Unable to Start NetFlow


(Walker) #1

ELK Stack 6.1.1 on Server 2012 VMware guest, all applications on a single host.
All applications are configured to run as services. (Used NSSM for Logstash and Kibana)
Logstash heap is set to 8GB
Elasticsearch heap is 4GB
I've tried the below with services running and stopped with no change in error.

When I run:
logstash --modules netflow --setup -M netflow.var.input.udp.port=2055

I get the error:
Error occurred during initialization of VM
Could not reserve enough space for object heap

I then tried to configure the module in the logstash.yml:

  - name: netflow
    var.input.udp.port: 2055
    var.elasticsearch.hosts: HostIP:9200
    var.elasticsearch.username: elastic
    var.elasticsearch.password: changeme
    var.kibana.host: FQDN:5601

On restart of Logstash, the following lines go on repeat over and over until I stop the service:
[2018-01-30T13:01:15,313][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache.disabled", :directory=>"D:/ELKStack/LogStash/modules/fb_apache.disabled/configuration"}
[2018-01-30T13:01:15,328][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"D:/ELKStack/LogStash/modules/netflow/configuration"}
[2018-01-30T13:01:16,377][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"arcsight", :directory=>"D:/ELKStack/LogStash/vendor/bundle/jruby/2.3.0/gems/x-pack-6.1.1-java/modules/arcsight/configuration"}
[2018-01-30T13:01:16,657][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified


(Robert Cowart) #2

This is not a direct answer to your question, but if you want to collect Netflow data with the Elastic Stack, you may want to try this...

The Logstash Netflow module was based on release v1.0.0 of ElastiFlow and is actually pretty far behind at this point. Setup is a bit more manual with ElastiFlow, but I think you will find the results worth the effort. (NOTE: I hope to release ElastiFlow 2.0.0 in early Feb. which will also include IPFIX and sFlow support)

Since you are on 6.1.1 it is probably also worth mentioning that both the Logstash Module and ElastiFlow make significant use of pie charts, which are rendered poorly in 6.1.x (https://github.com/elastic/kibana/issues/15594). If you want a work-around you might want to consider this...

