Sflow plugin doesn't work

Hi, I'm new here.
I just installed Logstash as a shipper toward Logz.io.
I've installed the sflow input plugin but I don't see Logstash listening on any port.
I have Filebeat installed on this agent as well for syslog collecting.
Appreciate any help.

thanks

netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.53:53 0.0.0.0:* 957/systemd-resolve
udp 0 0 172.16.0.31:68 0.0.0.0:* 937/systemd-network
udp6 0 0 :::9000 :::* 2851/filebeat

netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 957/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2444/sshd
tcp6 0 0 :::22 :::* LISTEN 2444/sshd

This is my logstash.yml:

" input {
  sflow {
  }
}
filter {

...

...

  mutate {
    add_field => { "token" => "token" }
  }
}

output {
  lumberjack {
    hosts => ["listener"]
    port => 5006
    ssl_certificate => "/usr/share/logstash/keys/TrustExternalCARoot.crt"
    codec => "json_lines"
  }
} "

sflow is a codec plugin, not an input plugin. You will need a relevant input plugin. For example, using udp on port 5140:

input {
  udp {
    port => 5140
    codec => sflow 
  }
}

Thanks,
I'll try that.
It's just that in the "sflow plugin" documentation https://www.elastic.co/guide/en/logstash/5.2/plugins-codecs-sflow.html#_synopsis_179

they say that

sflow {
}

is a required configuration option.

Yeah sorry, you're right on the sflow config part, so it should be:

input {
  udp {
    port => 5140
    codec => sflow {
    }
  }
}

You will still need an input plugin to receive data, then use the appropriate codec to decode the incoming data.
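The split this answer describes, as an added example (not part of the original posts and not the Logstash plugin's code): a UDP socket plays the input role and only delivers bytes, while a small decoder for the sFlow v5 datagram and flow-sample headers plays the codec role. The test datagram is constructed from field values in the debug output posted later in this thread; its datagram sequence number and empty record list are made up.

```python
import ipaddress
import socket
import struct

SAMPLE_TYPES = {1: "flow_sample", 2: "counter_sample"}

def decode_sflow(datagram: bytes) -> dict:
    """Codec role: parse the sFlow v5 datagram header and each sample header."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    addr_len = {1: 4, 2: 16}.get(addr_type)      # 1 = IPv4, 2 = IPv6
    if version != 5 or addr_len is None:
        raise ValueError(f"not sFlow v5 (version={version}, address type={addr_type})")
    agent = ipaddress.ip_address(datagram[8:8 + addr_len])
    sub_agent, seq, uptime, count = struct.unpack_from("!4I", datagram, 8 + addr_len)
    off = 24 + addr_len
    samples = []
    for _ in range(count):
        tag, length = struct.unpack_from("!II", datagram, off)
        off += 8
        if off + length > len(datagram):         # never trust a length from the wire
            raise ValueError("sample length runs past end of datagram")
        s = {"sflow_type": SAMPLE_TYPES.get(tag & 0xFFF, f"format_{tag & 0xFFF}")}
        if tag == 1 and length >= 32:            # enterprise 0, format 1: flow sample
            f = struct.unpack_from("!8I", datagram, off)
            s.update(source_id_index=f[1] & 0xFFFFFF, sampling_rate=f[2], sample_pool=f[3],
                     drops=f[4], input_interface=f[5], output_interface=f[6])
        samples.append(s)
        off += length
    return {"agent_ip": str(agent), "sub_agent_id": sub_agent, "sequence": seq,
            "uptime_in_ms": uptime, "samples": samples}

def constructed_datagram() -> bytes:
    """Constructed test datagram (one flow sample, no records)."""
    flow = struct.pack("!8I", 25988, 56, 3000, 77967000, 0, 29, 56, 0)
    head = struct.pack("!II4s4I", 5, 1, bytes([172, 16, 0, 1]), 0, 1, 3407960366, 1)
    return head + struct.pack("!II", 1, len(flow)) + flow

def loopback_demo() -> dict:
    """Input role: a UDP socket only delivers bytes; decoding is a separate step."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))                # ephemeral port, loopback only
        rx.settimeout(2)
        tx.sendto(constructed_datagram(), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return decode_sflow(data)

if __name__ == "__main__":
    print(loopback_demo())
```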

Hi

It still doesn't work.

My logstash.yaml looks like this (by the way, I've just added all these lines to the bottom of the file):

input {
  udp {
    port => 6344
    codec => sflow {
    }
  }
}
filter {

...

...

  mutate {
    add_field => { "token" => "token" }
  }
}

output {
  lumberjack {
    hosts => ["listener"]
    port => 5006
    ssl_certificate => "/usr/share/logstash/keys/TrustExternalCARoot.crt"
    codec => "json_lines"
  }
}

The sflow codec was installed with:
bin/logstash-plugin install logstash-codec-sflow

Thanks for your help.

Are you receiving traffic on port 6344? You can verify it using tcpdump. Also check for any error messages in Logstash.

Hi,
the port is UDP 6343; I had a typo in my Logstash file.
Yes, I've verified with tcpdump and I do get it,
but Logstash still doesn't listen on this port.
What's weird to me is that I see data in the Logstash debug output; I get many lines that indicate I'm getting sflow data.

[DEBUG] 2020-05-20 14:34:16.762 [<udp.2] sflow - sample: {:sample_entreprise=>0, :sample_format=>1, :sample_length=>184, :sample_data=>{:flow_sequence_number=>25988, :source_id_type=>0, :source_id_index=>56, :sampling_rate=>3000, :sample_pool=>77967000, :drops=>0, :input_interface=>29, :output_interface=>56, :record_count=>1, :records=>[{:record_entreprise=>0, :record_format=>1, :record_length=>144, :record_data=>{:protocol=>1, :frame_length=>218, :stripped=>4, :header_size=>128, :sample_header=>{:eth_dst=>"80:5e:c0:81:b0:97", :eth_src=>"00:09:0f:09:64:12", :eth_type=>2048, :eth_data=>{:ip_version=>4, :ip_header_length=>5, :ip_dscp=>24, :ip_ecn=>0, :ip_total_length=>200, :ip_identification=>33834, :ip_flags=>2, :ip_fragment_offset=>0, :ip_ttl=>53, :ip_protocol=>17, :ip_checksum=>38331, :src_ip=>"95.179.244.94", :dst_ip=>"192.168.22.37", :ip_data=>{:src_port=>31464, :dst_port=>12560, :udp_length=>180, :udp_checksum=>48750, :data=>642118823766955424167041796107550112135980852360753918315576936389400020387895746999260112657623053835706227941401018769756421331875833725747028020138910592819586463669544349370893188122784133375678226544550}}}}}]}}
{
"sample_pool" => "77967000",
"eth_dst" => "80:5e:c0:81:b0:97",
"ip_protocol" => "17",
"ip_version" => "4",
"stripped" => "4",
"dst_port" => "12560",
"frame_length" => "218",
"agent_ip" => "172.16.0.1",
"@timestamp" => 2020-05-20T14:34:16.769Z,
"@version" => "1",
"frame_length_times_sampling_rate" => 654000,
"host" => "172.16.0.1",
"dst_ip" => "192.168.22.37",
"input_interface" => "29",
"drops" => "0",
"eth_src" => "00:09:0f:09:64:12",
"source_id_type" => "0",
"src_port" => "31464",
"eth_type" => "2048",
"sflow_type" => "flow_sample",
"sub_agent_id" => "0",
"sampling_rate" => "3000",
"uptime_in_ms" => "3407960366",
"source_id_index" => "56",
"output_interface" => "56",
"protocol" => "1",
"src_ip" => "95.179.244.94"
}

How can it be??

By the way, I get a warning regarding using Java ver 11.

Ooh,
and I don't have any logs under /var/log/logstash.
What did you mean by looking for errors in Logstash?

So your Logstash is receiving logs. What's the issue then?

You are right.
I was stuck on the fact that I can't see it listening on the port (which is weird),
but the bottom line is that it gets the data!

Now I'll go and check my output, because I can't see the data on my Logz.io account.

Thank you for your help.
