have been published to elasticsearch in 27.847913ms.","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"netflow-default","type":"netflow"},"log":{"source":"netflow-default"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"elasticsearch","log.origin":{"file.line":264,"file.name":"elasticsearch/client.go"},"ecs.version":"1.6.0"}
and the Agent Metrics dashboard does indeed show that the events are streaming in (I had syslogs on before, making things difficult to see).
Now I just need to figure out what's happening in the elastic store to hide/drop these events...
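The post relies on softflowd for NetFlow v5 test traffic and on Wireshark to confirm packets arrive. A small, deterministic v5 generator makes the same check reproducible: it builds a datagram with a known number of records, decodes it back to prove the framing is right, and sends it to the collector so that one datagram should show up as exactly that many events. This is an added example, not code from the original post or from Elastic; the collector address 127.0.0.1:2055, the field layout constants, and the sample flows are assumptions and constructed data.

```python
import socket
import struct
import time
from dataclasses import dataclass

# NetFlow v5 wire layout (big-endian): 24-byte header, then N 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")              # version,count,uptime,secs,nsecs,seq,engine_type,engine_id,sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src,dst,nexthop,in,out,pkts,octets,first,last,sport,dport,pad,flags,proto,tos,src_as,dst_as,src_mask,dst_mask,pad


@dataclass
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int


def build_v5(flows, seq=0, uptime_ms=1000, now=None):
    """Encode 1..30 flows as a single NetFlow v5 datagram (v5 caps a datagram at 30 records)."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("NetFlow v5 allows 1..30 records per datagram")
    now = time.time() if now is None else now
    secs = int(now)
    nsecs = int((now - secs) * 1e9)
    header = V5_HEADER.pack(5, len(flows), uptime_ms, secs, nsecs, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\x00" * 4,
            0, 0, f.packets, f.octets, uptime_ms - 500, uptime_ms,
            f.src_port, f.dst_port, 0, 0, f.proto, 0, 0, 0, 0, 0, 0,
        )
        for f in flows
    )
    return header + body


def parse_v5(data):
    """Decode a v5 datagram; raises ValueError on wrong version or truncated/padded payload."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, *_ = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} != expected {expected} for {count} records")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                          r[9], r[10], r[13], r[5], r[6]))
    return flows


def is_valid_v5(data):
    """True if the bytes are a well-formed v5 datagram."""
    try:
        parse_v5(data)
        return True
    except ValueError:
        return False


def send_v5(datagram, host="127.0.0.1", port=2055):
    """Fire the datagram at the collector (assumed address); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


if __name__ == "__main__":
    # Constructed sample flows: a DNS query and an HTTPS connection from a LAN host.
    sample = [
        Flow("192.168.88.10", "1.1.1.1", 51000, 53, 17, 1, 60),
        Flow("192.168.88.10", "93.184.216.34", 51234, 443, 6, 12, 2400),
    ]
    dgram = build_v5(sample, seq=1)
    assert parse_v5(dgram) == sample
    print("sent", send_v5(dgram), "bytes;", len(sample), "records should appear as events")
```

Send one datagram at a time and compare the record count against the "PublishEvents: N events" debug line; if the count matches, the UDP path and parser are fine and the gap is downstream in ingest or the data view.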