This shows a POC for using TerminAttr on vEOS to stream data from vEOS SysDB to Kafka.

All of this is done using Docker containers.

Some sources:

Next Steps for this README.

  • These are rough notes - need to improve overall structure
  • Look at logstash (see if it can export to OpenTSDB)
  • Look at running OpenTSDB in a container
  • Look at running Grafana in a container and collecting from OpenTSDB
  • Get some graphs going in Grafana

First we need to start a Kafka container. For ease, we are using a container built by Spotify that contains Kafka and Zookeeper in one image.

Run container:

docker pull spotify/kafka
docker run -d -p 2181:2181 -p 9092:9092 --hostname kafka --env ADVERTISED_HOST= --env ADVERTISED_PORT=9092 --name kafka spotify/kafka

Create Topic:

docker exec kafka /opt/kafka_2.11- --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic arista_test

List Topics:

docker exec kafka /opt/kafka_2.11- --list --zookeeper localhost:2181

In a new SSH window - start a producer

docker run -it --rm --link kafka spotify/kafka /opt/kafka_2.11- --broker-list --topic arista_test

In a new SSH window - start a consumer

docker run -it --rm --link kafka spotify/kafka /opt/kafka_2.11- --bootstrap-server --topic arista_test --from-beginning

Now send messages in the producer window, ending each message with a carriage return. These should appear in the consumer window.
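The docker run for the kafka container above publishes 2181 and 9092 with -p and no bind address, so Docker binds them on every host interface. The check below is an added example, not part of the original notes: it reads docker port output and lists such bindings; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Reads `docker port <container>` output on stdin and prints one line for each
# published port bound to a wildcard address (reachable on any host interface).
# Prints nothing when every binding is on a specific address.
wildcard_binds() {
  awk '
    # Lines look like: 9092/tcp -> 0.0.0.0:9092
    $2 == "->" {
      bind = $3
      host = bind
      sub(/:[0-9]+$/, "", host)   # strip the trailing :port
      if (host == "0.0.0.0" || host == "::" || host == "[::]")
        printf "%s published on all interfaces (%s)\n", $1, bind
    }'
}

# Constructed sample: what `docker port kafka` prints for the run command above.
sample_kafka='2181/tcp -> 0.0.0.0:2181
9092/tcp -> 0.0.0.0:9092'

# Constructed sample: the same ports published with -p 127.0.0.1:2181:2181
# and -p 127.0.0.1:9092:9092 instead.
sample_loopback='2181/tcp -> 127.0.0.1:2181
9092/tcp -> 127.0.0.1:9092'

# Live use (requires Docker): docker port kafka | wildcard_binds
printf '%s\n' "$sample_kafka" | wildcard_binds
printf '%s\n' "$sample_loopback" | wildcard_binds
```

The same function can be pointed at the vEOS and ELK containers to see where 6042 and 9200 end up bound.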

Second, we use vrnetlab to spin up a vEOS image. Here we are using 4.20.1F. Details on how to spin up vEOS are out of scope here, but the modifications to the script and Dockerfile are captured below.

Edit common/ to add the ability to listen on port 6042, where gRPC is going to listen on the vEOS container:

Add/alter these lines in the relevant places:

        res.append("user,id=p%(i)02d,net=,tftp=/tftpboot,hostfwd=tcp::2022-,hostfwd=udp::2161-,hostfwd=tcp::2830-,hostfwd=tcp::26042-" % { 'i': 0 })
        run_command(["socat", "TCP-LISTEN:6042,fork", "TCP:"], background=True)       

Edit veos/docker/Dockerfile and expose port 6042

EXPOSE 22 161/udp 830 5000 6042 10000-10099

Now, once the vEOS container is up and running, add the following config:

conf t

event-handler Terminattr
   trigger on-boot
   action bash /usr/bin/TerminAttr -grpcaddr -allowed_ips -disableaaa

The final part is to use ockafka to connect to gRPC on vEOS and forward to Kafka.

You will need to know the IP address of the vEOS container:

docker inspect --format '{{.NetworkSettings.IPAddress}}' my-veos-router

Now pull down the ockafka Docker image and link it to the kafka container from earlier. -addrs is the vEOS container IP, -kafkatopic is the topic name that was set earlier, and -subscribe doesn't need to be set but can be if you only want a particular set of information.

docker pull aristanetworks/ockafka
docker run --link kafka aristanetworks/ockafka -addrs -kafkaaddrs -kafkatopic arista_test -subscribe /Sysdb/

Once everything is up and running, you should start to see messages coming through in the consumer terminal window:


Now on to ELK stack:

git clone
cd docker-elk
sudo docker-compose up

Test Elasticsearch

curl localhost:9200

You should see the following output:

{
  "name" : "W3NuLnv",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "fauVIbHoSE2SlN_nDzxxdA",
  "version" : {
    "number" : "5.2.1",
    "build_hash" : "db0d481",
    "build_date" : "2017-02-09T22:05:32.386Z",
    "build_snapshot" : false,
    "lucene_version" : "6.4.1"
  },
  "tagline" : "You Know, for Search"
}

Test Kibana:


Now edit the pipeline config file:

nano ./logstash/pipeline/logstash.conf

input {
  kafka {
    bootstrap_servers => ""
    topics => "arista_test"
  }
}

filter {
  date {
    match => [ "timestamp", "UNIX_MS" ]
    remove_field => [ "timestamp" ]
  }
  json {
    source => "message"
    remove_field => [ "message" ]
  }
  geoip {
    source => "dataset"
  }
}

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    index => "logstash-%{+YYYY.MM.dd}"
  }
}

Restart logstash:

docker restart dockerelk_logstash_1

Now, if everything is okay and talking, indices should appear when browsing to:

health status index               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logstash-2017.12.21 ux0H7pRfTi2BxzQmiB5FwQ   5   1      51654            0        7mb            7mb

You should be able to point Kibana at the indices:

The index pattern should match the index above, in this case "logstash-2017.12.21".