Security Onion 2.4.211, Elastic Agent/Filebeat 9.0.8, NetFlow package 2.23.1.

[talonius1]

Version

2.4.211

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

18

RAM

36GB

Storage for /

300GB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Title

Security Onion 2.4.211 NetFlow integration listens on UDP but agentbeat publishes zero events

Summary

I am trying to ingest NetFlow from OPNsense into Security Onion using the documented NetFlow Records integration. The Elastic Agent NetFlow input appears to deploy correctly and binds to UDP/2055, but agentbeat never publishes any events. I have confirmed that packets arrive at Security Onion, including NetFlow v9 templates and data flowsets. I also tested NetFlow v5 to remove v9 template dependency, with the same result.

I am trying to determine whether this is a known issue, a misconfiguration on my part, or something specific to Security Onion 2.4.211 / Elastic Agent 9.0.8.

Environment

Security Onion version:

2.4.211

Deployment:

On-prem lab deployment
Single Security Onion node
Security Onion installed from ISO
Internet-connected, not airgapped

Node role/configuration:

Single manager/sensor-style node
Security Onion management IP: 192.168.10.40
OPNsense exporter IP: 192.168.10.1
NetFlow destination: 192.168.10.40:2055/udp
Temporary test destination also tried: 192.168.10.40:2056/udp

Elastic / integration versions observed:

Elastic Agent/Filebeat: 9.0.8
NetFlow package: 2.23.1

Configuration

I added the NetFlow Records integration to the so-grid-nodes_general policy. elastic-agent inspect shows the NetFlow input present:

id: netflow-netflow-4f8edd5e-667f-455a-b9a8-2711fb5cef7b
meta:
  package:
    name: netflow
    version: 2.23.1
name: netflow-1
streams:
- data_stream:
    dataset: netflow.log
    type: logs
  detect_sequence_reset: true
  expiration_timeout: 30m
  host: 0.0.0.0:2055
  internal_networks:
  - 192.168.0.0/16
  max_message_size: 10KiB
  protocols:
  - v1
  - v5
  - v6
  - v7
  - v8
  - v9
  - ipfix
  queue_size: 8192
  tags:
  - netflow
  - forwarded
  workers: 1
type: netflow
use_output: so-manager_logstash

The output is configured for Logstash:

outputs:
  so-manager_logstash:
    hosts:
    - 192.168.10.40:5055
    - securityonion:5055
    type: logstash

Listener confirmation

agentbeat is listening on UDP/2055:

UNCONN 0      0                  *:2055            *:*    users:(("agentbeat",pid=1168298,fd=13))

I also added a temporary second NetFlow input on UDP/2056. It was owned by the same agentbeat process:

UNCONN 0      0                  *:2055            *:*    users:(("agentbeat",pid=1168298,fd=13))
UNCONN 0      0                  *:2056            *:*    users:(("agentbeat",pid=1168298,fd=8))

Packet arrival confirmation

Security Onion receives NetFlow packets from OPNsense with no kernel drops:

192.168.10.1.21984 > 192.168.10.40.2055: [udp sum ok] UDP, length 1392

Example capture:

103 packets captured
103 packets received by filter
0 packets dropped by kernel

Temporary 2056 test with NetFlow v5 also showed packets arriving:

101 packets captured
101 packets received by filter
0 packets dropped by kernel

Socket counters showed no backlog and no drops:

UNCONN 0      0                        *:2055            *:*    users:(("agentbeat",pid=1168298,fd=13))
         skmem:(r0,rb212992,t0,tb26214400,f0,w0,o0,bl0,d0)

NetFlow v9 template confirmation

I parsed the pcap to verify whether OPNsense was sending only data flowsets or also templates. The capture confirmed NetFlow v9 and showed template FlowSet ID 0 present:

File: /tmp/opnsense-netflow-good-sequence.pcap
NetFlow versions seen: {9: 144}
NetFlow v9 packets: 144
FlowSet IDs seen: [(256, 144), (0, 2)]
Template packets, FlowSet ID 0: 2
Options template FlowSet ID 1: 0

