
Source field becomes incorrect when ingesting netflow data to graylog docker container #709

Open
sjwk opened this issue Jan 22, 2021 · 2 comments

Comments

@sjwk

sjwk commented Jan 22, 2021

Expected Behavior

Source field should be correct and show the IP of the Netflow source

Current Behavior

TLDR: In graylog container, something triggers the netflow input to switch from storing the correct source field to storing the internal gateway IP for the docker network the container is in.

I'm running graylog, elasticsearch and mongo as containers from a docker-compose file more or less the same as that given in the documentation.
I have a Netflow input set up, override_source is not set. Into that I am feeding Netflow v9 records from two different systems, running different netflow probe software (a Linux box running netprobe and a BSD box running softflowd). All is well, and the data is correct. At some point, something happens, and the source field in the data changes from the IP of the netflow probe machine to the IP of the internal gateway of the docker network. This happens to data from both netflow probe machines.

I believe from a small amount of testing that the 'something' that triggers it is the restart of the docker container, whether by the host updating docker or stopping/starting the container. That certainly seemed to cause it to start to use the docker host's IP as the source rather than the actual IPs but there may be other triggers.
Once in that state, restarting the probe software on the remote boxes seems to be the only way to get it to start logging the correct source field again.

The issue does seem to be specific to the Netflow module, other inputs (beats, syslog) are working fine. I can't currently test whether there's any way to trigger the same issue on a non-container version.

Context

It's problematic if I want to search based on which box sent netflow data, or to apply pipeline rules to normalize the data coming from the two sources if I relied on that obvious field to tell the sources apart.

Your Environment

  • Graylog Version: Graylog 4.0.1+6a0cc0b (docker container tag graylog/graylog:4.0)
  • Java Version: 1.8.0_275
  • Elasticsearch Version: 7.10.1 (docker container tag elasticsearch-oss:7.10.1)
  • MongoDB Version: 3 (docker container tag mongo:3)
  • Operating System: Ubuntu 18.04
  • Browser version:
  • Docker version: 20.10.2
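A quick way to check whether an existing Graylog index is affected by the behaviour described above is to audit the stored `source` values against the addresses you expect. The script below is an added example, not code from the issue or from Graylog: it takes a list of message dicts as a search export might provide them, classifies each `source` as a known probe, an address inside the Docker bridge network (the symptom reported here), or something else, and reports the earliest timestamp at which a Docker-network address appeared so it can be lined up with a container restart. The sample messages, the probe addresses and the `172.18.0.0/16` bridge range are constructed for this example; the field name `source` is the one from the issue, the other field names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of stored Netflow messages. Only "source" is a field named
# in the issue; "timestamp" and "nf_version" are assumed names for this example.
SAMPLE_MESSAGES = [
    {"source": "192.0.2.10",    "nf_version": 9, "timestamp": "2021-01-22T10:00:00Z"},
    {"source": "192.0.2.20",    "nf_version": 9, "timestamp": "2021-01-22T10:00:01Z"},
    {"source": "172.18.0.1",    "nf_version": 9, "timestamp": "2021-01-22T11:00:00Z"},
    {"source": "172.18.0.1",    "nf_version": 9, "timestamp": "2021-01-22T11:00:01Z"},
    {"source": "198.51.100.7",  "nf_version": 9, "timestamp": "2021-01-22T11:00:02Z"},
]

# Constructed: the two probe hosts (netprobe and softflowd) the reporter feeds in.
KNOWN_PROBES = {"192.0.2.10", "192.0.2.20"}

# Constructed: the bridge network the Graylog container sits in. Take the real
# value from `docker network inspect <network>` (the "Subnet" and "Gateway" keys).
DOCKER_NETWORK = ipaddress.ip_network("172.18.0.0/16")


def classify_source(src, known_probes=KNOWN_PROBES, docker_net=DOCKER_NETWORK):
    """Return 'probe', 'docker_gateway' or 'unknown' for one source value."""
    if src in known_probes:
        return "probe"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Not an IP at all (e.g. a hostname): nothing to compare against the bridge range.
        return "unknown"
    if addr in docker_net:
        # The container-side address replaced the real exporter: the symptom in this issue.
        return "docker_gateway"
    return "unknown"


def audit(messages, known_probes=KNOWN_PROBES, docker_net=DOCKER_NETWORK):
    """Count messages per classification so a non-zero 'docker_gateway' bucket stands out."""
    counts = Counter(
        classify_source(m.get("source", ""), known_probes, docker_net) for m in messages
    )
    return dict(counts)


def first_mislabelled(messages, known_probes=KNOWN_PROBES, docker_net=DOCKER_NETWORK):
    """Earliest timestamp whose source is inside the Docker network, or None if clean.

    Timestamps are ISO-8601 strings, so lexical order is chronological order.
    """
    hits = [
        m["timestamp"]
        for m in messages
        if classify_source(m.get("source", ""), known_probes, docker_net) == "docker_gateway"
    ]
    return min(hits) if hits else None


if __name__ == "__main__":
    print(audit(SAMPLE_MESSAGES))
    print("first Docker-network source seen at:", first_mislabelled(SAMPLE_MESSAGES))
```

Feed it a search export restricted to the Netflow input; a non-empty `docker_gateway` bucket whose first timestamp follows a container restart matches the behaviour reported here, and the `unknown` bucket catches exporters you forgot to list. The issue itself does not establish the mechanism; one known way for a container to see the bridge address instead of the real UDP sender is Docker's userland proxy forwarding published UDP ports from its own address, which is worth ruling in or out when reproducing.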
@bernd bernd transferred this issue from Graylog2/graylog2-server Jan 25, 2021
@mfz0r

mfz0r commented Apr 13, 2021

Any update on this? Can confirm this exact issue is happening in my environment

@sjwk
Author

sjwk commented Jun 30, 2021

Is there any further information I can provide to try and come up with a fix?
