Hi,
I started to learn more about neflow in my home lab but soon realized the Filebeat Netflow module is a bit too simple.
The short question: is there an easy way to enrich netflow data from filebeat?
I think they can be divided into 2 groups:
-
Static:
There is a filed called "netflow.protocol_identifier", it is just a number hard to read for a human and looks bad during a filter or a riport. Is it possible to "translate" the fields to a common nem like : TCP, UDP instead of 6, 17. -
Dynamic:
Based on the vendor you can assign APP ID (netflow.application_id), Interface ID (netflow.ingress_interface, netflow.egress_interface), VRF ID (netflow.egress_vrfid) and so on.
It would be better to see a friendly name of the app instead of an ID and try to manually decrypt it.
There are other fields listed here that an be changed and belong to the 1. or 2. group:
I found a community project called elastiflow that meets the above requirements:
"Support for Option Templates - Dynamic enrichment of network interface name and application names and more!"
"Fully decodes and translates all available data - DSCP, TCP Options, ECN, Fragmentation Flags, and more."
Is there a similar easy way to do that using the officially supported Filebeat module or do I have to rely on a community project?
And a bonus question:
I can configure address ranges at: var.internal_networks and it determinates the values of source.locality , destination.locality , and flow.locality.
Is there an easy way to create custom groups?
For example: DMZ, Server, Office, Internet, Frontend, Backend...?