Brand new to Elastiflow. Need help seeing flows in my Dashboards

Just got introduced to Elastiflow a few days ago. Set up Elastic/Kibana, imported the Elastiflow Dashboards. Not seeing any data. I’m sure I hosed the flowcoll.yml file. Just using Community Edition for now.

Double-checked my switch’s flow monitor config. Sending everything to 172.18.25.198 udp 9995

EF_LICENSE_ACCEPTED: "true"

EF_FLOW_SERVER_UDP_IP: 0.0.0.0
EF_FLOW_SERVER_UDP_PORT: 9995

EF_PROCESSOR_DECODE_IPFIX_ENABLE: "true"
EF_PROCESSOR_DECODE_SFLOW5_ENABLE: "true"
EF_OUTPUT_ELASTICSEARCH_ADDRESSES: 127.0.0.1:9200
EF_OUTPUT_ELASTICSEARCH_ALLOWED_RECORD_TYPES: as_path_hop,flow_option,flow,ifa_hop,telemetry,metric,log
EF_OUTPUT_ELASTICSEARCH_ECS_ENABLE: "true"
EF_OUTPUT_ELASTICSEARCH_ENABLE: "true"
EF_OUTPUT_ELASTICSEARCH_INDEX_PERIOD: 'rollover'
EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REPLICAS: 0
EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_SHARDS: 1
EF_OUTPUT_ELASTICSEARCH_PASSWORD: MyPassword
EF_OUTPUT_ELASTICSEARCH_TIMESTAMP_SOURCE: "start"
EF_OUTPUT_ELASTICSEARCH_TLS_CA_CERT_FILEPATH: ""
EF_OUTPUT_ELASTICSEARCH_TLS_ENABLE: "false"
EF_OUTPUT_ELASTICSEARCH_TLS_SKIP_VERIFICATION: "false"
EF_OUTPUT_ELASTICSEARCH_USERNAME: elastic

Check the logs at /var/log/elastiflow/flowcoll/flowcoll.log to make sure it is receiving/processing flow records. If so, what version of the dashboards did you import? You have ECS enabled so if you imported the CODEX dashboards you may not see data.

If you don’t see any record processing in the logs, then use tcpdump to check that packets are arriving.

Let us know how it goes!
Dexter
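A small triage script for the first step in the reply above (reading flowcoll.log for signs of record processing and for errors). This is an added example, not part of Dexter's reply and not ElastiFlow's own code: it parses the newline-delimited JSON format visible in this thread (level, ts, logger, caller, msg). The sample log lines are constructed for the script (only the first mirrors a line from the thread), and the keywords it uses to spot record activity are an assumption, not the collector's documented message strings.

```python
"""Triage a flowcoll JSON log for record activity and errors.

Added example; not ElastiFlow code. Message strings other than "version"
are assumptions and should be adjusted to what your collector version emits.
"""
import json
import re
import sys
from collections import Counter

# Constructed sample log: first line mirrors the thread, the rest are invented,
# including one deliberately broken line to show how non-JSON is handled.
SAMPLE_LOG = """\
{"level":"info","ts":"2025-01-25T15:31:49.155Z","logger":"flowcoll","caller":"flowcoll/main.go:58","msg":"version","version":"7.5.3"}
{"level":"info","ts":"2025-01-25T15:31:49.176Z","logger":"flowcoll.license[default]","caller":"envconf/logger.go:49","msg":"EF_FLOW_LICENSED_CORES=0"}
{"level":"info","ts":"2025-01-25T15:31:50.001Z","logger":"flowcoll.input.flow","caller":"udp/server.go:10","msg":"listening","addr":"0.0.0.0:9995"}
{"level":"error","ts":"2025-01-25T15:31:55.300Z","logger":"flowcoll.output.elasticsearch","caller":"es/client.go:77","msg":"connection refused","addr":"127.0.0.1:9200"}
{"level":"info","ts":"2025-01-25T15:32:00.000Z","logger":"flowcoll.processor","caller":"proc/flow.go:12","msg":"flow records processed","count":42}
this line is not JSON and is counted as unparseable
"""

# Assumed keywords for "records are moving"; tune to your collector's messages.
RECORD_KEYWORDS = re.compile(r"\b(received|decoded|processed|records?)\b", re.I)


def parse_log(text):
    """Return (entries, unparseable_count) for newline-delimited JSON text."""
    entries, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return entries, bad


def triage(entries):
    """Summarise the things worth checking first: version, level counts,
    error/fatal entries, and how many messages mention record handling."""
    levels = Counter(e.get("level", "?") for e in entries)
    version = next((e.get("version") for e in entries if e.get("msg") == "version"), None)
    errors = [(e.get("logger"), e.get("msg")) for e in entries
              if e.get("level") in ("error", "fatal")]
    record_activity = sum(1 for e in entries if RECORD_KEYWORDS.search(e.get("msg", "")))
    return {
        "version": version,
        "levels": dict(levels),
        "errors": errors,
        "record_activity": record_activity,
    }


def report(text):
    """Parse and triage a log, returning a human-readable summary string."""
    entries, bad = parse_log(text)
    summary = triage(entries)
    lines = [
        f"collector version: {summary['version']}",
        f"entries by level: {summary['levels']} (unparseable lines: {bad})",
        f"messages mentioning record handling: {summary['record_activity']}",
    ]
    if summary["errors"]:
        lines.append("errors:")
        lines.extend(f"  {logger}: {msg}" for logger, msg in summary["errors"])
    if summary["record_activity"] == 0:
        lines.append("no record activity seen; confirm packets arrive (e.g. tcpdump on the UDP port)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage_flowcoll.py /var/log/elastiflow/flowcoll/flowcoll.log
    # With no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it against the real log path from the reply; if it reports zero record activity and no error entries, the collector is probably not receiving anything, which is exactly the case where the tcpdump check in the reply applies.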

Can’t get the service to load anymore.
Yes, I enabled ECS
I’m definitely seeing the sflow on port 2055, but I’m not seeing the IPFIX traffic going to 9995. Need to double-check what’s happening there.
How do I tell what the version of the dashboards is?

$ sudo more /var/log/elastiflow/flowcoll/flowcoll.log
{"level":"info","ts":"2025-01-25T15:31:49.155Z","logger":"flowcoll","caller":"flowcoll/main.go:58","msg":"version","version":"7.5.3"}
{"level":"info","ts":"2025-01-25T15:31:49.176Z","logger":"flowcoll.license[default]","caller":"envconf/logger.go:49","msg":"EF_ACCOUNT_ID="}
{"level":"info","ts":"2025-01-25T15:31:49.176Z","logger":"flowcoll.license[default]","caller":"envconf/logger.go:49","msg":"EF_FLOW_LICENSE_KEY="}
{"level":"info","ts":"2025-01-25T15:31:49.176Z","logger":"flowcoll.license[default]","caller":"envconf/logger.go:49","msg":"EF_FLOW_LICENSED_CORES=0"}
{"level":"info","ts":"2025-01-25T15:31:49.176Z","logger":"flowcoll.license[default]","caller":"envconf/logger.go:49","msg":"EF_FLOW_LICENSED_UNITS=0"}
{"level":"info","ts":"2025-01-

journalctl -xe -u flowcoll
Jan 28 03:44:23 ubuntu-20 systemd[1]: flowcoll.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support:

-- The unit flowcoll.service has entered the 'failed' state with result 'exit-code'.
Jan 28 03:44:23 ubuntu-20 systemd[1]: flowcoll.service: Scheduled restart job, restart counter is at 5.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support:

-- Automatic restarting of the unit flowcoll.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Jan 28 03:44:23 ubuntu-20 systemd[1]: Stopped ElastiFlow Unified Collector.
-- Subject: A stop job for unit flowcoll.service has finished
-- Defined-By: systemd
-- Support:

-- A stop job for unit flowcoll.service has finished.

And now I’m seeing flows! Had to modify my flowcoll.yml a bit.
