Difference between revisions of "Logstash for IPFIX"

Revision as of 21:05, 9 May 2016

Logstash for IPFIX (Netflow V10) is on the way but in the meantime i've been able to get it working thus:

Nprobe I know, nprobe is commercial but i had it lying around so chose to use it. It can output in a variety of ways but in the base license model only zeromq and tcp methods allow direct output to logstash. My experience with zeromq was initially good but after a reinstall i couldn't get it working again, something wrong with the encoding or compression or something meant that logstash was seeing the data as garbage.

Switching to tcp output in json format got it working in the end so this is the nprobe config file, you'll note that local interface sniffing is disabled to it only listens for flows on port 2100:

# cat /etc/nprobe/nprobe-eth0.conf
-i none 
--collector-port 2100 
#--json-labels
#--zmq tcp://*:5000 
--tcp localhost:5000
-V10
-g=/var/run/nprobe-eth0.pid

And the nprobe init files:

touch /etc/nprobe/nprobe-eth0.start

@@ Line 4: / Line 4: @@
 I know, nprobe is commercial but i had it lying around so chose to use it.  It can output in a variety of ways but in the base license model only zeromq and tcp methods allow direct output to logstash.  My experience with zeromq was initially good but after a reinstall i couldn't get it working again, something wrong with the encoding or compression or something meant that logstash was seeing the data as garbage.
-Switching to tcp output in json format got it working in the end so this is the nprobe config file:
+Switching to tcp output in json format got it working in the end so this is the nprobe config file, you'll note that local interface sniffing is disabled to it only listens for flows on port 2100:
 <pre>