elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

sFlow input #2524

Open jsvd opened 9 years ago

jsvd commented 9 years ago

migrated from https://logstash.jira.com/browse/LOGSTASH-800

breml commented 9 years ago

Maybe interesting https://github.com/NETWAYS/sflow

TheSeraph commented 9 years ago

Is there an ETA on when this will be implemented?

jordansissel commented 9 years ago

@TheSeraph I don't know if anyone is working on this, so there is no ETA.

TheSeraph commented 9 years ago

Bummer, it's hard to work around non native support of such a detailed data stream!

breml commented 9 years ago

We have sflow with logstash in semi-production. We use the logstash pipe-input plugin with the official sflowtool (http://blog.sflow.com/2011/12/sflowtool.html).

This is working quite well.

Config:

input {
  pipe {
     type => "sflow"
     command => "/usr/bin/sflowtool_wrapper.sh -l -p 6343"
  }
}

The only gotcha is that sflowtool doesn't get killed when logstash is terminated. This is why we use the following wrapper script.

#!/bin/bash
#
# Wrapper script for sflowtool when used in pipe input in logstash.
# This wrapper script ensures that the sflowtool is not running prior to start of the sflowtool.

ARGS="$*"
# PIDs of any sflowtool already running with the same arguments (there may be more than one).
SFLOWTOOL_PID=$(/bin/ps -ef | /bin/grep "/usr/bin/sflowtool $ARGS" | /bin/grep -v "grep" | /bin/awk '{ print $2 }')

# Quoted test: the unquoted form errors out when several PIDs were found.
if [ -n "$SFLOWTOOL_PID" ]; then
        # Left unquoted on purpose so every PID in the list is killed.
        kill -s 9 $SFLOWTOOL_PID
fi
# exec replaces this shell with sflowtool, so the process logstash owns for the pipe is sflowtool itself
# and the signal sent on shutdown reaches it directly instead of orphaning it.
exec /usr/bin/sflowtool "$@"

TheSeraph commented 9 years ago

Man, amazing! This does seem to work quite well for me at least. Now I just have to filter it into some usable patterns, which will be another learning experience (I'm a bit of an ELK n00b).

On Wed, Mar 11, 2015 at 9:29 AM, Lucas Bremgartner <notifications@github.com> wrote:
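The "filter it into some usable patterns" step above is just a comma split on the one-record-per-line output that the pipe input receives from sflowtool -l, the same split a Logstash csv or dissect filter would do. The parser below is an added example, not code from this thread; the FLOW and CNTR column order is an assumption about sflowtool's line mode and the sample lines are constructed, so check the column list against the sflowtool build actually feeding Logstash.

```python
# Added example: decode `sflowtool -l` FLOW/CNTR lines into dicts. Column order
# is assumed from sflowtool's line mode (verify against your build); sample
# input below is constructed, not captured from a real agent.

FLOW_FIELDS = (
    "agent", "input_port", "output_port", "src_mac", "dst_mac", "eth_type",
    "in_vlan", "out_vlan", "src_ip", "dst_ip", "ip_protocol", "ip_tos",
    "ip_ttl", "src_port", "dst_port", "tcp_flags", "packet_size", "ip_size",
    "sampling_rate",
)
CNTR_FIELDS = (
    "agent", "if_index", "if_type", "if_speed", "if_direction", "if_status",
    "if_in_octets", "if_in_ucast_pkts", "if_in_mcast_pkts", "if_in_bcast_pkts",
    "if_in_discards", "if_in_errors", "if_in_unknown_protos", "if_out_octets",
    "if_out_ucast_pkts", "if_out_mcast_pkts", "if_out_bcast_pkts",
    "if_out_discards", "if_out_errors", "if_promiscuous_mode",
)
# Kept as strings: addresses and the hex-formatted eth_type / tcp_flags / ip_tos.
STRING_FIELDS = {"agent", "src_mac", "dst_mac", "eth_type", "src_ip", "dst_ip",
                 "ip_tos", "tcp_flags"}

def parse_sflowtool_line(line):
    """Return a dict for a FLOW/CNTR line, or None for banner, unknown or truncated lines."""
    parts = line.strip().split(",")
    names = {"FLOW": FLOW_FIELDS, "CNTR": CNTR_FIELDS}.get(parts[0])
    if names is None or len(parts) - 1 != len(names):
        return None  # drop the line rather than mis-assign columns on a short or foreign record
    rec = {"type": parts[0]}
    for name, value in zip(names, parts[1:]):
        rec[name] = value if name in STRING_FIELDS else int(value)
    if rec["type"] == "FLOW":
        # One sampled packet stands for sampling_rate packets on the wire.
        rec["estimated_bytes"] = rec["packet_size"] * rec["sampling_rate"]
    return rec

def parse_sflowtool_output(text):
    """Parse a chunk of sflowtool output, skipping lines that do not decode."""
    records = (parse_sflowtool_line(ln) for ln in text.splitlines() if ln.strip())
    return [r for r in records if r is not None]

# Constructed sample: one flow sample, one counter sample, one truncated line.
SAMPLE = """\
FLOW,10.0.0.254,1,2,001b21abcdef,0050568a1b2c,0x0800,100,200,192.0.2.10,198.51.100.20,6,0x00,64,44321,443,0x18,1514,1500,1024
CNTR,10.0.0.254,3,6,1000000000,1,1,123456789,1000,10,5,0,0,0,987654321,2000,20,6,0,0,0
FLOW,10.0.0.254,1,2
"""
```

Feeding parse_sflowtool_output(SAMPLE) yields two records and silently drops the truncated third line, which is the behaviour you want in front of an index rather than a half-populated event.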

loggola commented 9 years ago

I started on a filter a while back … it's a bit of a nightmare but here you go .. it does work to a point but probs not the best way to solve the use case.

http://pastebin.com/0zQ0bzdr

ashangit commented 8 years ago

Hi,

I am starting to work on an sflow codec for logstash. You can find it here: https://github.com/ashangit/logstash-codec-sflow (it is not available on rubygems so far). I have tested it with some sflow samples of type counters and flow sent by an F5 load balancer and so far it seems to decrypt those sflow records well. It would be really great if some of you could test it and comment on it.

wolstena commented 8 years ago

Hi,

Will the logstash plugin you're working on support both CNTRs and FLOWs?

ashangit commented 8 years ago

Hi,

Yes, this codec already manages flow samples and counter flows.

For the flow sample it is able to decode Ethernet, IPv4, UDP and TCP headers.

For the counter flow it is able to decode some records of type:

FlorianHeigl commented 8 years ago

Would be good if there was one plugin instead of now, if I count correctly, 5 ... ;-)

untergeek commented 8 years ago

@ashangit if you'd be so kind as to submit a separate request to us to add this plugin, that's how the review process will get started. You could even still remain as a [community maintainer](https://www.elastic.co/guide/en/logstash/current/community-maintainer.html) if you are so inclined.

ashangit commented 8 years ago

@untergeek here is the created issue for the migration of this plugin: https://github.com/elastic/logstash/issues/4809

ar-mi commented 2 years ago

Hello! Is it possible to raise this activity again?

At the moment, I have not found any free supported ECS-compatible solution for uploading sFlow events to Elasticsearch through Logstash.

Solutions like the following are no longer supported and are poorly compatible with the current versions of Logstash:

https://github.com/path-network/logstash-codec-sflow
https://www.elastic.co/guide/en/logstash/5.2/plugins-codecs-sflow.html
https://github.com/robcowart/elastiflow

The current version of Elastiflow is a closed commercial product with extremely limited functionality from the free version - https://www.elastiflow.com/subscriptions.