Troubleshooting Netflow Logs Display Issue in Kibana with Elasticsearch

Hello and good time to you,

I have installed Elasticsearch along with Kibana, and I installed the Netflow record on Kibana to receive Netflow from Cisco Switch 2960. However, the Cisco Netflow logs are not being displayed in order for me to design a dashboard for them. That's why I installed Filebeat on the Kibana server.

When I enter the command filebeat setup, I encounter the following error:

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://localhost:9200: Get "http://localhost:9200": EOF]

I have checked everything in Elasticsearch. The service is running and there doesn't seem to be any issues with Elasticsearch. However, when I use the following command: curl localhost:9200, I encounter the error: curl: (52) Empty reply from server.

When I use curl in the following format: curl https://192.168.3.95:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic, everything works fine and I get the following output:

{
  "name" : "elk",
  "cluster_name" : "elk.local",
  "cluster_uuid" : "_XQzrBqPQbaULAMZmOc84A",
  "version" : {
    "number" : "8.9.0",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "8aa461beb06aa0417a231c345a1b8c38fb498a0d",
    "build_date" : "2023-07-19T14:43:58.555259655Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

The configuration for the elasticsearch section in the filebeat.yml file is as follows:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.3.95:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "ODezoT8*T1MA3139Xu6N"

However, when I run the command filebeat setup, I encounter the following error:

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://192.168.3.95:9200: Get "http://192.168.3.95:9200": EOF]

To resolve this issue, I changed the value in the elasticsearch.yml file from xpack.security.enabled: true to xpack.security.enabled: false. However, Kibana stopped working and I had to reinstall it.

I only want to receive Netflow from Cisco Switch in Kibana and design a dashboard for it, but I don't know why it's not working. I was able to easily receive Netflow from the Cisco Switch in Graylog and design a dashboard for it. I expected to do the same without any issues in Kibana, but I have encountered several problems. I even enabled Logstash and configured it for receiving Netflow, but still, the Netflow logs are not being displayed in Kibana for me to design a dashboard. I have tried many things, and I no longer know what else to do. If you have any experience in this regard, please guide me to solve my problem. Otherwise, I may lose my work.

Hi @abntkpi

Leave security enabled in elasticsearch.

Elasticsearch is running on https, so filebeat needs https.

Try

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://192.168.3.95:9200"]
  ssl.verificatione_mode: none

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "ODezoT8*T1MA3139Xu6N"

Thank you for your response. I applied the configuration you suggested and encountered the following error:

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.3.95:9200: Get "https://192.168.3.95:9200": x509: certificate signed by unknown authority]

I want to know what steps I need to take to have Netflow from Cisco switches in Kibana. I have tried various methods, but I haven't been successful in achieving the desired result.

I also have another question: Does Kibana have the capability to receive and process Netflow data from Cisco switches, similar to Graylog? Or should I consider handing over the project to Graylog for this purpose?

It's similar, but try with: ssl.verification_mode: none


Thank you, Rios, for the response you provided. However, the issue has not been resolved.

Sorry typo I had an extra e

ssl.verification_mode: none

Elastic can handle large volumes of netflow ... These issues have nothing to do with the capability to ingest Netflow...

These are connectivity issues to elasticsearch.

Don't worry stephenb.

@abntkpi, is it still the same error? It should be solved by what stephenb suggested.
Also, you can copy or use /etc/elasticsearch/certs/http_ca.crt on the Filebeat host and set it in filebeat.yml.
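
For reference, here are the two ways to make Filebeat trust the Elasticsearch HTTPS endpoint side by side: the quick `verification_mode: none` fix from this thread, and the CA-based alternative Rios mentions. This is an added example, not configuration posted in the thread; the copied CA path /etc/filebeat/http_ca.crt and the keystore key name ES_PWD are assumptions.

```yaml
output.elasticsearch:
  # The scheme must be https in the host URL; the commented-out `protocol:`
  # line in the default filebeat.yml does nothing while it stays commented.
  hosts: ["https://192.168.3.95:9200"]

  # Option A (what resolved the thread): skip certificate verification.
  # Filebeat then accepts any certificate, so anything answering on that
  # address also receives the credentials below. Acceptable for a quick test only.
  #ssl.verification_mode: none

  # Option B (hardened): trust the CA that signed the Elasticsearch HTTP certificate.
  # Copy /etc/elasticsearch/certs/http_ca.crt from the Elasticsearch host to the
  # Filebeat host first (destination path assumed). `full` also checks that the
  # certificate covers 192.168.3.95, which the working curl --cacert call above
  # already demonstrates; use `certificate` instead if only the chain should be checked.
  ssl.verification_mode: full
  ssl.certificate_authorities: ["/etc/filebeat/http_ca.crt"]

  username: "elastic"
  # Keep the password out of the plain-text file: run `filebeat keystore create`
  # and `filebeat keystore add ES_PWD` (key name assumed), then reference it here.
  password: "${ES_PWD}"
```

Run `filebeat test output` after editing to confirm the TLS handshake and authentication succeed before retrying `filebeat setup`.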

@abntkpi can you run this and show the output?
Thanks @Rios

filebeat test output


Dear @stephenb and @Rios ,
Hello. I have reinstalled Elasticsearch, Kibana, and Filebeat. As you mentioned, I added "ssl.verification_mode: none" to the filebeat.yml, and the first issue was resolved with your help, dear friends.
Now I will proceed to solve the second issue, which is related to Cisco Netflow. I hope I can succeed.
Thank you for your guidance.
