Sflow plugin dont work

ahiyaz · May 20, 2020, 6:30am

hi im new here
just install logstash as shipper toward Logz.io
ive install the sflow input plugin but i dont see logstash listening in any port.
i have filebeat installed on this agent as well for syslog collecting.
appreciate any help

thanks

netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.53:53 0.0.0.0:* 957/systemd-resolve
udp 0 0 172.16.0.31:68 0.0.0.0:* 937/systemd-network
udp6 0 0 :::9000 :::* 2851/filebeat

netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 957/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2444/sshd
tcp6 0 0 :::22 :::* LISTEN 2444/sshd

this is my logstash.yml

" input {
sflow {
}
}
filter {

...

mutate {
add_field => { "token" => "token" }
}
}

output {
lumberjack {
hosts => ["listener"]
port => 5006
ssl_certificate => "/usr/share/logstash/keys/TrustExternalCARoot.crt"
codec => "json_lines"
}
} "

ptamba · May 20, 2020, 7:38am

sflow is a codec plugin , not an input plugin. you will need a relevant input plugin. for example, using udp on port 5140

input {
  udp {
    port => 5140
    codec => sflow 
  }
}

ahiyaz · May 20, 2020, 8:15am

thanks
ill try that.
it just that in "sflow plugin" document https://www.elastic.co/guide/en/logstash/5.2/plugins-codecs-sflow.html#_synopsis_179

they say that

sflow {
}

is a Required configuration options

ptamba · May 20, 2020, 9:29am

yeah sorry, you’re right on the sflow config part so it should be

input {
  udp {
    port => 5140
    codec => sflow {
                      }
  }
}

you will still need input plugin to receive data, then use appropriate codec to decode the incoming data

ahiyaz · May 20, 2020, 2:10pm

Hi

still dont work

my logstash.yaml look like this (by the way ive just added all these lines to the bottom of the file)

input {
udp {
port => 6344
codec => sflow {
}
}
}
filter {

...

mutate {
add_field => { "token" => "token" }
}
}

output {
lumberjack {
hosts => ["listener"]
port => 5006
ssl_certificate => "/usr/share/logstash/keys/TrustExternalCARoot.crt"
codec => "json_lines"
}
}

the sflow codec was installed with:
bin/logstash-plugin install logstash-codec-sflow

thanks for your help

ptamba · May 20, 2020, 2:22pm

are you receiving traffic in port 6344? you can verify it using tcpdump. also check any error messages in logstash

ahiyaz · May 20, 2020, 2:58pm

hi
the port is udp 6343 i had a typo in my logstash file
yes ive verified with tcpdump and do get
but still the logstash doesn't listen on this port
whats wired to me is that i see data in debug logstah i get many lines that indicates i get sflow data.

[DEBUG] 2020-05-20 14:34:16.762 [<udp.2] sflow - sample: {:sample_entreprise=>0, :sample_format=>1, :sample_length=>184, :sample_data=>{:flow_sequence_number=>25988, :source_id_type=>0, :source_id_index=>56, :sampling_rate=>3000, :sample_pool=>77967000, :drops=>0, :input_interface=>29, :output_interface=>56, :record_count=>1, :records=>[{:record_entreprise=>0, :record_format=>1, :record_length=>144, :record_data=>{:protocol=>1, :frame_length=>218, :stripped=>4, :header_size=>128, :sample_header=>{:eth_dst=>"80:5e:c0:81:b0:97", :eth_src=>"00:09:0f:09:64:12", :eth_type=>2048, :eth_data=>{:ip_version=>4, :ip_header_length=>5, :ip_dscp=>24, :ip_ecn=>0, :ip_total_length=>200, :ip_identification=>33834, :ip_flags=>2, :ip_fragment_offset=>0, :ip_ttl=>53, :ip_protocol=>17, :ip_checksum=>38331, :src_ip=>"95.179.244.94", :dst_ip=>"192.168.22.37", :ip_data=>{:src_port=>31464, :dst_port=>12560, :udp_length=>180, :udp_checksum=>48750, :data=>642118823766955424167041796107550112135980852360753918315576936389400020387895746999260112657623053835706227941401018769756421331875833725747028020138910592819586463669544349370893188122784133375678226544550}}}}}]}}
{
"sample_pool" => "77967000",
"eth_dst" => "80:5e:c0:81:b0:97",
"ip_protocol" => "17",
"ip_version" => "4",
"stripped" => "4",
"dst_port" => "12560",
"frame_length" => "218",
"agent_ip" => "172.16.0.1",
"@timestamp" => 2020-05-20T14:34:16.769Z,
"@version" => "1",
"frame_length_times_sampling_rate" => 654000,
"host" => "172.16.0.1",
"dst_ip" => "192.168.22.37",
"input_interface" => "29",
"drops" => "0",
"eth_src" => "00:09:0f:09:64:12",
"source_id_type" => "0",
"src_port" => "31464",
"eth_type" => "2048",
"sflow_type" => "flow_sample",
"sub_agent_id" => "0",
"sampling_rate" => "3000",
"uptime_in_ms" => "3407960366",
"source_id_index" => "56",
"output_interface" => "56",
"protocol" => "1",
"src_ip" => "95.179.244.94"
}

how can it be??

by the way i get a warning regarding using java ver 11.

ahiyaz · May 20, 2020, 3:00pm

ooh
and i dont have any logs under /var/log/logstash.
what did you meant by look for errors in logstash?

ptamba · May 20, 2020, 3:07pm

so your logstash is receiving logs. whats the issue then?

ahiyaz · May 20, 2020, 3:14pm

you are right
i was stack on that i cant see it listening to the port (that it is wired)
but the bottom line it get the data!

now ill go and check my output, due to that i cant see the data on my logz.io account.

thank you for your help

system · June 17, 2020, 3:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.