0

I have a very high volume Netflow input stream, and I was hoping that I could run multiple instances of Filebeat and load-balance the Netflow traffic over the Filebeat instances, and then write to a single remote Elasticsearch.

I've read about load-balancing to multiple outputs, but I'm looking for load-balancing from multiple inputs.

I can split the Netflow input over 2 physical ports, but I'm not sure how I can configure 2 instances of Filebeat to each be tied to a specific physical port.

Rayne
  • 211
  • 2
  • 14
  • In general : two start-up scripts for filebeat that each load a different and unique configuration file that configures each instance to listen to different ports i.e. with different `var.netflow_host` and `var.netflow_port` settings. Or is your problem more complicated? – HBruijn May 12 '23 at 07:20
  • I thought `var.netflow_port` refers to the UDP port of the netflow (IPFIX in my case) packets? I currently have filebeat listen to Port 4739, which is the dest port of the IPFIX packets. All of the packets would be sending to Port 4739. Is `var.netflow_host` the interface IP? If so, I might be able to configure the IPFIX packets to send to 2 different IP address, for each of the interfaces. I currently have it set to `0.0.0.0` as I only have one input. – Rayne May 12 '23 at 08:46

0 Answers0