Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack

kkrautwald/elastiflow

ElastiFlow™

BREAKING NEWS! We have released the first beta of the next generation of ElastiFlow™ which introduces the new ElastiFlow Unified Flow Collector for Netflow, IPFIX and sFlow.

Enhancements in the all-new collector include:

* Proper management of templates from different devices - NO MORE template conflicts!

* Improved Scalability - Over 10x more flows/sec than Logstash, over 3x more than Filebeat!

* Support for Option Templates - Dynamic enrichment of network interface name and application names and more!

* Telemetry Support - sFlow Counter Samples and other metrics from Cisco, Calix and more!

* Gracefully handles “unknown” Fields - No more dropped flows when a single unsupported field is encountered.

* Fully decodes and translates all available data - DSCP, TCP Options, ECN, Fragmentation Flags, and more.

You can sign up for access to the beta... HERE

A Docker container with the new collector is available... HERE

The repository with the new dashboards is available... HERE

You can also join the ElastiFlow community Slack... HERE

When you sign up, we will notify you with additional information and links to the setup instructions. We also want to be able to reach out to you and get your feedback.

ElastiFlow™ provides network flow data collection and visualization using the Elastic Stack (Elasticsearch, Logstash and Kibana). It supports Netflow v5/v9, sFlow and IPFIX flow types (1.x versions support only Netflow v5/v9).

I was inspired to create ElastiFlow™ following the overwhelmingly positive feedback received to an article I posted on LinkedIn... WTFlow?! Are you really still paying for commercial solutions to collect and analyze network flow data?

SUPPORTING ElastiFlow™

Today literally tens of thousands of users leverage ElastiFlow™ as a powerful alternative to expensive commercial flow collecting solutions. As its popularity has increased, so has the time commitment necessary to support users and provide further enhancements. If you are one of the organizations that appreciate the value of ElastiFlow™, I would like to ask you to consider becoming a sponsor. The support from sponsors allows me to dedicate more time and energy to the project. To become a sponsor, please visit ElastiFlow™ on Patreon.

A special thanks to...

VyoPath - www.vyopath.com

VyoPath is the trusted advisor to business leaders seeking innovative, creative and strategic solutions to help them plan for and navigate the challenges of the ever changing digital landscape. Speak to VyoPath for ElastiFlow-as-a-Service.

VyoPath, Inc.
9689 Avalon Drive
Frisco, Texas 75035

Phone: +1 469 850 2419
Email: [email protected]

Dynamite Analytics - dynamite.ai

Dynamite-NSM is the open-source network security monitor developed by Dynamite Analytics. It provides network and cybersecurity operators with holistic insights into their networks while giving them the ability to deep-dive into lower-level activities. Dynamite-NSM builds upon the ELK stack (Elasticsearch, Logstash, Kibana) and is coupled with the fine-tuned Zeek sensor (a.k.a. Bro), flow data inputs (powered by ElastiFlow), and Suricata IDS security alerts. The solution now includes the Dynamite Lab component, made up of the Python API for easy data access and the integrated JupyterHub data science environment.

Dynamite Analytics
7742 Spalding Drive #359
Norcross, GA 30092
USA

User Testimonials

| Organization | Feedback |
| --- | --- |
| Uber | "ElastiFlow has significantly reduced our network flow monitoring costs. The flexibility and extensibility inherent to ElastiFlow was essential for an easy integration with our infrastructure monitoring suite." |
| ESnet | "Right now this is my personal favorite analytics tool. I use it extensively and am always finding a new way to leverage it." |
| Payback | "We're using it since two months in our new datacenter and our network admins are very happy and impressed." |
| Catapult Systems | "Of all the netflow tools I’ve tested it has, by far, the best visualizations." |
| Imagine Software | "We absolutely love ElastiFlow and recently stood it up in production. Looking forward to new functionality and dashboards." |

Getting Started

NOTE - Please refer to INSTALL.md for installation instructions.

ElastiFlow™ is built using the Elastic Stack, including Elasticsearch, Logstash and Kibana. Please refer to INSTALL.md for instructions on how to install and configure ElastiFlow™.

If you are new to the Elastic Stack, this video goes beyond a simple default installation of Elasticsearch and Kibana. It discusses real-world best practices for hardware sizing and configuration, providing production-level performance and reliability.

Additionally, local SSD storage should be considered mandatory! For an in-depth look at how different storage options compare, and in particular how bad HDD-based storage is for Elasticsearch (even in multi-drive RAID0 configurations), you should watch this video...

NOTE: Please make sure that you have reviewed KNOWN_ISSUES.md prior to getting started.

Kibana App Compatibility

SIEM

SIEM: Hosts

SIEM: Network Map

SIEM: Network Statistics

Logs

Provided Dashboards

The following dashboards are provided.

NOTE: The dashboards are optimized for a monitor resolution of 1920x1080.

Overview

Top-N

There are separate Top-N dashboards for Top Talkers, Services, Conversations and Applications.

Top Talkers

Top Services

Top Conversations

Top Applications

Threats

ElastiFlow™ includes a dictionary of public IP addresses that are known to have a poor reputation. This dictionary is built from many OSINT data sources, normalized to a common taxonomy. The Threats dashboard uses this IP reputation information to highlight three threat/risk types.

  1. Public Threats - Public clients with a poor IP reputation that are reaching private addresses.
  2. At-Risk Servers - Private servers that are being reached by clients with a poor IP reputation.
  3. High-Risk Clients - Private clients that are accessing public servers which have a poor reputation.
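
The three categories above can be expressed as a classification over flow records. The following is an added example, not ElastiFlow's own code: the reputation entries, the flow field names and the RFC 1918/unique-local definition of "private" are assumptions, and all sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: "private" means RFC 1918 (IPv4) or unique-local (IPv6) space.
# ipaddress.is_private is avoided because it also flags documentation ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed reputation dictionary; documentation-range addresses stand in
# for public IPs. Tags are illustrative, not ElastiFlow's taxonomy.
REPUTATION = {"203.0.113.50": ["scanner"], "198.51.100.7": ["c2"]}

# Constructed flow records; the field names are hypothetical.
SAMPLE_FLOWS = [
    {"client": "203.0.113.50", "server": "10.1.1.20", "bytes": 4200},
    {"client": "192.168.5.14", "server": "198.51.100.7", "bytes": 900},
    {"client": "10.1.1.33", "server": "10.1.1.20", "bytes": 15000},
    {"client": "192.168.5.14", "server": "192.0.2.80", "bytes": 3100},
    {"client": "203.0.113.50", "server": "10.1.1.21", "bytes": 60},
]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)

def classify(flow, reputation=REPUTATION):
    """Return (label, highlighted IP) pairs for one flow record."""
    client, server = flow["client"], flow["server"]
    hits = []
    # A listed public client reaching a private address yields two views of
    # the same flow: the offending client and the server it reached.
    if client in reputation and not is_private(client) and is_private(server):
        hits.append(("public_threat", client))
        hits.append(("at_risk_server", server))
    # A private client reaching a listed public server.
    if is_private(client) and server in reputation and not is_private(server):
        hits.append(("high_risk_client", client))
    return hits

def summarize(flows):
    """Group highlighted IPs by threat type, summing bytes per IP."""
    out = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        for label, ip in classify(flow):
            out[label][ip] += flow["bytes"]
    return {label: dict(ips) for label, ips in out.items()}

if __name__ == "__main__":
    for label, ips in summarize(SAMPLE_FLOWS).items():
        print(label, ips)
```

Reputation entries that fall inside private space are ignored by both rules, so a feed that mistakenly lists an internal address does not flag internal-only traffic.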

Flows

There are separate Sankey dashboards for Client/Server, Source/Destination and Autonomous System perspectives. The Sankey visualizations are built using the new Vega visualization plugin.

Client/Server Flows

Source/Destination Flows

Autonomous System Flows

Geo IP

There are separate Geo Location dashboards for Client/Server and Source/Destination perspectives.

Client/Server Geo IP

Source/Destination Geo IP

AS Traffic

Provides a view of traffic to and from Autonomous Systems (public IP ranges).

Flow Exporters

Traffic Details

Provides a more detailed breakdown of various network traffic characteristics.

Traffic Types

Traffic Attributes

Traffic Locality

Flow Records

Client/Server

Source/Destination

Ziften ZFlow

ElastiFlow™ v3.4.0 added support for IPFIX records from Ziften's ZFlow agent. In addition to being fully integrated with the standard dashboards, a stand-alone ZFlow dashboard displays network traffic based on user and command data provided by ZFlow.

Attribution

This product includes GeoLite2 data created by MaxMind, available from (http://www.maxmind.com)
