Good morning all. I am very new to Elastic and am looking for resources/insight on ingesting NetFlow from firewall logs and help with analysis. We are ingesting a few million events per day and I'd like to get to a point where not only do I get insight on the NetFlow basics (top ports, destinations, direction, etc.) but also do advanced analysis like automating a search for beaconing.
Would anyone be willing to point me in the right direction?
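As an added illustration of the "automating a search for beaconing" part of the question (this is example code, not from the thread or from any Elastic/ElastiFlow product), the script below runs a simple regularity heuristic over NetFlow-style records: flows are grouped by source, destination and destination port, inter-arrival times are computed, and a group is flagged when it has many flows whose intervals are tightly clustered around one period. The record layout (`ts`, `src`, `dst`, `dport`, `bytes`), the sample flows, and the thresholds (`min_flows`, `max_jitter`) are all constructed assumptions for the demo; the same logic would be fed from an Elasticsearch aggregation or query over the real flow index, with thresholds tuned against a baseline of known-good traffic.

```python
"""Beaconing heuristic over NetFlow-style records (added example, not from the thread).

Assumes flows already parsed into dicts with keys: ts (epoch seconds), src, dst,
dport, bytes. Field names are assumptions; real ElastiFlow/ECS field names differ.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: one host contacting the same destination every ~60 s with
# a second or two of jitter, plus irregular web traffic from another host.
SAMPLE_FLOWS = (
    [{"ts": 1_700_000_000 + 60 * i + (i % 3) - 1, "src": "10.0.0.5",
      "dst": "203.0.113.7", "dport": 443, "bytes": 512} for i in range(20)]
    + [{"ts": 1_700_000_000 + t, "src": "10.0.0.9", "dst": "198.51.100.2",
        "dport": 443, "bytes": 4000}
       for t in (3, 17, 120, 121, 400, 905, 1300, 1310, 1800, 2600)]
)


def top_n(flows, key, n=5):
    """NetFlow basics: most common values of a field (e.g. dport or dst)."""
    return Counter(f[key] for f in flows).most_common(n)


def beacon_candidates(flows, min_flows=8, max_jitter=0.2):
    """Return (src, dst, dport) groups whose inter-arrival times are suspiciously regular.

    jitter = MAD(intervals) / median(intervals); a low jitter over many flows is
    beacon-like. Thresholds are assumptions to tune against your own baseline.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    results = []
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        period = median(intervals)
        if period <= 0:
            continue
        mad = median(abs(iv - period) for iv in intervals)   # robust spread
        jitter = mad / period
        if jitter <= max_jitter:
            results.append({"pair": pair, "flows": len(times),
                            "period_s": period, "jitter": round(jitter, 3)})
    return results


if __name__ == "__main__":
    print("top destinations:", top_n(SAMPLE_FLOWS, "dst"))
    print("top ports:", top_n(SAMPLE_FLOWS, "dport"))
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print("beacon candidate:", hit)
```

On the constructed sample only the 10.0.0.5 to 203.0.113.7:443 group is flagged (period about 61 s, jitter 0), while the irregular 10.0.0.9 traffic has a jitter near 0.8 and is ignored. In production the interesting tuning knobs are the minimum flow count (short windows produce false positives), a byte-size ceiling (beacons are usually small and uniform) and an allowlist for known periodic traffic such as NTP, update checks and monitoring agents.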
We use ElastiFlow (https://docs.elastiflow.com) for Netflow/IPFIX/sFlow data from our network. Their collector supports a lot more fields than other options and pulls more detail out of those fields. They also provide around 30 pre-built dashboards that can be easily imported into Kibana, and if you have a Platinum Elasticsearch subscription they have 100+ anomaly detection jobs for Elastic's ML engine. These detect things like network attacks and performance problems. There is a free version and a commercial version depending on your needs.
IMO ElastiFlow is so far ahead of any other solution for working with NetFlow data using Elasticsearch that it is the clear and obvious choice. It's better than most purpose-built NetFlow products as well.