New to Elastic - Netflow Data Analysis

Good morning all. I am very new to Elastic and am looking for resources/insight on ingesting netflow from firewall logs and help with analysis. We are ingesting a few million events per day and I'd like to get to a point where not only do I get insight on the Netflow basics (top ports, destination, direction, etc.) but also we are doing advanced analysis like automating a search for beaconing.

Would anyone be willing to point me in the right direction?
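One way to do the automated beaconing search described above, as an added Python example that is not code from this thread or from ElastiFlow (the CSV rows are constructed sample data, and the count and jitter thresholds are assumed starting values to tune against real traffic):

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import mean, pstdev

# Constructed sample flow export (CSV), not from the original thread:
# 10.0.0.5 talks to 203.0.113.7:443 roughly once a minute; 10.0.0.9 is irregular.
SAMPLE_CSV = """timestamp,src_ip,dst_ip,dst_port,bytes
2024-01-01T00:00:00,10.0.0.5,203.0.113.7,443,512
2024-01-01T00:01:00,10.0.0.5,203.0.113.7,443,520
2024-01-01T00:02:01,10.0.0.5,203.0.113.7,443,515
2024-01-01T00:02:59,10.0.0.5,203.0.113.7,443,510
2024-01-01T00:04:00,10.0.0.5,203.0.113.7,443,512
2024-01-01T00:05:01,10.0.0.5,203.0.113.7,443,518
2024-01-01T00:06:00,10.0.0.5,203.0.113.7,443,512
2024-01-01T00:00:00,10.0.0.9,198.51.100.3,80,4096
2024-01-01T00:00:03,10.0.0.9,198.51.100.3,80,70000
2024-01-01T00:00:50,10.0.0.9,198.51.100.3,80,1200
2024-01-01T00:02:00,10.0.0.9,198.51.100.3,80,900
2024-01-01T00:02:02,10.0.0.9,198.51.100.3,80,300
2024-01-01T00:05:00,10.0.0.9,198.51.100.3,80,3300
2024-01-01T00:06:30,10.0.0.9,198.51.100.3,80,150
"""

def parse_flows(text):
    """Parse a CSV flow export into (timestamp, src, dst, dst_port, bytes) tuples."""
    return [(datetime.fromisoformat(r["timestamp"]), r["src_ip"], r["dst_ip"],
             int(r["dst_port"]), int(r["bytes"])) for r in csv.DictReader(StringIO(text))]

def find_beacons(flows, min_count=6, max_cv=0.1):
    """Flag (src, dst, port) tuples whose inter-flow gaps are unusually regular.
    cv = stddev / mean of the gaps: near 0 means a fixed timer, near 1 means bursty/human."""
    by_tuple = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_tuple[(src, dst, port)].append(ts)
    hits = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:      # too few flows to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:                     # burst of identical timestamps, not a timer
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"count": len(stamps), "mean_interval_s": round(avg, 1), "cv": round(cv, 3)}
    return hits
```

The same per-tuple grouping is what you would schedule over the indexed flows; expect legitimate timers (NTP, update checks, monitoring agents) to show up too, so an allowlist of known periodic destinations is the usual next step.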

We use ElastiFlow for Netflow/IPFIX/sFlow data from our network. Their collector supports a lot more fields than other options and pulls more detail out of those fields. They also provide around 30 pre-built dashboards that can be easily imported into Kibana, and if you have a Platinum Elasticsearch subscription they have 100+ anomaly detection jobs for Elastic's ML engine. These detect things like network attacks and performance problems. There is a free version and a commercial version depending on your needs.

The hardest part of setting up ElastiFlow is first setting up the Elastic Stack, and they provide a tutorial for that as well:

IMO ElastiFlow is so far ahead of any other solution for working with netflow data using Elasticsearch that it is the clear and obvious choice. It's better than most purpose-built netflow products as well.
