Not able to use Elasticsearch out of network


(Leandro Vieira) #1

Hey everybody!

I am trying to create a network scenario for flow capture using YAF to export the flows on to Logstash to view them on Kibana using Elastiflow. This works great if all the devices are on the same network, however, if I have YAF running on a machine in a different network I get this error:

[2018-11-09T15:07:10,474][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"elastiflow-3.3.0-2018.11.07", :_type=>"doc", :_routing=>nil}, #LogStash::Event:0x58f719ad], :response=>{"index"=>{"_index"=>"elastiflow-3.3.0-2018.11.07", "_type"=>"doc", "_id"=>"FxID-WYB72rh-BUfOnvm", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [node.ipaddr]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'_gateway' is not an IP string literal."}}}}}

_gateway is apparently coming from a DNSD server:
"53/udp open domain NetWare dnsd"
However, I have no idea where this is coming from, and I can't find where this configuration is coming from.

Any advice? Thank you!


(Andreas H) #2

It looks like something is using a variable of "_gateway" instead of an IP address and the elasticsearch output is failing because the word "_gateway" does not follow the proper ip address format.
You could try putting an if statement into your logstash filter to change "_gateway" to a dummy IP address so that you can at least see what is causing the problem.
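The filter suggested above, as an added example that is not from this thread or from the Elastiflow project: it assumes the value lands in Elastiflow's `node.ipaddr` field (the field named in the error), generalizes from the literal "_gateway" to any value that is not an IPv4 or IPv6 literal, and keeps the original in an assumed `node.ipaddr_raw` field plus a tag so the affected exporters can be found in Kibana.

```logstash
filter {
  # Only act when [node][ipaddr] exists and does not look like an IP literal:
  # neither dotted IPv4 nor anything containing a colon (IPv6).
  if [node][ipaddr] and [node][ipaddr] !~ /^(\d{1,3}\.){3}\d{1,3}$/ and [node][ipaddr] !~ /:/ {
    # First mutate: preserve the offending value (e.g. "_gateway") for troubleshooting.
    # A separate mutate is needed because add_field/replace ordering inside one
    # mutate would otherwise capture the placeholder instead of the original.
    mutate {
      copy => { "[node][ipaddr]" => "[node][ipaddr_raw]" }
    }
    # Second mutate: substitute a placeholder that the ip-typed mapping accepts,
    # and tag the event so these documents can be filtered in a Kibana search.
    mutate {
      replace => { "[node][ipaddr]" => "0.0.0.0" }
      add_tag => [ "node_ipaddr_not_ip" ]
    }
  }
}
```

Searching Kibana for `tags:node_ipaddr_not_ip` then shows which exporters arrive with a name instead of an address, and `node.ipaddr_raw` shows the name itself.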


#3

Hi.
A problem of this kind is happening to me too.

When I export IPFIX flows via TCP or UDP to Logstash within the same network, no problem. I can see the IPFIX flows in Elastiflow Kibana Dashboards.

When I have the IPFIX exporter on a different network than the ELK server, I can only decode IPFIX flows exported via UDP to Logstash. TCP doesn't work.

The error is identical to the one presented by @iastroleo. It seems that there is some modification in the IP address field and it is replaced by a DNS name associated with it.

Can someone help?
Thanks in advance.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.