Hi. I am sending NetFlow data to my server via Filebeat and the indices are successfully created; it is implemented in SIEM too. But there is a lot of information which is unavailable, like geolocation, protocol names, PAM (port application mapping), etc. So now I am thinking of sending the logs to Filebeat; from Filebeat I will configure the output to Logstash, and from there to Elasticsearch.
This is the typical layout which I am planning:
NetFlow logs ------> Filebeat -------> Logstash -------> Elasticsearch.
If I create an index using this mechanism, will I be able to use the SIEM feature, or won't I be able to implement it? Previously, using the Logstash output, I wasn't able to use the SIEM feature as it didn't support it.
Hi,
With Filebeat you should at least have geolocation when using Netflow.
Are you sure you're using the netflow module and not just the netflow input? The module will enrich the netflow data with geolocation.
For the other enrichments (protocol names and PAM), do you know if this data comes from NetFlow, or is it some enrichment that was previously performed in Logstash?
Can you share a current JSON document from Filebeat's NetFlow module and a capture of the NetFlow traffic (pcap) that arrives at Filebeat for diagnosis?
Also, which device is generating the netflow? Is it a particular brand/model of network device?
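As an added example (not from this thread), a Logstash pipeline for the planned NetFlow -> Filebeat -> Logstash -> Elasticsearch layout, assuming the netflow module (not the bare netflow input) is enabled in Filebeat with `output.logstash` pointing at port 5044, and Elasticsearch on localhost:9200:

```conf
# Logstash pipeline: receive events from Filebeat and forward them to Elasticsearch
# while preserving what the Filebeat -> Elasticsearch path would have done.
input {
  beats {
    port => 5044   # assumed port; must match output.logstash.hosts in filebeat.yml
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed Elasticsearch address
    # Keep the Beats index naming (filebeat-<version>-...) so the SIEM app's
    # default filebeat-* index pattern still matches the NetFlow data.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    # Run the Filebeat module's ingest pipeline in Elasticsearch; this is where the
    # netflow module adds its geoip enrichment. Without this line the events bypass
    # the pipeline and arrive without geolocation, as if only the input were used.
    pipeline => "%{[@metadata][pipeline]}"
    # The index template is loaded by `filebeat setup`, not by Logstash.
    manage_template => false
  }
}
```

The module's index template and ingest pipelines still have to be loaded into Elasticsearch once, e.g. `filebeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200']`, since Filebeat cannot load them through the Logstash output.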