Newbie qn: ingesting netflow

hjazz6 · September 1, 2021, 7:19am

Hi all,

I'm a newbie in ELK, and would like to send Netflow data to ElasticSearch via Filebeat (both on the same server). I'm starting to read all the documentation and configuration guides, but I'm a bit confused about the Filebeat configuration.

It seems like there are 2 ways to configure Netflow input: manually using filebeat.inputs in filebeat.yml, or using the Netflow module. Am I right to say if I choose to use the filebeat module, I don't have to modify the filebeat.yml file other than the ES and Kibana portion (setting the host to 0.0.0.0)? I'll just need to modify netflow.yml (also setting the host to 0.0.0.0) and enable it?

My netflow (ipfix) will also include an app_id field that was added by the vendor. Will the netflow module be able to handle it?

Thank you.

Marius_Iversen · September 1, 2021, 9:38am

That's correct @hjazz6 , when using a module, the steps should be quite similar for any module:

run filebeat modules enable MODULENAME, in this case netflow.
Configure the output.elasticsearch and the setup.kibana parameters in filebeat.yml.
Configure the relevant module settings in ./modules.d/modulename.yml
Run filebeat setup
Either start the filebeat service, or if you just want to test it, you can run it in the foreground with filebeat -e, so you can see the logs directly in your CLI.

system · September 29, 2021, 11:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.