Not able to visualise netflow data in kibana

csudaya · March 22, 2018, 5:38pm

Hi -

I have installed ELK stack and started the services. Using a nflow generator , generating netflow version 5 packets. I can see the packaets reaching the server and dictionary file getting refreshed in logstash .

However the dashboard is empty.

In elastic search deprecation log , I can see the below.

[2018-02-17T21:40:17,889][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]
[2018-02-17T21:40:17,889][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]
[2018-02-17T21:40:29,022][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]
[2018-02-17T21:40:29,022][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]
[2018-02-17T21:40:29,022][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]
[2018-02-17T21:40:29,027][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]
[2018-02-17T21:41:18,047][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]
[2018-02-17T21:41:18,054][WARN ][o.e.d.c.ParseField ] Deprecated field [all_fields] used, replaced by [Set [fields] to * instead]

can anyone tell me what is wrong here ?

yaauie · March 22, 2018, 8:31pm

What is the module configuration in your Logstash configuration?
Do the Logstash logs indicate that anything is amiss?

csudaya · March 23, 2018, 1:49am

netflow.conf is the default configuration coming as part of installation.

No error in logstash.log.

csudaya · March 23, 2018, 1:51am

I got this post in the forum - Logstash-codec-netflow does not accept netflow packets coming from a different IP subnet

Is it true netflow generator has to be in same subnet ?

rcowart · March 23, 2018, 7:38am

First. There is absolutely no requirement that the collector be on the same subnet as the device exporting the flow data. That user likely had another networking issue, or may have been on the other side of a NAT which affected the source IP addresses of the Flow packets (which is a network issue).

This isn't really directly related to your issue. However if you are serious about collecting Netflow (as well as sFlow and IPFIX) with the Elastic Stack, you may want to consider ElastiFlow (https://github.com/robcowart/elastiflow).

The Logstash Netflow Module was actually based on v1.0.0 of ElastiFlow (it is basically just v1.0.0 implemented as a Logstash Module). However ElastiFlow is now at v2.2.0, and the Master branch has some updates that will become 2.3 over the weekend (so if you try it, use the master branch). You can review the notes for each release to see what has changed since v1.0.0.

system · April 20, 2018, 7:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.