I am the creator of ElastiFlow, the most popular solution for Network Flow analysis (Netflow, sFlow and IPFIX) based on the Elastic Stack. I have also created similar solutions for Suricata and Snort, and have a collection of other log solutions (Palo Alto, Check Point, Cisco, Juniper, and more) that I am also considering to make available on GitHub.
I am confident that many of my users would appreciate the additional security and alerting features of Open Distro for Elasticsearch. If my testing goes well, I may make this the “recommended” distribution for my solutions.
This is great news. We were just looking at ElastiFlow and were thinking of setting up a PoC but we need to have authentication and encryption available which open distro now supports out of the box.
I was running your ElastiFlow 3.5.3 with OpenSearch 1.3.4 very fine. After the update to OpenSearch 2.1.0 and ElastiFlow 4.0.1 I have connection problems with the error:
[ERROR][logstash.outputs.elasticsearch][elastiflow][0d11ab0ab489b7c44111172d0b02ee19798c0d48e24fd9c806add964e569c95b] Encountered a retryable error. Will Retry with exponential backoff {:code=>400, :url=>"https://opensearch:9200/_bulk", :body=>"{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}"}
Do you have a hint how to make Elastiflow compatible with Opensearch 2.1.0? The parameter
compatibility.override_main_response_version: true
was set.
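A check for the rejected request in the post above, added here as an example and not code from ElastiFlow or the forum: it walks an NDJSON _bulk body, reports which action/metadata lines still carry the removed _type field (the line numbering OpenSearch uses in its error), and returns a copy without it. The bulk body, index names and addresses are constructed.

```python
import json

# Constructed _bulk body in the shape the legacy Logstash output sends: an
# action/metadata line, followed by a document line for index/create/update.
# OpenSearch 2.x rejects the "_type" key with "unknown parameter [_type]".
SAMPLE_BULK = "\n".join([
    json.dumps({"index": {"_index": "elastiflow-4.0.1-2022.08.01", "_type": "_doc", "_id": "a1"}}),
    json.dumps({"flow": {"src_addr": "192.0.2.10", "dst_addr": "198.51.100.7", "bytes": 1500}}),
    json.dumps({"delete": {"_index": "elastiflow-4.0.1-2022.08.01", "_type": "_doc", "_id": "b2"}}),
    json.dumps({"create": {"_index": "elastiflow-4.0.1-2022.08.01", "_id": "c3"}}),
    json.dumps({"flow": {"src_addr": "192.0.2.11", "dst_addr": "198.51.100.8", "bytes": 64}}),
]) + "\n"

# Bulk verbs that are followed by a source line; delete has none.
ACTIONS_WITH_SOURCE = {"index", "create", "update"}


def scan_bulk_body(body):
    """Return (offending_lines, cleaned_body) for an NDJSON _bulk body.

    offending_lines holds the 1-based body line numbers of action/metadata
    lines that contain "_type"; cleaned_body is the same body with that key
    removed, which a typeless OpenSearch 2.x endpoint will accept.
    """
    lines = body.splitlines()
    offending, out = [], []
    i = 0
    while i < len(lines):
        action = json.loads(lines[i])
        (verb, meta), = action.items()          # exactly one verb per action line
        if "_type" in meta:
            offending.append(i + 1)
            del meta["_type"]
        out.append(json.dumps({verb: meta}))
        i += 1
        if verb in ACTIONS_WITH_SOURCE:          # consume the document line unchanged
            out.append(lines[i])
            i += 1
    return offending, "\n".join(out) + "\n"


if __name__ == "__main__":
    bad, cleaned = scan_bulk_body(SAMPLE_BULK)
    print("action lines with _type:", bad)
    print(cleaned)
```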
@fensterbrett as noted in the repo’s readme file, the legacy Logstash-based version of ElastiFlow has been deprecated and is no longer maintained. You should use the new ElastiFlow solution which completely replaces Logstash. Introduction | ElastiFlow