Check Point NetFlow and Elasticsearch

Hi Guys,

Has anyone here been able to successfully configure NetFlow on Check Point with Elasticsearch? Is there any such use case? If anyone can, could you help me with the Logstash configuration?

If you are having problems, then sharing those will help us help you :)

This is the config I use for my netflow.

input {
  udp {
    port  => 9995
    type  => "netflow"
    # Only NetFlow v9 is decoded here; add 5 to the list if the exporter
    # (Check Point, pfSense, FortiGate, ...) is configured for NetFlow v5.
    codec => netflow {
      versions => [9]
    }
  }
}

filter {
  # Copy the addresses into *_host fields so the dns filter can replace the
  # copies with hostnames while the raw addresses stay intact for searching.
  # Guarded so that a flow without an IPv4 address (e.g. IPv6) does not end up
  # with the literal string "%{[netflow][ipv4_dst_addr]}" in the host field.
  if [netflow][ipv4_dst_addr] {
    mutate {
      add_field => { "[netflow][ipv4_dst_host]" => "%{[netflow][ipv4_dst_addr]}" }
    }
  }
  if [netflow][ipv4_src_addr] {
    mutate {
      add_field => { "[netflow][ipv4_src_host]" => "%{[netflow][ipv4_src_addr]}" }
    }
  }

  # Copy the destination port (as a string) and replace the copy with a
  # service name from the YAML dictionary; unmatched ports keep the number.
  if [netflow][l4_dst_port] {
    mutate {
      add_field => { "[netflow][l4_dst_port_translation]" => "%{[netflow][l4_dst_port]}" }
    }
    translate {
      dictionary_path => "/etc/logstash/port_translation.yaml"
      field           => "[netflow][l4_dst_port_translation]"
      destination     => "[netflow][l4_dst_port_translation]"
      override        => true
    }
  }

  # Reverse-resolve both addresses. NetFlow volumes are high and lookups are
  # synchronous, so cache hits and misses (TTLs in seconds) to keep the
  # pipeline from stalling on slow or failing resolvers.
  dns {
    action            => "replace"
    reverse           => ["[netflow][ipv4_dst_host]"]
    hit_cache_size    => 10000
    hit_cache_ttl     => 300
    failed_cache_size => 10000
    failed_cache_ttl  => 60
  }
  dns {
    action            => "replace"
    reverse           => ["[netflow][ipv4_src_host]"]
    hit_cache_size    => 10000
    hit_cache_ttl     => 300
    failed_cache_size => 10000
    failed_cache_ttl  => 60
  }
}

output {
  if [type] == "netflow" {
    elasticsearch {
      hosts    => ["localhost:9200"]
      user     => "logstash_internal"
      password => "logstash"
      index    => "netflow-%{+YYYY.MM.dd}"
    }
  }
}

Not pretty, but it works. It also performs a reverse lookup on IPs and matches port numbers to a dictionary file, so on my dashboard I see HTTP/HTTPS/DNS etc. instead of the port number.

@Sjaak Does this work with Check Point? Did you try that with any NetFlow or sFlow?

I've used that config for pfSense and FortiGate. It should work for every device that can export NetFlow data.

Cool... let me try that with my ELK stack. And what about the template?

The Logstash netflow codec should generate that. If you look at the logs you might see some mismatched template errors, but as far as I can tell that never really affected my data.

And what should the port_translation.yml file under /etc/logstash contain?

Well, how about geo_point? I am unable to generate a geo_point using that Logstash file and the netflow index.
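The two questions above (what goes in the port dictionary, and why no geo_point appears for the netflow index) are not answered in the thread. The pipeline fragment below is an added example, not code posted by anyone here: it shows the port-to-service pairs written inline with the translate filter's `dictionary` option (the YAML file referenced by `dictionary_path` holds exactly the same pairs, one `"80": HTTP` line each), adds a geoip stage, and makes the elasticsearch output install its own index template. The template path, template name and the `geoip_src` field name are assumptions; the port list is a constructed sample.

```logstash
filter {
  # Port-to-service mapping written inline. The file form used by
  # dictionary_path holds the same pairs, one per line, e.g.
  #   "80": HTTP
  #   "443": HTTPS
  # Keys are quoted so they stay strings; translate compares the looked-up
  # field value as a string, so an integer l4_dst_port of 80 matches "80".
  if [netflow][l4_dst_port] {
    translate {
      field       => "[netflow][l4_dst_port]"
      destination => "[netflow][l4_dst_port_translation]"
      dictionary  => {
        "22"   => "SSH"
        "25"   => "SMTP"
        "53"   => "DNS"
        "80"   => "HTTP"
        "443"  => "HTTPS"
        "3389" => "RDP"
      }
      # Ports not in the dictionary keep their number instead of being dropped.
      fallback => "%{[netflow][l4_dst_port]}"
    }
  }

  # Enrich the source address with GeoIP data. One side of a firewall flow is
  # usually a private address; the lookup yields nothing for those and the
  # event is tagged _geoip_lookup_failure, which is harmless.
  if [netflow][ipv4_src_addr] {
    geoip {
      source => "[netflow][ipv4_src_addr]"
      target => "[netflow][geoip_src]"   # assumed field name
    }
  }
}

output {
  if [type] == "netflow" {
    elasticsearch {
      hosts    => ["localhost:9200"]
      user     => "logstash_internal"
      password => "logstash"
      index    => "netflow-%{+YYYY.MM.dd}"
      # The default template shipped with this output maps geoip.location as
      # geo_point only for indices named logstash-*. An index called
      # netflow-* never matches it, so Kibana sees plain numbers. Point the
      # output at a template of your own (path and name are assumptions).
      template           => "/etc/logstash/netflow-template.json"
      template_name      => "netflow"
      template_overwrite => true
    }
  }
}
```

The template file has to match `netflow-*` in its index pattern and declare the location field explicitly, i.e. under the `netflow` object's properties a `geoip_src` object whose `location` property is `{ "type": "geo_point" }`. Because a mapping cannot be changed on an existing index, the template only takes effect for indices created after it is installed; reindex or wait for the next day's `netflow-YYYY.MM.dd` index before expecting a map visualisation to work.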
