Looking for advice on a use case for NetFlow

Hello everyone from the elastic community! This will be my first topic here. Hoping to get some insights from everyone.

I am very new to elastic. I was able to install and run elk stack on docker, thanks to the official documentation and a few tutorials I found online.

My goal was to get netflow data from a router that we currently have. Tried to use filebeat with netflow module but wasn't able to make it work. Couldn't get any data. Tried fleet/agent netflow record integration and after a few tutorials from here and there, I was able to get Netflow data.

So my question is:
I am currently getting data at 'Source Autonomous Systems'. Please refer to photo below for the sample output.

In the graph at the y-axis, is this referring to the size (in Bytes) of the logs instead of the amount of traffic at the interface?

What I'm trying to achieve here is to get the amount of traffic on the configured interface and if its possible, the amount of traffic per AS also. I'm not sure if I'm using NetFlow Records correctly, or if my assumptions about NetFlow are wrong. Or do I need additional configurations to achieve the said goal?

Best regards

This graph should be showing the sum of bytes from the flows received.

It may be helpful to use discover to look at the raw flows to get a better idea what fields are available to visualize.

There's actually not a really straightforward way to graph the size of documents in an index so graphs like this will be related to the size as reported in the flows

Thank you for the feedback.

Not sure if I have solved my problem. I tried to adjust the NetFlow sampling on the configured router and the values on the graph started to increase.

I now have a feeling that there's really nothing wrong with the NetFlow module on ES.

If your router is sampling netflow, that means that it's only sending a percentage of the total possible net flow records to elastic.

Sampling is useful to understand trends and common traffic patterns but it's not a good way to understand utilization of a link.

To understand utilization of a link you will want to either extrapolate based on the sampling percentage (say by using a lens formula, if your router Is sending 1% of total net flow records then you would multiply the sum of the packet size by 100) or turn off sampling and have the router send 100% of netflow records to elastic.

Extrapolating based on samples generates less netflow traffic from the device but would result in at best an approximation. Sending all netflow traffic may be a large amount of netflow events, but would give you a more accurate picture of your link utilization over time.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.