Troubleshooting Netflow Logs Display Issue in Kibana with Elasticsearch

Elastic Stack Kibana
1

Hello and good time to you,

I have installed Elasticsearch along with Kibana, and I installed the Netflow record on Kibana to receive Netflow from Cisco Switch 2960. However, the Cisco Netflow logs are not being displayed in order for me to design a dashboard for them. That's why I installed Filebeat on the Kibana server.

When I enter the command filebeat setup, I encounter the following error:

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://localhost:9200: Get "http://localhost:9200": EOF]

I have checked everything in Elasticsearch. The service is running and there doesn't seem to be any issues with Elasticsearch. However, when I use the following command: curl localhost:9200, I encounter the error: curl: (52) Empty reply from server.

When I use curl in the following format: curl https://192.168.3.95:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic, everything works fine and I get the following output:

{
  "name" : "elk",
  "cluster_name" : "elk.local",
  "cluster_uuid" : "_XQzrBqPQbaULAMZmOc84A",
  "version" : {
    "number" : "8.9.0",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "8aa461beb06aa0417a231c345a1b8c38fb498a0d",
    "build_date" : "2023-07-19T14:43:58.555259655Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

The configuration for the elasticsearch section in the filebeat.yml file is as follows:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.3.95:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "ODezoT8*T1MA3139Xu6N"

However, when I run the command filebeat setup, I encounter the following error:

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://192.168.3.95:9200: Get "http://192.168.3.95:9200": EOF]

To resolve this issue, I changed the value in the elasticsearch.yml file from xpack.security.enabled: true to xpack.security.enabled: false. However, Kibana stopped working and I had to reinstall it.

I only want to receive Netflow from Cisco Switch in Kibana and design a dashboard for it, but I don't know why it's not working. I was able to easily receive Netflow from the Cisco Switch in Graylog and design a dashboard for it. I expected to do the same without any issues in Kibana, but I have encountered several problems. I even enabled Logstash and configured it for receiving Netflow, but still, the Netflow logs are not being displayed in Kibana for me to design a dashboard. I have tried many things, and I no longer know what else to do. If you have any experience in this regard, please guide me to solve my problem. Otherwise, I may lose my work.

2

Hi @abntkpi

Leave security enabled in elasticsearch.

Elasticsearch is running on https so filebeat needs https

Try

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://192.168.3.95:9200"]
  ssl.verificatione_mode: none

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "ODezoT8*T1MA3139Xu6N"
1 Like
3

Thank you for your response. I applied the configuration you suggested and encountered the following error:

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.3.95:9200: Get "https://192.168.3.95:9200": x509: certificate signed by unknown authority]

I want to know what steps I need to take to have Netflow from Cisco switches in Kibana. I have tried various methods, but I haven't been successful in achieving the desired result.

I also have another question: Does Kibana have the capability to receive and process Netflow data from Cisco switches, similar to Graylog? Or should I consider handing over the project to Graylog for this purpose?

4

It's similar, but try with: ssl.verification_mode: none

More options

1 Like
5

Thank you, Rios, for the response you provided. However, the issue has not been resolved.

6

Sorry typo I had an extra e

ssl.verification_mode: none

Elastic can handle large volumes of netflow ... These issues have nothing to do with the capability to ingest Netflow...

These are connectivity issues to elasticsearch.

7

Don't worry stephenb.

abntkpi is still the same error? Should be solved by what stephenb suggested.
Also you can copy or use /etc/elasticsearch/certs/http_ca.crt to FB and set in filebeat.yml

8

@abntkpi can you run this and show the output?
Thanks @Rios

filebeat test output

1 Like
9

Dear @stephenb and @Rios ,
Hello. I have reinstalled Elasticsearch, Kibana, and Filebeat . As you mentioned, I added "ssl.verification_mode: none" to the filebeat.yml, and the first issue was resolved with your help, dear friends.
Now I will proceed to solve the second issue, which is related to Cisco Netflow. I hope I can succeed.
Thank you for your guidance.

1 Like
10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.