Hi,
I'm trying to replace the Filebeat netflow module with the Elastic integration "netflow" that is deployed on a policy running on a few servers.
Flows are indexed properly, but there is no way to set the internal_networks parameter to allow the network direction field to be set.
In Filebeat, we can set that as a config for the netflow module, but as an integration in Fleet there is no parameter called internal_networks.
I tried setting that parameter in the textbox called "Custom definitions", but that is not intended for that purpose and the agent failed to start.
How can we do this? Any docs?
Regards,
Andres.
Hey @Andres_Altamirano - thanks for flagging this. We've just merged a PR to add the internal_networks parameter to the Netflow integration. You should see an update available (to v2.6) to the integration, which will expose the parameter.
opened 04:20PM - 21 Mar 23 UTC
closed 08:49AM - 22 Mar 23 UTC
enhancement
Team:Security-External Integrations
Integration:Netflow
Our Filebeat Netflow module includes an option called `internal_network` with the following description:
_A list of CIDR ranges describing the IP addresses that you consider internal. This is used in determining the values of source.locality, destination.locality, and flow.locality. The values can be either a CIDR value or one of the named ranges supported by the [network](https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network) condition. The default value is [private] which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal._
The Netflow integration does not include this option, which is preventing users from being able to set the network direction. Can we add this setting to the integration?
Relevant discuss issue: https://discuss.elastic.co/t/internal-networks-setting-for-netflow-integration/327586
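To see why the setting matters for direction-based detections, here is a small model of the classification the quoted description outlines. It is an added example, not code from Elastic or from the posts above; the function names, the flow-locality rule, the direction mapping and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# "private" per the quoted description: RFC 1918 (IPv4) and RFC 4193 (IPv6).
# Assumption: fc00::/7 is the RFC 4193 block; the exact prefix Beats matches
# is not shown on the page.
NAMED_RANGES = {"private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"]}

# Assumption: direction is derived from the (source, destination) locality pair.
DIRECTION = {
    ("internal", "internal"): "internal",
    ("internal", "external"): "outbound",
    ("external", "internal"): "inbound",
    ("external", "external"): "external",
}


def expand(internal_networks):
    """Resolve CIDR strings and named ranges into ip_network objects."""
    return [ipaddress.ip_network(cidr)
            for entry in internal_networks
            for cidr in NAMED_RANGES.get(entry, [entry])]


def locality(ip, nets):
    """'internal' if ip falls in any configured network, else 'external'."""
    addr = ipaddress.ip_address(ip)
    # An IPv4 address is never "in" an IPv6 network (and vice versa).
    return "internal" if any(addr in net for net in nets) else "external"


def classify(src, dst, internal_networks=("private",)):
    """Model the locality fields and the resulting direction for one flow."""
    nets = expand(internal_networks)
    s, d = locality(src, nets), locality(dst, nets)
    return {
        "source.locality": s,
        "destination.locality": d,
        # Assumption: a flow is internal only when both endpoints are.
        "flow.locality": "internal" if s == d == "internal" else "external",
        "network.direction": DIRECTION[(s, d)],
    }


if __name__ == "__main__":
    # Constructed flow: a site that uses 198.51.100.0/24 (documentation range) internally.
    flow = ("198.51.100.10", "10.1.2.3")
    print(classify(*flow))  # default [private]
    print(classify(*flow, internal_networks=["private", "198.51.100.0/24"]))
```

With only the default in place, east-west traffic from publicly numbered internal hosts is labelled inbound, which skews any rule or dashboard keyed on direction.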