Open jsvd opened 9 years ago
Maybe interesting https://github.com/NETWAYS/sflow
Is there an ETA on when this will be implemented?
@TheSeraph I don't know if anyone is working on this, so there is no ETA.
Bummer, it's hard to work around non native support of such a detailed data stream!
We have sFlow with Logstash in semi-production. We use the Logstash pipe input plugin with the official sflowtool (http://blog.sflow.com/2011/12/sflowtool.html).
This is working quite well.
Config:
input {
  pipe {
    type => "sflow"
    command => "/usr/bin/sflowtool_wrapper.sh -l -p 6343"
  }
}
The only gotcha is, the sflowtool doesn't get killed when Logstash is terminated. This is why we use the following wrapper script.
#!/bin/bash
#
# Wrapper script for sflowtool when used in pipe input in logstash.
# This wrapper script ensures that the sflowtool is not running prior to start of the sflowtool.
ARGS="$*"
# Find any sflowtool already running with the same arguments; drop the grep itself from the match.
SFLOWTOOL_PID=$(/bin/ps -ef | /bin/grep "/usr/bin/sflowtool $ARGS" | /bin/grep -v "grep" | /bin/awk '{ print $2 }')
if [ -n "$SFLOWTOOL_PID" ]; then
  # $SFLOWTOOL_PID is left unquoted on purpose: it may hold several PIDs, one per line.
  kill -s 9 $SFLOWTOOL_PID
fi
# exec replaces the wrapper with sflowtool, so a signal from logstash reaches sflowtool directly.
exec /usr/bin/sflowtool "$@"
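To turn the lines that sflowtool -l writes into the pipe input above into structured events, here is an added Logstash filter example (it is not from this thread, from Logstash or from sflowtool). It assumes the FLOW and CNTR column order given in the sflowtool README, which should be checked against the sflowtool version in use; the field names are my own choice.

```logstash
filter {
  if [type] == "sflow" {
    # sflowtool -l prints one comma-separated sample per line; the first column
    # says whether it is a packet sample (FLOW) or an interface counter record (CNTR).
    if [message] =~ /^FLOW,/ {
      csv {
        source  => "message"
        # Column order assumed from the sflowtool README; verify against your version.
        columns => [ "sample_type", "agent", "input_port", "output_port",
                     "src_mac", "dst_mac", "eth_type", "in_vlan", "out_vlan",
                     "src_ip", "dst_ip", "ip_protocol", "ip_tos", "ip_ttl",
                     "src_port", "dst_port", "tcp_flags",
                     "packet_size", "ip_size", "sampling_rate" ]
        convert => { "packet_size" => "integer" "ip_size" => "integer"
                     "sampling_rate" => "integer" "ip_protocol" => "integer" }
      }
    } else if [message] =~ /^CNTR,/ {
      csv {
        source  => "message"
        # Column order assumed from the sflowtool README; verify against your version.
        columns => [ "sample_type", "agent", "if_index", "if_type", "if_speed",
                     "if_direction", "if_status", "if_in_octets", "if_in_ucast_pkts",
                     "if_in_multicast_pkts", "if_in_broadcast_pkts", "if_in_discards",
                     "if_in_errors", "if_in_unknown_protos", "if_out_octets",
                     "if_out_ucast_pkts", "if_out_multicast_pkts", "if_out_broadcast_pkts",
                     "if_out_discards", "if_out_errors", "if_promiscuous_mode" ]
        convert => { "if_in_octets" => "integer" "if_out_octets" => "integer"
                     "if_in_errors" => "integer" "if_out_errors" => "integer" }
      }
    } else {
      # Anything else (sflowtool startup chatter, truncated lines) is not a sample.
      drop { }
    }
    # Keep the raw line only when parsing failed, so malformed input can be inspected.
    if "_csvparsefailure" not in [tags] {
      mutate { remove_field => [ "message" ] }
    }
  }
}
```

Events tagged _csvparsefailure still carry the original message field, so a sample whose column count does not match the assumed layout shows up rather than being silently mis-mapped.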
Man, amazing! This does seem to work quite well for me at least. Now I just have to filter it into some useable patterns which will be another learning experience (I'm a bit of an ELK n00b)
On Wed, Mar 11, 2015 at 9:29 AM, Lucas Bremgartner <notifications@github.com> wrote: [quoted the comment above]
Thanks, Troy Cunningham
I started on a filter a while back ... it's a bit of a nightmare but here you go .. it does work to a point but probs not the best way to solve the use case.
Hi,
I am starting to work on an sFlow codec for Logstash. You can find it here: https://github.com/ashangit/logstash-codec-sflow (it is not available on rubygems so far). I have tested it with some sFlow samples of type counters and flow sent by an F5 load balancer, and so far it seems to decrypt those sFlow records well. It would be really great if some of you guys could test it and comment on it.
Hi,
Will the Logstash plugin you're working on support both CNTRs and FLOWs?
Hi,
Yes, this codec already manages flow samples and counter flows.
For the flow sample it is able to decode Ethernet, IPv4, UDP and TCP headers.
For the counter flow it is able to decode some records of type:
Would be good if there was one plugin instead of, if I count correctly, 5 ... ;-)
@ashangit if you'd be so kind as to submit a separate request to us to add this plugin, that's how the review process will get started. You could even still remain as a [community maintainer](https://www.elastic.co/guide/en/logstash/current/community-maintainer.html) if you are so inclined.
@untergeek here is the created issue for the migration of this plugin: https://github.com/elastic/logstash/issues/4809
Hello! Is it possible to raise this activity again?
At the moment, I have not found any free supported ECS-compatible solution for uploading sFlow events to Elasticsearch through Logstash.
Solutions like https://github.com/path-network/logstash-codec-sflow, https://www.elastic.co/guide/en/logstash/5.2/plugins-codecs-sflow.html and https://github.com/robcowart/elastiflow are no longer supported and are poorly compatible with the current versions of Logstash.
The current version of ElastiFlow is a closed commercial product, with extremely limited functionality in the free version: https://www.elastiflow.com/subscriptions.
migrated from https://logstash.jira.com/browse/LOGSTASH-800