Unknown setting 'definitions' for netflow!

Hello,

I'm trying to use ELK to collect netflows. I'm using Logstash 2.3.3. But when I use the configuration option 'definitions' I get the error "Unknown setting 'definitions' for netflow". Here's my config file below:

udp {
  port => 4739
  codec => netflow {
    definitions => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-2.1.0/lib/logstash/codecs/netflow/netflow.yaml"
    versions => [9]
  }
}

+1 !!

It works with Logstash 2.3.2, but not with Logstash 2.3.3 for me

So you mean that I should downgrade to 2.3.2?

I downgraded to 2.3.2 because I can't resolve this issue in 2.3.3.

But I will try to find the problem, and if I find the solution, I will post a comment here.

1 Like

Thank you. :slight_smile:

Did you try to capture ipfix or you are just capturing netflow?

Just "Flexible NetFlow (v9)" (for Cisco NX-OS and Cisco ASA) but one day I will try with IPFIX to see differences between IPFIX and NF

It's very strange.
When I test the configuration file with "service logstash configtest" in Logstash 2.3.2, the output is:
"Configuration OK"

But in Logstash 2.3.3 I have:
"Unknown setting 'definitions' for netflow {:level=>:error}
The given configuration is invalid. Reason: Something is wrong with your configuration. {:level=>:fatal}"

Is it the same for you? Did you try with Logstash 2.3.2?

Your configuration file seems good. I think that this issue is bound to the version of Logstash. Maybe the NetFlow plugin is not compatible with this upgrade. I will continue to search.

Logstash 2.3.3 included an upgrade of the netflow codec from 2.0.5 to 2.1.0. It appears 2.1.0 replaced definitions with netflow_definitions and ipfix_definitions. It seems the Logstash 2.3 documentation listed as current on elastic.co doesn't actually include this update, but you can read the raw documentation at https://github.com/logstash-plugins/logstash-codec-netflow/blob/v2.1.0/lib/logstash/codecs/netflow.rb.

1 Like
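The option rename described in the answer above, shown as a side-by-side config (an added example, not configuration from the thread or from the plugin's own docs). The rejected block is the original poster's input; the corrected block assumes the same gem directory from the thread, that both YAML files ship with logstash-codec-netflow 2.1.0, and that `versions => [9, 10]` is wanted so one codec instance decodes both NetFlow v9 and IPFIX:

```conf
# Rejected by Logstash 2.3.3 (codec 2.1.0): 'definitions' no longer exists
# input {
#   udp {
#     port => 4739
#     codec => netflow {
#       definitions => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-2.1.0/lib/logstash/codecs/netflow/netflow.yaml"
#       versions => [9]
#     }
#   }
# }

# Accepted by codec 2.1.0: the NetFlow v9 and IPFIX field dictionaries are now
# separate options, so each YAML goes into the option for its own protocol.
input {
  udp {
    port => 4739
    codec => netflow {
      netflow_definitions => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-2.1.0/lib/logstash/codecs/netflow/netflow.yaml"
      ipfix_definitions   => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-2.1.0/lib/logstash/codecs/netflow/ipfix.yaml"
      # assumption: decode both NetFlow v9 (9) and IPFIX (10) on the same port
      versions => [9, 10]
    }
  }
}
```

Run `service logstash configtest` (as the thread does) after the change; with the old option name the check fails before any packet is received, so a failing configtest is the fastest way to tell an option rename from a decoding problem.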

Oh nice it works !! Thanks

Yes, thank you, it worked perfectly. But I just have one more inquiry: is there a problem collecting IPFIX flows using the netflow codec if I use the IPFIX definitions as in the configuration below? Or do I have to use the ipfix codec? Because I'm facing dependency problems while installing logstash-codec-ipfix.

input {
  udp {
    port => 4739
    codec => netflow {
      netflow_definitions => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-2.1.0/lib/logstash/codecs/netflow/ipfix.yaml"
      versions => [10]
      target => ipfix
    }
    type => ipfix
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    index => "logstash_ipfix-%{+YYYY.MM.dd}"
    hosts => "localhost"
  }
}

Error log:

No matching template for flow id 271 {:level=>:warn, :file=>"logstash/codecs/netflow.rb", :line=>"409", :method=>"decode_ipfix"}

I know this error. You are receiving a field that is not referenced in the netflow codec.
What is your IPFIX configuration on your router ?
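Why a collector logs "No matching template for flow id 271": in IPFIX (RFC 7011), as in NetFlow v9, a data set is only decodable once the exporter's template with that template ID has been seen for the same observation domain. The decoder below is an added example, not the logstash-codec-netflow code; it implements the template cache and the "data before template" failure mode in plain Python. The two messages are constructed inline (assumed field layout: five IANA information elements, no enterprise-specific or variable-length fields), and the warning string deliberately mirrors the wording the thread quotes:

```python
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2          # set IDs 2 and 3 carry templates; >= 256 carry data
IPV4_IES = {8, 12}           # sourceIPv4Address, destinationIPv4Address

# Minimal IE-id -> name table (IANA IPFIX registry) for the constructed sample
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address",
            7: "sourceTransportPort", 11: "destinationTransportPort",
            1: "octetDeltaCount"}


def parse_templates(body):
    """Template set body -> {template_id: [(ie_id, field_len), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, fcount = struct.unpack_from("!HH", body, off)
        off += 4
        if tid == 0 and fcount == 0:          # trailing padding
            break
        fields = []
        for _ in range(fcount):
            ie, flen = struct.unpack_from("!HH", body, off)
            off += 4
            if ie & 0x8000:                   # enterprise bit: skip the 4-byte PEN
                ie &= 0x7FFF
                off += 4
            fields.append((ie, flen))
        templates[tid] = fields
    return templates


def decode_record(fields, body, off):
    """Decode one fixed-length data record starting at off; returns (record, new_off)."""
    rec = {}
    for ie, flen in fields:
        raw = body[off:off + flen]
        off += flen
        name = IE_NAMES.get(ie, "ie%d" % ie)
        rec[name] = ".".join(str(b) for b in raw) if ie in IPV4_IES and flen == 4 \
            else int.from_bytes(raw, "big")
    return rec, off


class IpfixDecoder:
    """Keeps templates per (observation domain, template id), like a real collector."""

    def __init__(self):
        self.templates = {}
        self.warnings = []

    def decode(self, msg):
        version, length, _export_time, _seq, domain = struct.unpack_from("!HHIII", msg, 0)
        if version != IPFIX_VERSION:
            raise ValueError("not an IPFIX message (version %d)" % version)
        records, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack_from("!HH", msg, off)
            if set_len < 4:                   # malformed set header; stop rather than loop forever
                break
            body = msg[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                for tid, fields in parse_templates(body).items():
                    self.templates[(domain, tid)] = fields
            elif set_id >= 256:
                fields = self.templates.get((domain, set_id))
                if fields is None:            # the situation the thread's warning reports
                    self.warnings.append("No matching template for flow id %d" % set_id)
                else:
                    rec_len, pos = sum(l for _, l in fields), 0
                    while pos + rec_len <= len(body):
                        rec, pos = decode_record(fields, body, pos)
                        records.append(rec)
            off += set_len
        return records


def build_message(domain, sets):
    """Constructed IPFIX message: 16-byte header followed by (set_id, body) sets."""
    payload = b"".join(struct.pack("!HH", sid, len(b) + 4) + b for sid, b in sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(payload), 0, 0, domain) + payload


# Constructed template 271: srcIP(4) dstIP(4) srcPort(2) dstPort(2) octets(4)
TEMPLATE_271 = struct.pack("!HH", 271, 5) + b"".join(
    struct.pack("!HH", ie, l) for ie, l in [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)])
DATA_271 = bytes([10, 0, 0, 1]) + bytes([192, 168, 1, 10]) + struct.pack("!HHI", 51234, 443, 1500)


def demo():
    dec = IpfixDecoder()
    # 1) collector (re)starts mid-stream: data arrives before any template -> warning, no records
    first = dec.decode(build_message(1, [(271, DATA_271)]))
    # 2) exporter's periodic template refresh arrives, followed by data -> decodes
    second = dec.decode(build_message(1, [(TEMPLATE_SET_ID, TEMPLATE_271), (271, DATA_271)]))
    return first, second, dec.warnings
```

The practical consequence is the one the reply hints at by asking about the router configuration: the warning is expected right after a collector restart and goes away once the exporter resends its templates, so if it persists, check the exporter's template refresh interval (or timeout) and that the exporter is not changing its observation domain ID between templates and data.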