Hello friends,
We want to replace our old system for viewing Netflow (Nfsen) information with ELK. For this, we used the netflow module for Logstash. But we see fewer packets and bytes than it actually is.
For example:
In Nfsen - it is correct information:
| Dst IP Addr | Flows | Packets | Bytes |
|---|---|---|---|
| 172.26.0.2 | 335 | 34200 | 17.5 M |
| 172.27.227.135 | 283 | 358500 | 26.0 M |
| 172.27.227.131 | 204 | 33300 | 5.5 M |
Time window: 2020-06-22 08:59:07 - 2020-06-22 09:19:06
during the same time in ELK:
| netflow.dst_addr.keyword | flow | packets | bytes |
|---|---|---|---|
| 172.26.0.2 | 335 | 342 | 175,391 |
| 172.27.227.135 | 283 | 3,585 | 260,164 |
| 172.27.227.131 | 204 | 333 | 55,476 |
I do not understand why the number of packets and bytes is 100 times less.
ELK version - 7.3.2. Netflow codec v5, equipment - juniper mx80.