sFlow input #2524

Open
jsvd opened this issue Feb 6, 2015 · 14 comments
Comments

@jsvd
Member

jsvd commented Feb 6, 2015

migrated from https://logstash.jira.com/browse/LOGSTASH-800

@breml
Contributor

breml commented Feb 24, 2015

Maybe interesting https://github.com/NETWAYS/sflow

@TheSeraph

Is there an ETA on when this will be implemented?

@jordansissel
Contributor

@TheSeraph I don't know if anyone is working on this, so there is no ETA.

@TheSeraph

Bummer, it's hard to work around non-native support of such a detailed data stream!

@breml
Contributor

breml commented Mar 11, 2015

We have sflow with logstash in semi-production. We use the logstash pipe-input plugin with the official sflowtool (http://blog.sflow.com/2011/12/sflowtool.html).

This is working quite well.

Config:

input {
  pipe {
     type => "sflow"
     command => "/usr/bin/sflowtool_wrapper.sh -l -p 6343"
  }
}

The only gotcha is, the sflowtool doesn't get killed when logstash is terminated. This is why we use the following wrapper script.

#!/bin/bash
#
# Wrapper script for sflowtool when used in pipe input in logstash.
# This wrapper script ensures that the sflowtool is not running prior to start of the sflowtool.

ARGS="$*"
# Find any sflowtool already running with the same arguments (the second grep drops the grep itself).
SFLOWTOOL_PID=$(/bin/ps -ef | /bin/grep "/usr/bin/sflowtool $ARGS" | /bin/grep -v "grep" | /bin/awk '{ print $2 }')

# -n with the variable quoted: an unquoted -z test errors out as soon as more than one PID matches.
if [ -n "$SFLOWTOOL_PID" ]; then
        # word splitting is intended here so that every matching PID is killed
        kill -s 9 $SFLOWTOOL_PID
fi
# exec replaces this shell with sflowtool, so the process logstash holds in its pipe
# (and signals on shutdown) is sflowtool itself rather than an intermediate bash.
exec /usr/bin/sflowtool "$@"

@TheSeraph

Man, amazing! This does seem to work quite well for me at least. Now I just have to filter it into some usable patterns which will be another learning experience (I'm a bit of an ELK n00b)

Thanks,
Troy Cunningham

@loggola

loggola commented Jun 5, 2015

I started on a filter a while back … it's a bit of a nightmare but here you go … it does work to a point but probs not the best way to solve the use case.

http://pastebin.com/0zQ0bzdr

@ashangit

ashangit commented Dec 7, 2015

Hi,

I am starting on working on an sflow codec for logstash.
You can find it here: https://github.com/ashangit/logstash-codec-sflow (it is not available on rubygems so far).
I have tested it with some sflow samples of type counters and flow sent by an F5 loadbalancer, and so far it seems to decrypt those sflow records well.
It would be really great if some of you guys could test it and comment on it.

@wolstena

Hi,

Will the logstash plugin you're working on support both CNTRs and FLOWs?

@ashangit

Hi,

Yes, this codec already manages flow samples and counter flows.

For the flow sample it is able to decode Ethernet, IPv4, UDP and TCP headers.

For the counter flow it is able to decode some records of type:

  • Generic Interface
  • Ethernet Interface
  • VLAN
  • Processor Information
  • HTTP
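The decoding described above (flow samples carrying Ethernet, IPv4, UDP and TCP headers, alongside counter samples) is what any sFlow codec has to get right. As an added example that is not the logstash-codec-sflow code, here is a minimal Ruby decoder for the flow-sample path of an sFlow v5 datagram, run against a datagram constructed inline (the agent and packet addresses, the ports and the "format 9999" record are all constructed). It assumes the sFlow v5 wire layout: big-endian 32-bit fields, every sample and record prefixed by its byte length, and the captured packet header padded to a 4-byte boundary. Counter samples are recognised and skipped rather than decoded.

```ruby
# Added example, not code from logstash-codec-sflow: a minimal sFlow v5 decoder that follows
# the path a codec takes for a flow sample (datagram -> flow sample -> raw packet header record
# -> Ethernet/IPv4/UDP|TCP) while honouring every length field, so unknown record formats and
# the 4-byte padding of the captured header cannot desynchronise it. All sample data is constructed.
class SflowReader
  attr_reader :pos
  def initialize(bytes)
    @buf = bytes.b
    @pos = 0
  end
  def bytes(n)
    raise "truncated datagram at offset #{@pos}" if @pos + n > @buf.bytesize
    chunk = @buf.byteslice(@pos, n)
    @pos += n
    chunk
  end
  def u32
    bytes(4).unpack1("N")
  end
  def seek(offset) # absolute jump, used to honour sample and record length fields
    raise "offset #{offset} beyond datagram end" if offset > @buf.bytesize
    @pos = offset
  end
end

def format_mac(raw)
  raw.unpack("C6").map { |b| "%02x" % b }.join(":")
end
def format_ipv4(raw)
  raw.unpack("C4").join(".")
end

# Raw packet header record (flow data format 1); fields the captured header does not reach are left out.
def decode_raw_packet_header(r)
  header_protocol, frame_length, _stripped, header_length = 4.times.map { r.u32 }
  hdr = r.bytes(header_length) # padding to a 4-byte boundary follows; the caller seeks past it
  out = { format: 1, header_protocol: header_protocol, frame_length: frame_length }
  return out unless header_protocol == 1 && hdr.bytesize >= 14 # 1 = ETHERNET-ISO88023
  out[:eth_dst] = format_mac(hdr.byteslice(0, 6))
  out[:eth_src] = format_mac(hdr.byteslice(6, 6))
  out[:eth_type] = hdr.byteslice(12, 2).unpack1("n")
  return out unless out[:eth_type] == 0x0800 && hdr.bytesize >= 34 # IPv4 with its fixed header present
  ip = hdr.byteslice(14, hdr.bytesize - 14)
  ihl = (ip.getbyte(0) & 0x0f) * 4
  return out if ihl < 20 || ip.bytesize < ihl
  out[:ip_src], out[:ip_dst] = format_ipv4(ip.byteslice(12, 4)), format_ipv4(ip.byteslice(16, 4))
  out[:ip_proto] = ip.getbyte(9)
  l4 = ip.byteslice(ihl, ip.bytesize - ihl)
  out[:src_port], out[:dst_port] = l4.unpack("nn") if [6, 17].include?(out[:ip_proto]) && l4.bytesize >= 4
  out
end

def decode_flow_sample(r)
  seq, source_id, rate, pool, drops, input_if, output_if, nrec = 8.times.map { r.u32 }
  records = nrec.times.map do
    fmt, len = r.u32, r.u32
    rec_end = r.pos + len
    rec = fmt == 1 ? decode_raw_packet_header(r) : { format: fmt, skipped: true }
    r.seek(rec_end) # the declared length, not what was parsed, locates the next record
    rec
  end
  { sequence: seq, source_id_type: source_id >> 24, source_id_index: source_id & 0xffffff, sampling_rate: rate,
    sample_pool: pool, drops: drops, input_if: input_if, output_if: output_if, records: records }
end

def decode_sflow_datagram(bytes)
  r = SflowReader.new(bytes)
  version = r.u32
  raise "unsupported sFlow version #{version}" unless version == 5
  addr_type = r.u32
  raise "agent address type #{addr_type} not handled here (1 = IPv4)" unless addr_type == 1
  agent = format_ipv4(r.bytes(4))
  sub_agent_id, sequence, uptime_ms, num_samples = 4.times.map { r.u32 }
  samples = num_samples.times.map do
    type, len = r.u32, r.u32
    sample_end = r.pos + len
    sample = type == 1 ? decode_flow_sample(r) : { type: type, skipped: true } # 2 = counter sample
    r.seek(sample_end)
    sample
  end
  { agent: agent, sub_agent_id: sub_agent_id, sequence: sequence, uptime_ms: uptime_ms, samples: samples }
end

# Constructed datagram: one flow sample with an Ethernet/IPv4/UDP record, then an invented format 9999.
def constructed_sflow_datagram
  eth  = ["001122334455", "66778899aabb"].map { |h| [h].pack("H*") }.join + [0x0800].pack("n")
  udp  = [53000, 6343, 12, 0].pack("nnnn") + "data".b # UDP checksum left 0 (constructed)
  ipv4 = [0x45, 0, 20 + udp.bytesize, 0x1234, 0x4000, 64, 17, 0].pack("CCnnnCCn") +
         [10, 0, 0, 1].pack("C4") + [192, 0, 2, 10].pack("C4")
  frame = eth + ipv4 + udp # 46 bytes, so the record pads it to 48
  raw_rec = [1, frame.bytesize, 0, frame.bytesize].pack("N4") + frame + ("\x00" * ((4 - frame.bytesize % 4) % 4)).b
  records = [1, raw_rec.bytesize].pack("NN") + raw_rec + [9999, 8].pack("NN") + [0xdeadbeef, 0].pack("NN")
  body = [77, (0 << 24) | 5, 1024, 77 * 1024, 0, 5, 7, 2].pack("N8") + records
  sample = [1, body.bytesize].pack("NN") + body
  [5, 1].pack("NN") + [192, 0, 2, 1].pack("C4") + [0, 1001, 123_456, 1].pack("N4") + sample
end

pp decode_sflow_datagram(constructed_sflow_datagram) if __FILE__ == $PROGRAM_NAME
```

The length-driven `seek` after every record is the part worth copying into a real codec: a decoder that advances only by what it managed to parse misreads the next record as soon as an exporter sends a format it does not know, or a captured header that was padded, and from then on every field is garbage. Bounds checks in the reader turn a truncated or hostile datagram into a clean exception instead of an out-of-range read.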

@FlorianHeigl

Would be good if there was one plugin instead of now, if i count correctly, 5 ... ;-)

@untergeek
Member

@ashangit if you'd be so kind as to submit a separate request to us to add this plugin, that's how the review process will get started. You could even still remain as a [community maintainer](https://www.elastic.co/guide/en/logstash/current/community-maintainer.html) if you are so inclined.

@ashangit

@untergeek here is the created issue for the migration of this plugin: #4809

@ar-mi

ar-mi commented Sep 15, 2021

Hello! Is it possible to raise this activity again?

At the moment, I have not found any free supported ECS-compatible solution for uploading sFlow events to Elasticsearch through Logstash.

Solutions like
https://github.com/path-network/logstash-codec-sflow
https://www.elastic.co/guide/en/logstash/5.2/plugins-codecs-sflow.html
https://github.com/robcowart/elastiflow
are no longer supported and are poorly compatible with the current versions of Logstash.

The current version of Elastiflow is a closed commercial product with extremely limited functionality from the free version - https://www.elastiflow.com/subscriptions.
