Setting up netflow ingestion - error

[dstetler-ecs]

Receiving the following error after following the video to enable netflow ingestion on my security onion appliance (standard installation). Ran the below command:

docker exec -i so-filebeat filebeat setup modules -pipelines -modules netflow -c /usr/share/filebeat/module-setup.yml

received this message:
Exiting: module netflow is configured but has no enabled filesets

ran thru the video again to verify all settings and all appear correct

New to security onion so any help would be appreciated

[weslambert]

The netflow module should already be configured for the latest version of Security Onion.

If you must manually enable a fileset, you can do so with the following:

docker exec -it so-filebeat filebeat module setup --pipelines --modules netflow -M "netflow.log.enabled=true" -C /usr/share/filebeat/module-setup.yaml or add the configuration to the pillar:

third_party_filebeat:
  modules:
    netflow:
      log:
        enabled: true

...then run salt-call state.apply common and run so-filebeat-module-setup.

[dstetler-ecs]

thank you! I was able to enable the fileset

[kingtriumph]

I've been trying to get the netflow module to work for filebeat and I've tried the above command string to manually enable the fileset. It just returns syntax errors. I copied and pasted the command and verified it is exactly the same as written in the accepted answer. First it tells me that "module" is an unknown command for "filebeat". If I change the command to "modules", then it rejects --pipelines as an unknown flag. Has this changed in the last few months for some reason?

[cerskus]

sudo docker exec -it so-filebeat filebeat setup modules --pipelines --modules netflow -M "netflow.log.enabled=true" -c /usr/share/filebeat/module-setup.yml