Installed Elasticsearch 7.3.2 for storing logs,
installed Logstash 7.3.2 for both shipping as well as processing,
and installed Kibana as the visualization tool.
All three components are installed on the same machine, and the netflow module is enabled to capture the flow logs from routers and switches to analyze the bandwidth and traffic flow.
I am able to successfully get all the traffic, except the interface information, like on which interface the packet was captured, for example Gi0/0 or E1/1 or serial, or at least the interface description.
Added the entries below in "/etc/logstash/logstash.yml" (to enable the netflow module on the ELK server):

```
modules:
  - name: netflow
    var.input.udp.port: 9995
    var.elasticsearch.hosts: http://127.0.0.1:9200
    var.elasticsearch.ssl.enabled: false
    var.kibana.host: 127.0.0.1:5601
    var.kibana.scheme: http
    var.kibana.ssl.enabled: false
    var.kibana.ssl.verification_mode: disable
```
To start the netflow module:

```
./bin/logstash --path.settings /etc/logstash --modules netflow --setup &
```
Configuration enabled on the router/switch:

```
flow exporter FLOW_ESLOKB
 destination xx.xx.xx.xx
 source GigabitEthernet0/0
 transport udp 9995
 export-protocol netflow-v5
flow monitor FLOW_MON
 exporter FLOW_ESLOKB
 cache timeout active 60
 record netflow-original
!
interface Gi0/0
 ip flow monitor FLOW_MON input
 ip flow monitor FLOW_MON output
```
Regards,
Elaya Raja
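The reason the interface name never shows up is in the export format itself: a NetFlow v5 record identifies interfaces only by their SNMP ifIndex (the 16-bit "input" and "output" fields of each 48-byte record); the exporter never sends a name like "Gi0/0" or an interface description. The Logstash netflow codec surfaces these as the `input_snmp` and `output_snmp` fields, so a name has to be added on the collector side from an ifIndex-to-ifName table (for example one built from an SNMP walk of IF-MIB::ifName). The script below is an added example, not code from the original post or from the Logstash project: it builds a constructed v5 datagram, decodes the header and records, and enriches each flow with an interface name from a constructed ifIndex table, marking any ifIndex that is not in the table so gaps in the mapping are visible rather than silently dropped.

```python
"""Decode NetFlow v5 datagrams and attach interface names to each flow.

NetFlow v5 carries interfaces only as SNMP ifIndex values, so names must be
looked up on the collector. The datagram bytes and the ifIndex table in this
file are constructed for the example.
"""
import socket
import struct

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
#            flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
#            first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
#            src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes

# Constructed ifIndex -> ifName table (what IF-MIB::ifName would give).
IFINDEX_TO_NAME = {1: "GigabitEthernet0/0", 2: "GigabitEthernet0/1"}


def build_v5_datagram(records):
    """Build a v5 datagram from (src, dst, input_if, output_if, pkts, octets, proto) tuples."""
    body = b"".join(
        struct.pack(
            RECORD_FMT,
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            in_if, out_if, pkts, octets,
            0, 1000,          # first / last (sysuptime ms)
            0, 0,             # src / dst port
            0, 0, proto, 0,   # pad1, tcp_flags, prot, tos
            0, 0, 24, 24, 0,  # src_as, dst_as, src_mask, dst_mask, pad2
        )
        for src, dst, in_if, out_if, pkts, octets, proto in records
    )
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + body


def parse_v5(data):
    """Return a list of flow dicts; reject anything that is not a well-formed v5 datagram."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "src_addr": socket.inet_ntoa(f[0]),
            "dst_addr": socket.inet_ntoa(f[1]),
            "input_snmp": f[3],    # ifIndex only, no name
            "output_snmp": f[4],
            "packets": f[5],
            "bytes": f[6],
            "protocol": f[13],
        })
    return flows


def enrich(flows, ifmap):
    """Add input_ifname/output_ifname; unknown ifIndex values are labelled, not dropped."""
    enriched = []
    for flow in flows:
        e = dict(flow)
        for key in ("input_snmp", "output_snmp"):
            idx = e[key]
            e[key.replace("_snmp", "_ifname")] = ifmap.get(idx, f"ifIndex {idx} (unmapped)")
        enriched.append(e)
    return enriched


if __name__ == "__main__":
    datagram = build_v5_datagram([
        ("10.0.0.5", "192.0.2.9", 1, 2, 10, 1500, 6),
        ("10.0.0.6", "192.0.2.10", 7, 1, 3, 300, 17),
    ])
    for flow in enrich(parse_v5(datagram), IFINDEX_TO_NAME):
        print(flow["src_addr"], "->", flow["dst_addr"],
              "in:", flow["input_ifname"], "out:", flow["output_ifname"])
```

The same lookup can be done inside the Logstash pipeline with a translate filter keyed on `netflow.input_snmp` and `netflow.output_snmp`, but the mapping has to be maintained per exporter, since ifIndex values are only unique within one device and can change after a reload.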