Setup logstash to receive netflow from a pfsense server


Rich Houston

Oct 20, 2018, 4:06:51 AM
to security-onion
Hi all, first time poster and lover of SO!

Sorry if this has been asked and answered, but I can't seem to find an answer.

I have a few pfSense servers whose netflow data I would like to track on my SO server.
I have setup the logstash.yml with:

modules:
  - name: netflow
    var.input.udp.port: 5001

but I'm not sure how to enable/set up the module. Also, how do I set up and access the data from within Kibana?

Is this all doable?

Any help would be appreciated. Thanks in advance!

Rich

Wes Lambert

Oct 21, 2018, 7:28:14 AM
to securit...@googlegroups.com
Hi Rich,

I'm not sure the Netflow module is available in our current version of Logstash.  You could try installing it, or seeing if the netflow codec (included with our version of Logstash) does enough of what you need:


You could also try using Elastiflow:


Have you also considered sending syslog from pfSense?  This is something we already support.

Thanks,
Wes

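As an added example that is not from this thread or from the Security Onion project: a Logstash pipeline using the netflow codec Wes mentions, listening on the UDP port from Rich's logstash.yml. It assumes pfSense is exporting NetFlow (for example via the softflowd package) to that port and that Elasticsearch is reachable at 127.0.0.1:9200; the tag, the copied field names and the index name are my own choices.

```logstash
input {
  udp {
    port  => 5001
    # The codec decodes NetFlow v5/v9 records into [netflow][...] fields.
    codec => netflow
    # Tag so the filter and output below only touch flow events, not syslog.
    tags  => ["pfsense-netflow"]
    # The port is unauthenticated UDP: allow only the pfSense exporter
    # addresses to reach it on the host firewall.
  }
}

filter {
  if "pfsense-netflow" in [tags] {
    # Copy the key flow fields to flat names so Kibana searches and
    # visualisations (top talkers, bytes per destination port) stay simple.
    mutate {
      add_field => {
        "source_ip"        => "%{[netflow][ipv4_src_addr]}"
        "destination_ip"   => "%{[netflow][ipv4_dst_addr]}"
        "source_port"      => "%{[netflow][l4_src_port]}"
        "destination_port" => "%{[netflow][l4_dst_port]}"
        "protocol"         => "%{[netflow][protocol]}"
        "bytes"            => "%{[netflow][in_bytes]}"
        "packets"          => "%{[netflow][in_pkts]}"
      }
    }
    # Sprintf copies are strings; convert so sums and ranges work in Kibana.
    mutate {
      convert => {
        "source_port"      => "integer"
        "destination_port" => "integer"
        "bytes"            => "integer"
        "packets"          => "integer"
      }
    }
  }
}

output {
  if "pfsense-netflow" in [tags] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      # Separate daily index so flow data does not mix with the syslog index
      # and can get its own Kibana index pattern (netflow-*).
      index => "netflow-%{+YYYY.MM.dd}"
    }
  }
}
```

After the first flows arrive, create a Kibana index pattern matching netflow-* and the copied fields appear as searchable, numeric fields.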

Rich Houston

Oct 21, 2018, 1:12:25 PM
to security-onion
On Sunday, October 21, 2018 at 6:28:14 AM UTC-5, Wes wrote:
> Hi Rich,
>

Hi Wes, thanks for the input...

>
> I'm not sure the Netflow module is available in our current version of Logstash.  You could try installing it, or seeing if the netflow codec (included with our version of Logstash) does enough of what you need:
>
>
> https://www.elastic.co/guide/en/logstash/current/netflow-module.html
>
> https://www.elastic.co/guide/en/logstash/5.5/plugins-codecs-netflow.html
>
> https://discuss.elastic.co/t/logstash-netflow-codec-vs-module/127290
>
>
>
> You could also try using Elastiflow:
>
>
> https://github.com/robcowart/elastiflow

Oh yeah, that will totally work. Thanks for that. Can it be implemented in SO without breaking anything? So... forgive my ignorance on this, but with the docker containers, where and how would I run the configuration that the link provides?

>
>
>
> Have you also considered sending syslog from pfSense?  This is something we already support.

Yup, doing that already. Works great and led me to the flow question.

I'm trying to have flow data available to hunt down unusual network traffic and for network capacity planning and tracking.

Thanks to everyone who works on SO and answer questions. Mad props to you all.

Wes Lambert

Oct 24, 2018, 8:20:14 AM
to securit...@googlegroups.com
> Oh yeah, that will totally work. Thanks for that. Can it be implemented in SO without breaking anything? So... forgive my ignorance on this, but with the docker containers, where and how would I run the configuration that the link provides?

You can certainly try it, however we don't officially support it.  There is an example here:


Thanks,
Wes

Rich Houston

Oct 27, 2018, 5:22:06 PM
to securit...@googlegroups.com
May I humbly request that netflow be added to a future version of SO... In my opinion this would bring another great feature to an already fantastic product.

Wes Lambert

Oct 28, 2018, 8:05:51 AM
to securit...@googlegroups.com
Hi Rich,

We are tracking this via an open issue here:


Thanks!
Wes