Pre-build image can be found here: https://hub.docker.com/r/hsrnetwork/docker-logstash-netflow
This Docker image can be used to collect Netflow data using Logstash. In the default configuration of this image, you will be able to store Netflow entries in JSON files. Additionally it prints the received flows to STDOUT (needs to be enabled first). Further Netflow processing logic can be easily configured inside the logstash.conf configuration.
Pull the image directly from hsrnetwork/docker-logstash-netflow using the desired version or simply use the latest tag.
- Create a data directory which will be mounted to the Docker container and will be used to store the Netflow data dump file. By default this image uses the host directory
/opt/netflow-datawhich will be mounted at/datainside the container. - Change the
logstash.confconfiguration file according to your needs.
To start the conainer use:
docker run -it \
-e "TZ=Europe/Zurich" \
-p 9995:9995/udp \
-v /opt/netflow-data:/data \
-v `pwd`/logstash.conf:/srv/logstash.conf \
hsrnetwork/docker-logstash-netflow:latestYou can customize the collection of netflow data by using Netflow Codec Configuraiton Options.
This Docker image runs logstash -f /srv/logstash.conf by default. Override this CMD if you are using another logstash configuration file/path or would like to add some additional logstash command parameters.
Since there is no default value for the netflow_definitions provided by the Netflow codec plugin, I added a default netflow_definitions configuration file inside this Docker image (from logstash-plugins/logstash-codec-netflow). To change this configuration simply "override" the definition by mounting a Docker volume at the same destination path. To achive this, use -v /your/path/your_netflow.yaml:/srv/netflow.yaml.
This Docker Hub build is improved by always using the latest tag from the official docker.elastic.co Docker registry. See the following links to get more information: