
ipfix.yaml file for UTM export of IPFIX flows to Logstash?

From /etc/logstash/conf.d/central.conf:

input {
  # The opening line of this first block was lost in the post; a udp input on
  # the same port is assumed here, mirroring the tcp block below.
  udp {
    port => 4739
    codec => netflow {
      versions => [10]
      target => "ipfix"
    }
    type => "ipfix"
  }
  tcp {
    port => 4739
    codec => netflow {
      versions => [10]
      target => "ipfix"
    }
    type => "ipfix"
  }
} # end of input

output {
  if [type] == "ipfix" {
    elasticsearch {
      index => "ipfix_logs-%{+YYYY.MM.dd}"
      hosts => ["localhost:9200"]
    }
  } else {
    elasticsearch {
      index => "sophos_utm-%{+YYYY.MM.dd}"
      hosts => ["localhost:9200"]
    }
  }
} # end of output


Unfortunately, I am getting warnings in my logstash log files:

[WARN ][logstash.codecs.netflow  ] No matching template for flow id 258
[WARN ][logstash.codecs.netflow  ] No matching template for flow id 256
[WARN ][logstash.codecs.netflow  ] No matching template for flow id 258
[WARN ][logstash.codecs.netflow  ] No matching template for flow id 256
[WARN ][logstash.codecs.netflow  ] No matching template for flow id 258

Which tells me I do not have a yaml template that is compatible with the information my UTM is sending out. I have done some web searches, but unfortunately have not found a template yet (which seems odd - I can't be the only one who wants to do this.)

Can anyone provide some guidance here before I possibly go ahead and try to recreate the wheel?

Thanks

-Karl
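An added example, not from this post and not part of the Logstash netflow codec: a small IPFIX parser that learns the template sets an exporter sends (template IDs and field specifiers, enterprise-specific fields included) and flags any data set whose template has not been seen, which is the condition behind the "No matching template" warning above. The sample messages are constructed inline rather than captured from a UTM.

```python
import struct

IPFIX_VERSION = 10


def parse_ipfix(msg, templates):
    """Learn templates (keyed by domain+template id) and report a status per data set."""
    version, length, _exp_time, _seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not an IPFIX message: version {version}")
    results, off = [], 16  # 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4:  # malformed set header; stop rather than loop forever
            break
        end = off + set_len
        if set_id == 2:  # template set: one or more template records
            p = off + 4
            while p + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, p)
                p, fields = p + 4, []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", msg, p)
                    p, pen = p + 4, 0
                    if ie & 0x8000:  # enterprise bit set: a 4-byte PEN follows
                        pen = struct.unpack_from("!I", msg, p)[0]
                        p, ie = p + 4, ie & 0x7FFF
                    fields.append((pen, ie, flen))
                templates[(domain, tid)] = fields
        elif set_id >= 256:  # data set: set id is the template id
            known = (domain, set_id) in templates
            results.append((set_id, "ok" if known else "no matching template"))
        off = end
    return results


# Constructed sample traffic (not captured from a UTM).
def build_message(domain, sets):
    body = b"".join(struct.pack("!HH", sid, 4 + len(p)) + p for sid, p in sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 0, domain) + body


# Template 256: sourceIPv4Address(8,4) destinationIPv4Address(12,4) octetDeltaCount(1,8)
TEMPLATE_256 = (2, struct.pack("!HHHHHHHH", 256, 3, 8, 4, 12, 4, 1, 8))
DATA_256 = (256, bytes([10, 0, 0, 1, 192, 168, 1, 10]) + struct.pack("!Q", 1500))
DATA_258 = (258, b"\x00" * 8)  # no template 258 was ever exported


def demo():
    templates = {}
    first = parse_ipfix(build_message(1, [TEMPLATE_256, DATA_256]), templates)
    second = parse_ipfix(build_message(1, [DATA_258]), templates)
    return templates, first, second
```

Feeding captured exporter packets through `parse_ipfix` shows which template IDs and field specifiers the UTM actually emits, and whether data records arrive before their template.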

  • Hi Karl

    I have no luck getting this to work with Live Action.  Seems to be the same problem you are running into where the template is not matching up to what the monitoring software is looking for.  We see data come in but it's all messed up and cannot be correlated correctly.


    Joe

  • Hi,


    unfortunately I'm stuck here, too.

    I've been trying to get IPFIX/NetFlow data into Logstash for a while now without any luck.

    I have no way to integrate Sophos IPFIX Data into my logging which is frustrating.


    If anyone has any suggestions how to make this usable with logstash I'd highly appreciate any input.


    Thanks