elk [2016/01/27 20:55] ben
elk [2016/01/28 22:56] ben
Line 4: | Line 4: | ||
* Define a template mapping for the netflow data, mapping the fields to the correct datatypes: <code bash> | * Define a template mapping for the netflow data, mapping the fields to the correct datatypes: <code bash> | ||
- | curl -XPUT http:// | + | curl -XPUT http:// |
- | " | + | " |
" | " | ||
" | " | ||
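Review bot: the `curl -XPUT http://` target in this hunk is cut off, so neither the template endpoint nor the template name the mapping is PUT to is visible; please show the full URL and template name so the step can be reproduced. It is also worth stating next to this step that an index template only affects indices created after it has been PUT, so any netflow index that already exists keeps its previous field mapping until it rolls over or is reindexed.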
Line 49: | Line 49: | ||
" | " | ||
" | " | ||
- | " | + | " |
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
}, | }, | ||
" | " | ||
Line 57: | Line 61: | ||
} | } | ||
}' | }' | ||
+ | </ | ||
+ | * Copy the '' | ||
+ | # Changed from 2->4 | ||
+ | 10: | ||
+ | - 4 | ||
+ | - :input_snmp | ||
+ | 14: | ||
+ | - 4 | ||
+ | - : | ||
+ | |||
+ | # Changed from uint24-> | ||
+ | 31: | ||
+ | - :uint32 | ||
+ | - : | ||
+ | |||
+ | # Add these entries: | ||
+ | 225: | ||
+ | - :ip4_addr | ||
+ | - : | ||
+ | 226: | ||
+ | - :ip4_addr | ||
+ | - : | ||
+ | 227: | ||
+ | - :uint16 | ||
+ | - : | ||
+ | 228: | ||
+ | - :uint16 | ||
+ | - : | ||
</ | </ | ||
* Setup a listening UDP port to receive the UDP data, and feed it into the netflow indexes in elasticsearch: | * Setup a listening UDP port to receive the UDP data, and feed it into the netflow indexes in elasticsearch: | ||
input { | input { | ||
udp { | udp { | ||
- | port => 9995 | + | port => 9996 |
codec => netflow { | codec => netflow { | ||
- | | + | |
- | # and lacks built-in templates for id=256,257 leading to errors and no data | + | |
- | | + | |
} | } | ||
- | type => "netflow" | + | type => "netflow9" |
} | } | ||
} | } | ||
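Review bot: the edits to the copied definitions file (fields 10 and 14 widened from 2 to 4 bytes, field 31 changed from uint24 to uint32, and the four new entries 225-228) are only correct for exporters that actually send those widths, so the `# Changed from 2->4` and `# Changed from uint24->` comments should name the exporter they were verified against; a collector fed by a second exporter that still sends 2-byte interface indices will mis-parse every record after field 10. Since the step copies the file, point the codec at the copy through its `definitions => "/path/to/copied/netflow.yaml"` option (the codec's own option; path is a placeholder) rather than editing the gem's bundled file, which a plugin upgrade silently overwrites. The input block also changes `port => 9995` to `9996` and `type => "netflow"` to `"netflow9"`: the exporter target, any firewall rule for the collector port, and every filter, output and Kibana index pattern keyed on the old type need the same change, otherwise flows stop arriving or stop matching without any error. Finally, the removed comment about the codec lacking built-in templates for ids 256 and 257 should be replaced by one sentence saying which codec change or option now covers them, so the reason for the earlier workaround is not lost.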
Line 78: | Line 109: | ||
} | } | ||
</ | </ | ||
- | * In Kibana Settings, add a new index pattern for '' | + | * In Kibana Settings, add a new index pattern for '' |
- | * Enable '' | + | * Enable '' |
- | * Verify data is being indexed by doing a search on '' | + | * Verify data is being indexed by doing a search on '' |
+ | |||
+ | The following warnings will show up briefly when logstash first starts. This is because the templates needed to understand the netflow messages are published in-band on a regular basis, and when logstash first starts up it might not have seen a copy of the templates before flow data is received. Once the template message is received (defaulting to 20 packets on the mikrtoik boards), these messages will cease: <code text> | ||
+ | Jan 28 22:40:08 silverhold logstash[9496]: | ||
+ | Jan 28 22:40:09 silverhold logstash[9496]: | ||
+ | </ | ||
+ | |||
+ | ====== Bugs ====== | ||
+ | |||
+ | ===== wrong number of arguments calling `to_s` (1 for 0) ===== | ||
+ | |||
+ | * Bug report: [[https:// | ||
+ | * Workaround: [[https:// |
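Review bot: the two `Jan 28 22:40` journal lines given as the expected startup warnings are cut off after the PID, so a reader cannot match them against their own logstash output; include the full message text. The explanation of why they appear should also make clear that the "20 packets" figure is the exporter's own template-refresh setting (and spell "mikrtoik" as "MikroTik"), so on a low-traffic link the warnings can persist for considerably longer than "briefly" until that many packets have been sent. The new Kibana bullets and both links in the Bugs section (`Bug report:` and `Workaround:`) are truncated at `[[https://`; the full URLs and the index pattern name are the only actionable content in those lines and should be present in the saved revision.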