Glad to see this new initiative... and plan to ensure ElastiFlow supports it

I am the creator of ElastiFlow, the most popular solution for Network Flow analysis (Netflow, sFlow and IPFIX) based on the Elastic Stack. I have also created similar solutions for Suricata and Snort, and have a collection of other log solutions (Palo Alto, Check Point, Cisco, Juniper, and more) that I am also considering to make available on GitHub.

I am confident that many of my users would appreciate the additional security and alerting features of Open Distro for Elastisearch. If my testing goes well, I may make this the “recommended” distribution for my solutions.

1 Like

Hi @robcowart,

Thats great to hear! We encourage anyone to build on top of Open Distro for Elasticsearch. Let us know how we can help.


This is great news. We were just looking at ElastiFlow and were thinking of setting up a PoC but we need to have authentication and encryption available which open distro now supports out of the box.

hi @robcowart, any news about this? im trying to use the last version of opendistro with your latest elastiflow image but it fail to start !

have anyone got ElastiFlow to work with opendistro?

I gave it a try with in lab:
Ubuntu server 20.04
Open Distro:
java version 1.8.0_202
logstash 7.7.0
ElastiFlow v.3.5.0

I struggle to get the Logstash security stuff to work, It seems to be ok when disabling security in the Elasticsearch.yml.

@robcowart, have you done some research, does it work?

Hello robcovart,

I was running your Elastiflow 3.5.3 with Opensearch 1.3.4 very fine. After the update to Opensearch 2.1.0 and Elastiflow 4.0.1 I’ve connection problems with the error:

[ERROR][logstash.outputs.elasticsearch][elastiflow][0d11ab0ab489b7c44111172d0b02ee19798c0d48e24fd9c806add964e569c95b] Encountered a retryable error. Will Retry with exponential backoff {:code=>400, :url=>“https://opensearch:9200/_bulk”, :body=>“{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}”}

Do you have a hint how to make Elastiflow compatible with Opensearch 2.1.0? The parameter
compatibility.override_main_response_version: true
was set.

Regards, Fensterbrett

@fensterbrett as noted in the repo’s readme file, the legacy Logstash-based version of ElastiFlow has been deprecated and is no longer maintained. You should use the new ElastiFlow solution which completely replaces Logstash. Introduction | ElastiFlow