The template details show that template ID 256 exists:

packet 89: template flowset length=172
  template_id=256 field_count=20
    field 1: type=8 len=4
    field 2: type=12 len=4
    field 3: type=15 len=4
    field 4: type=10 len=2
    field 5: type=14 len=2
    field 6: type=2 len=4
    field 7: type=1 len=4
    field 8: type=24 len=4
    field 9: type=23 len=4
    field 10: type=22 len=4
    field 11: type=21 len=4
    field 12: type=7 len=2
    field 13: type=11 len=2
    field 14: type=6 len=1
    field 15: type=4 len=1
    field 16: type=5 len=1
    field 17: type=16 len=4
    field 18: type=17 len=4
    field 19: type=9 len=1
    field 20: type=13 len=1

The packet order showed templates arrived before later data flowsets:

packet=89 flowsets=[0, 256]
packet=90 flowsets=[0, 256]
packet=136 flowsets=[256]
packet=137 flowsets=[256]
packet=138 flowsets=[256]
packet=139 flowsets=[256]
packet=140 flowsets=[256]
packet=141 flowsets=[256]
packet=142 flowsets=[256]
packet=143 flowsets=[256]
packet=144 flowsets=[256]

NetFlow v5 control test

I also tested NetFlow v5 to avoid template dependency. Packets arrived on UDP/2056, but agentbeat still published zero events.

The packet capture showed v5-like payloads:

first 00 05 offset: 55

The 2056 listener was active during the test:

UNCONN 0      0                  *:2056            *:*    users:(("agentbeat",pid=1168298,fd=8))

The capture showed:

101 packets captured
101 packets received by filter
0 packets dropped by kernel

agentbeat stats

Despite packets arriving and the NetFlow input listening, agentbeat stats remain at zero events:

"pipeline": {
  "clients": 2,
  "events": {
    "active": 0,
    "dropped": 0,
    "failed": 0,
    "filtered": 0,
    "published": 0,
    "retry": 0,
    "total": 0
  }
}

Output event counters are also zero:

"events": {
  "acked": 0,
  "active": 0,
  "batches": 0,
  "dead_letter": 0,
  "dropped": 0,
  "duplicates": 0,
  "failed": 0,
  "toomany": 0,
  "total": 0
}

The temporary 2056 NetFlow input behaved the same way. After OPNsense sent NetFlow v5 packets to UDP/2056, the same agentbeat process showed two clients but still zero events:

"pipeline": {
  "clients": 2,
  "events": {
    "active": 0,
    "dropped": 0,
    "failed": 0,
    "filtered": 0,
    "published": 0,
    "retry": 0,
    "total": 0
  }
}

Elasticsearch checks

No NetFlow indices are created:

sudo so-elasticsearch-query '_cat/indices/*netflow*?v'

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size dataset.size

A broad search also returns zero hits:

sudo so-elasticsearch-query '*/_search' -d @/tmp/netflow-search.json

{"hits":{"total":{"value":0,"relation":"eq"},"hits":[]}}

Logstash

I checked Logstash logs for obvious NetFlow/Filebeat/pipeline failures and did not see related errors:

sudo docker logs so-logstash --since 30m 2>&1 | grep -Ei 'netflow|2055|beats|filebeat|agent|pipeline|error|failed|reject|drop|parse|exception'

No relevant output was returned.

Question

Is this a known issue with the NetFlow Records integration in Security Onion 2.4.211 / Elastic Agent 9.0.8?

Based on the tests above, OPNsense appears to be exporting successfully and Security Onion is receiving the packets. The NetFlow input binds to the socket, but agentbeat never appears to convert received packets into pipeline events.

Is there another Security Onion-specific setting required beyond adding the NetFlow Records integration and allowing the exporter through the Security Onion firewall?

I found a few related discussions, especially #11487 and #11871, but they did not appear to match this exact symptom. In my case, I verified not only packet arrival but also v9 template presence and v5 behavior, while agentbeat still reports pipeline.events.total=0.

Related discussions checked

I found these related discussions, but they do not appear to resolve this specific behavior:

• Elasticagent integration netflow #11487 Elasticagent integration netflow
• pfSense/Netflow Not Working? #11871 pfSense/Netflow Not Working?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[talonius1]

Resolved. Firewall issue.
The NetFlow integration was working. OPNsense was exporting valid NetFlow. The Security Onion Fleet-managed agentbeat input was capable of decoding and indexing the packets. What was missing was allowing the OPNsense exporter through Security Onion’s host firewall on UDP/2055. Doing this from the SOC GUI did not work, had to use the command line.

This was confusing because tcpdump seeing UDP/2055 on the interface was not enough. The packet still had to pass the Security Onion host firewall before agentbeat could receive it.

Live and learn.