Closed nagmar closed 7 years ago
The number of flow records is reported in the NetFlow v5 and v9 packet headers, not the flow record fields themselves. This is passed by the Logstash NetFlow input codec to the subsequent processing pipeline, where we store that value in the record.
Firstly, thanks for your answer. I tried to update Logstash, Elasticsearch and Kibana to 5.0 with your configuration; I do not have the same as you (all fields). I use the netflow codec in input, same Logstash configuration. I do not understand what I could have forgotten.
When I configure my netflow_v5 and start a Wireshark capture, I don't see this field.
You should definitely not update to version 5.0 - our configurations have not been ported to the new versions.
If you find that exporting NetFlow v5 to the open port on the VM does not work, please let us know. This is what's supported at this time. The "flow records" field is part of the overall export header. See http://netflow.caligare.com/netflow_v5.htm - the "count" field.
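To make the point above concrete, here is a small NetFlow v5 decoder that I am adding to this thread; it is not code from sof-elk or from the Logstash netflow codec. It builds a constructed two-record v5 export, reads the 16-bit "count" field from the 24-byte header, and copies it onto every decoded record as `flow_records`, which is the only place that value can come from since the 48-byte record layout has no such field. The event key names are my recollection of the codec's v5 naming and are an assumption. It also checks that "count" agrees with the bytes actually received, a check a collector should make before trusting the header.

```python
import socket
import struct

# NetFlow v5 export layout, big-endian: a 24-byte header followed by up to
# 30 fixed-size 48-byte flow records.  The record count lives ONLY in the
# header ("count"); no per-record field carries it.
HEADER_FMT = ">HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 24
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)     # 48
MAX_RECORDS = 30                             # spec limit for a v5 datagram

# Constructed sample flows (not a real capture).
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "dst": "192.0.2.10", "sport": 51000, "dport": 443,
     "proto": 6, "flags": 0x1b, "pkts": 12, "bytes": 3400},
    {"src": "10.0.0.2", "dst": "192.0.2.53", "sport": 40123, "dport": 53,
     "proto": 17, "flags": 0, "pkts": 1, "bytes": 78},
]


def build_v5_packet(flows, flow_sequence=1):
    """Encode a NetFlow v5 export whose header count is len(flows)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 123456, 1500000000, 0,
                         flow_sequence, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    b"\x00\x00\x00\x00",            # next hop
                    1, 2,                           # input / output ifIndex
                    f["pkts"], f["bytes"],
                    100, 200,                       # first / last (sysUptime ms)
                    f["sport"], f["dport"],
                    0, f["flags"], f["proto"], 0,   # pad1, tcp_flags, prot, tos
                    0, 0, 24, 24, 0)                # src_as, dst_as, masks, pad2
        for f in flows)
    return header + body


def parse_v5(packet):
    """Decode one v5 export into one event dict per flow record.

    Header fields, the record count included, are copied onto every event,
    mirroring how the Logstash codec ends up with "flow_records" on each
    record.  Key names are assumed to match the codec's v5 names.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet: no v5 header")
    (version, count, _sys_uptime, _unix_secs, _unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    # Never trust "count" blindly: a bogus or truncated export must not make
    # the parser read past the datagram or silently drop records.
    if count > MAX_RECORDS:
        raise ValueError("count %d exceeds v5 maximum of %d" % (count, MAX_RECORDS))
    expected = HEADER_LEN + count * RECORD_LEN
    if len(packet) != expected:
        raise ValueError("count=%d implies %d bytes, got %d" % (count, expected, len(packet)))

    events = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        events.append({
            # header-derived fields: identical on every record of this export
            "version": version,
            "flow_records": count,
            "flow_seq_num": flow_seq,
            "engine_type": engine_type,
            "engine_id": engine_id,
            "sampling_algorithm": sampling >> 14,      # top 2 bits
            "sampling_interval": sampling & 0x3FFF,    # low 14 bits
            # per-record fields
            "ipv4_src_addr": socket.inet_ntoa(src),
            "ipv4_dst_addr": socket.inet_ntoa(dst),
            "ipv4_next_hop": socket.inet_ntoa(nexthop),
            "input_snmp": in_if, "output_snmp": out_if,
            "in_pkts": pkts, "in_bytes": octets,
            "first_switched": first, "last_switched": last,
            "l4_src_port": sport, "l4_dst_port": dport,
            "tcp_flags": tcp_flags, "protocol": proto, "src_tos": tos,
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return events


def is_well_formed(packet):
    """True only if the header count matches the bytes actually present."""
    try:
        parse_v5(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ev in parse_v5(build_v5_packet(SAMPLE_FLOWS)):
        print(ev["flow_records"], ev["ipv4_src_addr"], "->",
              ev["ipv4_dst_addr"], ev["l4_dst_port"])
```

If you look at the same datagram in Wireshark, "count" appears once under the header, not under each flow, which is why a per-record search for flow_records in the caligare field tables comes up empty.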
OK, thank you. Do you have an update planned?
Hey, I don't understand this: https://github.com/philhagen/sof-elk/blob/master/configfiles/2050-netflow_v5.conf
More exactly:
```
if [type] == "netflow" {
  # rename fields to remove the [nf] superfield, to better allow ES dynamic mappings, and to enforce field naming hygiene
```
We can see different fields, for example: `"[nf][flow_records]" => "flow_records"`
But when I look at the different fields in netflow_v9 (http://netflow.caligare.com/netflow_v9.htm) or v5, I don't see flow_records; it doesn't exist.