Flowbeat collects Netflow V9 data generated by network devices and writes the data to Elasticsearch.
You configure your router to send flow data over UDP to Flowbeat which listens on port 2055. It will translate the data to a JSON event and output it. The full list of supported outputs is Elasticsearch, Logstash, Kafka, Redis, file, or stdout.
This project is very much a work in progress.
The config is contained in flowbeat.yml. Use -c <filename> to point Flowbeat
at a different config file.
To use the geoip and ASN processors you need to download the GeoLite2 City and ASN databases from MaxMind: https://dev.maxmind.com/geoip/geoip2/geolite2/
flowbeat:
# UDP address to listen on for Netflow packets.
#netflow.address: ':2055'
# Size of the socket read buffer.
#netflow.read_buffer: 65536
processors:
# DNS reverse lookup on IPs in flow event.
- dns:
type: reverse
fields:
source.ip: source.hostname
destination.ip: destination.hostname
device.ip: device.hostname
- geoip:
fields:
source.ip: source.geo
destination.ip: destination.geo
database: GeoLite2-City.mmdb
- asn:
fields:
source.ip: source.as
destination.ip: destination.as
database: GeoLite2-ASN.mmdb
output.elasticsearch:
hosts: ["localhost:9200"]
# Download it.
go get -d -u github.com/andrewkroh/flowbeat
# Build it.
cd $GOPATH/src/github.com/andrewkroh/flowbeat
# Run it.
./flowbeat -e -c flowbeat.yml -d "*"