fascinated with tofu
Home Archives IT Music
Home Archives IT Music

Visualizing Netflow version 9 on ELK

IT

Kibana Dashboard Sample - DstIP Count

prerequirement

router setting

1
2
3
4
5
sho ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 30-Jan-14 02:12 by prod_rel_team
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
flow record ELK-r
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing forwarding-status
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect timestamp absolute first
 collect timestamp absolute last

flow exporter ELK-e
 destination *collectorIpAddr*
 transport udp 9996
 template data timeout 15
 option interface-table timeout 15
 option exporter-stats timeout 15
 option application-table timeout 15
 option application-attributes timeout 15

flow monitor ELK-m
 exporter ELK-e
 cache timeout active 60
 record EFK-r

Interface *hoge*
 ip flow monitor EFK-m input
 ip flow monitor EFK-m output

start logstash service

/opt/logstash/bin/logstash -f /etc/logstash/conf.d/1-netflow.conf & 

If collector correctly begin to receive netflow, console looks like:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
{
    "@timestamp" => "2015-08-24T10:04:08.000Z",
       "netflow" => {
               "version" => 9,
          "flow_seq_num" => 23504,
            "flowset_id" => 260,
         "ipv4_src_addr" => "0.0.0.0",
         "ipv4_dst_addr" => "255.255.255.255",
            "input_snmp" => 16,
           "l4_src_port" => 49460,
           "l4_dst_port" => 10067,
               "src_tos" => 0,
              "protocol" => 17,
             "tcp_flags" => 0,
               "min_ttl" => 254,
               "max_ttl" => 254,
         "ipv4_next_hop" => "0.0.0.0",
              "in_bytes" => 134,
               "in_pkts" => 1,
        "first_switched" => "2015-08-24T10:03:53.999Z",
         "last_switched" => "2015-08-24T10:03:53.999Z",
           "output_snmp" => 0
    },
      "@version" => "1",
          "host" => "10.71.146.222"
}

If you see error messages like:

1
2
No matching template for flow id 260 {:level=>:warn}
Unsupported field {:type=>152, :length=>8, :level=>:warn}

You could define length or skip them.

vi /etc/logstash/codec/v9.yaml 

1
2
260:
- :skip

original netflow codec - Github