Problem configuring netflow in elk stack


(Juggernaut Panda) #1

Hello. I've configured the elk stack and now I want to add netflow to logstash.

I've made the necessary configuration files and even edited the modules in logstash.yml to enable netflow.

However, I continue to get Timelion: Error: in cell #1: Elasticsearch index not found: netflow-*
and visualize: Error: in cell #1: Elasticsearch index not found: netflow-*

The following can be seen in the dashboard: No data is being shown.

Please tell me if I am missing something. Should I do something with Elastic search as well?

I binded netflow with 2055 port with the following command:

/usr/share/logstash/bin# ./logstash --modules netflow -M netflow.var.input.udp.port=2055 --path.settings=/etc/logstash
Sending Logstash's logs to /usr/share/logstash/logs which is now configured via log4j2.properties


(Juggernaut Panda) #2

Bump. Can anyone assist me on this problem?

I can give the config files that will be asked.

I see the problem with elastic search indices for netflow.


(Sarlacpit) #3

I have been having a identical problem whereas there is no netflow index being created and never found an answer.

Did port 2055 open up?
Can you show your config from logstash.yml please? (remember to use the code formatting)

Thanks


(Juggernaut Panda) #4

No, the port didnt open up.

I did netstat -an|grep 2055 only to find no results.

Below is my logstash.yml

Settings file in YAML

Settings can be specified either in hierarchical form, e.g.:

pipeline:

batch:

size: 125

delay: 5

Or as flat keys:

pipeline.batch.size: 125

pipeline.batch.delay: 5

------------ Node identity ------------

Use a descriptive name for the node:

node.name: test

If omitted the node name will default to the machine's host name

------------ Data path ------------------

Which directory should be used by logstash and its plugins

for any persistent needs. Defaults to LOGSTASH_HOME/data

path.data: /var/lib/logstash

------------ Pipeline Settings --------------

Set the number of workers that will, in parallel, execute the filters+outputs

stage of the pipeline.

This defaults to the number of the host's CPU cores.

pipeline.workers: 2

How many workers should be used per output plugin instance

pipeline.output.workers: 1

How many events to retrieve from inputs before sending to filters+workers

pipeline.batch.size: 125

How long to wait before dispatching an undersized batch to filters+workers

Value is in milliseconds.

pipeline.batch.delay: 5

Force Logstash to exit during shutdown even if there are still inflight

events in memory. By default, logstash will refuse to quit until all

received events have been pushed to the outputs.

WARNING: enabling this can lead to data loss during shutdown

pipeline.unsafe_shutdown: false

------------ Pipeline Configuration Settings --------------

Where to fetch the pipeline configuration for the main pipeline

path.config: /etc/logstash/conf.d/*.conf

Pipeline configuration string for the main pipeline

config.string:

At startup, test if the configuration is valid and exit (dry run)

config.test_and_exit: false

Periodically check if the configuration has changed and reload the pipeline

This can also be triggered manually through the SIGHUP signal

config.reload.automatic: false

How often to check if the pipeline configuration has changed (in seconds)

config.reload.interval: 3s

Show fully compiled configuration as debug log message

NOTE: --log.level must be 'debug'

config.debug: false

When enabled, process escaped characters such as \n and " in strings in the

pipeline configuration files.

config.support_escapes: false

------------ Module Settings ---------------

Define modules here. Modules definitions must be defined as an array.

The simple way to see this is to prepend each name with a -, and keep

all associated variables under the name they are associated with, and

above the next, like this:

modules:
- name: netflow
var.input.udp.port: 2055

var.PLUGINTYPE1.PLUGINNAME1.KEY2: VALUE

var.PLUGINTYPE2.PLUGINNAME1.KEY1: VALUE

var.PLUGINTYPE3.PLUGINNAME3.KEY1: VALUE

Module variable names must be in the format of

var.PLUGIN_TYPE.PLUGIN_NAME.KEY

modules:

#- name: netflow

var.input.udp.port: 2055

------------ Cloud Settings ---------------

Define Elastic Cloud settings here.

Format of cloud.id is a base64 value e.g. dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRub3RhcmVhbCRpZGVudGlmaWVy

and it may have an label prefix e.g. staging:dXMtZ...

This will overwrite 'var.elasticsearch.hosts' and 'var.kibana.host'

cloud.id:

Format of cloud.auth is: :

This is optional

If supplied this will overwrite 'var.elasticsearch.username' and 'var.elasticsearch.password'

If supplied this will overwrite 'var.kibana.username' and 'var.kibana.password'

cloud.auth: elastic:

------------ Queuing Settings --------------

Internal queuing model, "memory" for legacy in-memory based queuing and

"persisted" for disk-based acked queueing. Defaults is memory

queue.type: memory

If using queue.type: persisted, the directory path where the data files will be stored.

Default is path.data/queue

path.queue:

If using queue.type: persisted, the page data files size. The queue data consists of

append-only data files separated into pages. Default is 250mb

queue.page_capacity: 250mb

If using queue.type: persisted, the maximum number of unread events in the queue.

Default is 0 (unlimited)

queue.max_events: 0

If using queue.type: persisted, the total capacity of the queue in number of bytes.

If you would like more unacked events to be buffered in Logstash, you can increase the

capacity using this setting. Please make sure your disk drive has capacity greater than

the size specified here. If both max_bytes and max_events are specified, Logstash will pick

whichever criteria is reached first

Default is 1024mb or 1gb

queue.max_bytes: 1024mb

If using queue.type: persisted, the maximum number of acked events before forcing a checkpoint

Default is 1024, 0 for unlimited

queue.checkpoint.acks: 1024

If using queue.type: persisted, the maximum number of written events before forcing a checkpoint

Default is 1024, 0 for unlimited

queue.checkpoint.writes: 1024

If using queue.type: persisted, the interval in milliseconds when a checkpoint is forced on the head page

Default is 1000, 0 for no periodic checkpoint.

queue.checkpoint.interval: 1000

------------ Dead-Letter Queue Settings --------------

Flag to turn on dead-letter queue.

dead_letter_queue.enable: false

If using dead_letter_queue.enable: true, the maximum size of each dead letter queue. Entries

will be dropped if they would increase the size of the dead letter queue beyond this setting.

Default is 1024mb

dead_letter_queue.max_bytes: 1024mb

If using dead_letter_queue.enable: true, the directory path where the data files will be stored.

Default is path.data/dead_letter_queue

path.dead_letter_queue:

------------ Metrics Settings --------------

Bind address for the metrics REST endpoint

http.host: "127.0.0.1"

Bind port for the metrics REST endpoint, this option also accept a range

(9600-9700) and logstash will pick up the first available ports.

http.port: 9600-9700

------------ Debugging Settings --------------

Options for log.level:

* fatal

* error

* warn

* info (default)

* debug

* trace

log.level: info

path.logs: /var/log/logstash

------------ Other Settings --------------

Where to find custom plugins

path.plugins: []


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.