Netflow monitor

This project contains all the components and documentation necessary to start collecting and visualizing Netflow data using Splunk. The dashboard allows administrators and security professionals to capture network traffic data and analyze flows to determine possible bottlenecks and/or security incidents across the corporate network.

Components

  • Your Netflow log source (i.e. Firewall/Network Gateway) - Cisco Meraki was used during this project.
  • Logstash - Version 6.3 was used for this project.
  • Splunk - Version 6.4.3 was used for this project.

Data flow

  • The Netflow agent (Firewall) sends data to Logstash on UDP Port 777.
  • Logstash receives the data on UDP Port 777 and decodes the Netflow packets.
  • Logstash sends the decoded Netflow packets to Splunk over UDP Port 555.
  • Splunk ingests the packets and displays the visualizations/alerts/etc.

Why not use Splunk's built in Netflow collector instead of Logstash?

Splunk has a built-in Netflow collector that can be easily configured using the built-in scripts available as part of the Splunk Add-on for Netflow. More documentation on how to configure the add-on and the binaries to collect Netflow data is available here. Unfortunately, the add-on doesn't work, or doesn't work well (from my testing), in a Docker container, which for my purposes otherwise seemed to do the job well. I didn't spend much time looking into the issue, but I'm guessing the Netflow binaries need some low-level hook access to the OS which might not be available in a Docker container. In a production environment, I would recommend a dedicated server for Splunk depending on how much data you're ingesting, and definitely not in a Docker container or you'll see some pretty big performance impact.

Logstash was simple enough to set up in a separate container, and specifically for this project all I needed was a UDP input, then to decode the data (Netflow codec), then forward the decoded data over to Splunk for analysis.

Setup

Official Documentation: Installing Logstash

Check Java Version:

This deployment assumes both reside on the same server. This is not a requirement, but if Logstash and Splunk are residing on separate servers on separate networks, Logstash must be able to communicate with UDP Port 555 on the Splunk server.

Outbound Firewall Rule: Corp Network > UDP 777 > Ubuntu Server.

Dashboard

Panels: Flows by Destination Port; Flows by Destination Port Over Time; Bytes; Non-US Traffic Flows, Source and Destination.

Searches behind the panels (the grouping field after "by" in the two byte-total searches is cut off on the original page):

Flow count by destination port, excluding port 0 (single quotes around the field name in where, since double quotes there mean a string literal):

    source="netflow" | where 'netflow.l4_dst_port' != "0" | stats count("netflow.l4_dst_port") by "netflow.l4_dst_port" | sort count("netflow.l4_dst_port") desc | head

Outbound bytes per minute:

    source="netflow" sourcetype="netflow" | bucket _time span=1m | stats sum("netflow.out_bytes") as "Out Bytes" by

Inbound bytes per minute:

    source="netflow" sourcetype="netflow" | bucket _time span=1m | stats sum("netflow.in_bytes") as "In Bytes" by

Destination geolocation for the traffic map:

    source="netflow" | iplocation netflow.ipv4_dst_addr | geostats count(Country) latfield=lat
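As an added example (not code from the original post or from Logstash/Splunk), here is a small NetFlow v5 decoder in Python that does what the Logstash netflow codec does for the UDP input, then computes the same aggregates as the dashboard searches: flow count by destination port with port 0 dropped, and byte totals by destination. Field names follow the ones the searches use; the export packet is constructed inline, not captured from a Meraki.

```python
import socket
import struct
from collections import Counter, defaultdict

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def decode_v5(packet):
    """Decode one export datagram into flat records named like the codec's fields."""
    version, count = V5_HEADER.unpack_from(packet)[:2]  # struct.error if shorter than 24 bytes
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated packet: header announces more records than present")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"netflow.ipv4_src_addr": socket.inet_ntoa(r[0]),
                      "netflow.ipv4_dst_addr": socket.inet_ntoa(r[1]),
                      "netflow.in_pkts": r[5], "netflow.in_bytes": r[6],
                      "netflow.l4_src_port": r[9], "netflow.l4_dst_port": r[10],
                      "netflow.protocol": r[13]})
    return flows

def flows_by_dst_port(flows, limit=10):
    """where l4_dst_port != 0 | stats count by l4_dst_port | sort count desc | head"""
    ports = Counter(f["netflow.l4_dst_port"] for f in flows if f["netflow.l4_dst_port"] != 0)
    return ports.most_common(limit)

def bytes_by_dst_addr(flows):
    """stats sum(in_bytes) by ipv4_dst_addr: per-destination byte totals."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["netflow.ipv4_dst_addr"]] += f["netflow.in_bytes"]
    return dict(totals)

def make_v5_packet(flows):
    """Build a constructed export from (src, dst, sport, dport, proto, pkts, octets) tuples."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1700000000, 0, 1, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                                   1, 2, pk, oc, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, sp, dp, pr, pk, oc in flows)
    return header + body

# Constructed sample: three TCP/UDP flows plus one ICMP flow (ports 0, which the search drops).
SAMPLE = make_v5_packet([("10.0.0.5", "93.184.216.34", 51000, 443, 6, 12, 5400),
                         ("10.0.0.7", "93.184.216.34", 51001, 443, 6, 8, 2100),
                         ("10.0.0.5", "8.8.8.8", 51002, 53, 17, 1, 70),
                         ("10.0.0.9", "10.0.0.1", 0, 0, 1, 3, 180)])
```

Feeding the decoder from a real UDP socket bound to port 777 is the only missing piece; the length check matters there because a collector that trusts the header's record count will read past the end of a short datagram.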