Syslog working, added NetFlow module and it stops

Like in the title. I have Syslog receiving data from multiple sources and indexing fine. I read up on the Netflow module and ran the --setup OK, and it created all the needed indexes etc. When I add the following to the logstash.yml file, netflow starts working but syslog stops. It never opens the ports for syslog. If I comment out the netflow module then syslog starts? I'm missing something here.

Ideas?

```yaml
# modules:
#   - name: netflow
#     var.input.udp.port: 2055
```

A few things...

  1. When you specify that you want to use the Netflow module Logstash is assuming that you want to load ONLY the Netflow module. While it is possible to load multiple pipelines with a single instance of Logstash in version 6.0 and above, I don't think the module setup lets you take advantage of this.

  2. Why use the Netflow module? It was originally created from ElastiFlow v1.0.0. ElastiFlow is now on v2.1.0, with an enhancement to better handle sampled Netflow to be added this week. Look at the releases page for ElastiFlow and you will see how far behind the Netflow module really is.

  3. If you are going to be collecting flow data in production for more than a handful of devices, you will need to pay a lot of attention to how to best scale the collection and processing of the data. Giving ElastiFlow (or even the Netflow module) its own dedicated Logstash instance and resources is a recommended starting point.

Rob

Robert Cowart (rob@koiossian.com)
www.koiossian.com
True Turnkey SOLUTIONS for the Elastic Stack
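Rob's first point is the cause of the symptom in the question: a `modules:` entry in logstash.yml makes Logstash run only the module's generated pipeline, so the syslog pipeline from conf.d is never started. In Logstash 6.x the two inputs can coexist if each is a regular pipeline declared in pipelines.yml, with the flow side written against the netflow codec rather than the module. The following pipelines.yml is an added example, not configuration from this thread, from the Logstash Netflow module or from ElastiFlow; the pipeline ids, listening ports, Elasticsearch host and index names are assumptions.

```yaml
# pipelines.yml for a single Logstash 6.x instance (added example).
# Two independent pipelines: syslog keeps its own ports and workers,
# and the netflow pipeline gets separate workers, batch size and a
# persisted queue so a burst of flow records cannot stall syslog.

- pipeline.id: syslog
  pipeline.workers: 2
  config.string: |
    input {
      # Assumed port; the syslog input listens on TCP and UDP and parses RFC3164.
      syslog { port => 5514 type => "syslog" }
    }
    output {
      elasticsearch {
        hosts => ["localhost:9200"]           # assumed host
        index => "syslog-%{+YYYY.MM.dd}"      # assumed index name
      }
    }

- pipeline.id: netflow
  pipeline.workers: 4
  pipeline.batch.size: 2048
  queue.type: persisted
  config.string: |
    input {
      # Same UDP port the module would have used; the netflow codec
      # decodes v5/v9/IPFIX templates itself, no module required.
      udp { port => 2055 codec => netflow type => "netflow" }
    }
    output {
      elasticsearch {
        hosts => ["localhost:9200"]           # assumed host
        index => "netflow-%{+YYYY.MM.dd}"     # assumed index name
      }
    }
```

With `modules:` removed from logstash.yml and this file in place, `GET http://localhost:9600/_node/pipelines` should list both `syslog` and `netflow`, and both ports should show up in `ss -lnpu`. Note that the module's `--setup` run installed an index template and Kibana dashboards that expect the module's field names; a pipeline built on the bare codec will not populate those dashboards unless the same field mapping is reproduced, which is part of why ElastiFlow ships its own templates and dashboards. As Rob's third point says, once flow volume grows the netflow pipeline should move to its own Logstash instance rather than just its own pipeline.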
