SlideShare a Scribd company logo

DIY Netflow Data Analytic with ELK Stack by CL Lee

MyNOG, profile picture
MyNOG

This document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze netflow data. It describes IP ServerOne's infrastructure managing over 5000 servers across multiple data centers. Netflow data is collected and sent to Logstash for processing, then stored in Elasticsearch for querying and visualization in Kibana. Examples are given of how the data can be used, such as identifying top talkers, traffic profiling by ASN, and troubleshooting with IP conversation history. The ELK stack is concluded to be a powerful yet not difficult tool for analyzing netflow traffic.

Education
1 of 37
Downloaded 133 times
1
2
3
4
5
6
Most read
7
8
9
Most read
10
11
Most read
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
NetFlow Data Analytics with ELK Stack
•  Founded in 2003 •  Over 60 employees •  Managing over 5000 physical servers •  Total 250 racks at 5 data centers across MY, SG and HK •  Contributing 10% of Malaysia’s domestic traffic •  Approximately 6.8 Gbit/s total traffic sending to the Internet at peak •  Up to 1.2TB DDoS mitigation capacity About IP ServerOne
Why do we need to use NetFlow?
Who contributed to this spike? Most companies have their MRTG configured But MRTG cannot tell you which IP is receiving a spike traffic (such as the above graph)
You probably may need to know where the majority of your traffic comes from, right? Who uses the most bandwidth here?
A NetFlow graph would be able to breakdown the usage for your outbound / inbound traffic
MRTG GRAPH NETFLOW GRAPH Replacing your MRTG with a NetFlow graph
Why do we choose ElasticSearch, Logstash, And Kibana (ELK)?
•  Before I get to know ELK stack, I was using MySQL to store all the NetFlow information. •  I wrote a PHP application that converts NetFlow information into a MySQL statement. •  That was too slow on the conversion performance and the data retrieval was a complete nightmare. •  There is no function / feature to get traffic statistic in the histogram form. Why ELK? It’s just too difficult to run this in MySQL
•  Speed is the primary reason that I have chosen ELK •  It has a lot of codec, which I can just plug and play •  COST; it runs on commodity hardware and it works just fine with Nearline SAS Hard drives •  Open Source •  Support Clustering •  It has SQL like syntax, so data searching is much more easier •  It has a very high performance; we had a working environment of 100Kflows per second Why ELK?
Alternative to ELK •  We did consider to use InfluxDB The OpenSource edition doesn’t support clustering. •  OpenTSDB The setup is very time-consuming. •  MongoDB. This is a great DB; however, we still prefer to use ElasticSearch.
How to record the NetFlow Data?
The NetFlow is being collected with the following setup NetFlow Source Logstash Elas6cSearch Elas6cSearch API + Custom App
Adding BGP table information into the ElasticSearch NetFlow Source Elas6cSearch BGP routing table entry for 103.3.174.0/24, version 737937 Paths: (34 available, best #21, table default) Not advertised to any peer Refresh Epoch 1 3356 3491 45352 4.69.184.193 from 4.69.184.193 (4.69.184.193) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:666 3356:2012 3491:400 3491:413 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 3549 3356 2914 45352 208.51.134.254 from 208.51.134.254 (67.16.168.191) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:3 3356:86 3356:575 3356:666 3356:2011 3356:11940 3549:2581 3549:30840 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 20912 1267 45352 212.66.96.126 from 212.66.96.126 (212.66.96.126) Origin incomplete, localpref 100, valid, external Community: 1267:167 1267:200 20912:65001 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 route-views> BGP Rou6ng Table PHP + Golang Logstash ExaBGP
We use NetFlow v9 in our projects Here is the field that we keep
The hardware specification used for keeping our NetFlow The software used to run our NetFlow CentOS 7 64bit Operating System Java Hardware vs Software 1 x Intel Xeon 8 cores 2.1Ghz Processor 32GB RAM 4 x 2TB HDD 1 x Gigabit Network Card ElasticSearch, Logstash PHP MySQL
How to put up the software? CentOS Installation You can follow the way you do normally; but please remember to keep most of the free space into /var.
ElasticSearch Installation ElasticSearch is a search engine based on Lucene. It provides a distributed architecture, support multi-tenancy and full-text search engine with an HTTP web interface.
Start ElasticSearch [root@elk-stack ~]# systemctl daemon-reload [root@elk-stack ~]# systemctl start elasticsearch [root@elk-stack ~]# systemctl enable elasticsearch [root@elk-stack ~]# curl -XGET ‘http://localhost:9200/_cat/indices?v’ health status index uuid pri rep docs.count docs.deleted store.size pri.store.size yellow open stat-20180603 byH89tWFQSS_R9kS_QPGPw 5 1 54822544 0 6.9gb 6.9gb yellow open stat-20180616 qZYSua4CQDa18GGMc8uiHQ 5 1 51830338 0 6.6gb 6.6gb yellow open stat-20180604 PYdGUxX7SZ2aaFRV-ng4NQ 5 1 57828976 0 7.3gb 7.3gb yellow open stat-20180630 FwrBuf6FQ-6SlyZhknATLQ 5 1 50014372 0 6.4gb 6.4gb yellow open stat-20180618 _Nloca3jROCQ2vChWmDoGw 5 1 54976264 0 7gb 7gb yellow open stat-20180526 ObGvcFbfTDuuk_MtZNlCQA 5 1 51836183 0 6.6gb 6.6gb yellow open stat-20180615 t_CxQoauRUiVRTaJRPz2eQ 5 1 55490519 0 7gb 7gb To check what are the indexes available in the ElasticSearch:
Logstash Installation Logstash is one of the softwares inside the ELK stack. The main objective for this software is to convert NetFlow data into ElasticSearch acceptable format.
Configure Logstash to decode NetFlow LS_HOME/bin/logstash-plugin install logstash-codec-sflow LS_HOME/bin/logstash-plugin update logstash-codec-netflow LS_HOME/bin/logstash-plugin update logstash-input-udp LS_HOME/bin/logstash-plugin update logstash-filter-dns input { udp { port => 2055 codec => netflow } } output { elasticsearch { protocol => "http" host => "127.0.0.1" } stdout { codec => rubydebug } } Create a netflow.conf /etc/logstash/
Kibana Installation Kibana is one of the GUI tools that helps retrieve data from ElasticSearch. It can also come with the graphing capability to manipulate the Doc in ElasticSearch to be something more meaningful to system engineers.
Kibana Configuration vi /etc/kibana/kibana.yml Kibana does not listen to any IP besides 127.0.0.1; you will need to update the configuration file to make the Kibana accessible from outside the host.
A quick look on the data stored in ElasticSearch If the data is successfully collected by Logstash, this is what will be shown in Kibana:
How to query ElasticSearch for top 10 IP talkers?
ElasticSearch has it’s own Query Language called Query DSL Here is a sample query command for the IP range 103.64.13.0/24 at the specific time period. (formatted in epoch milliseconds)
Kibana is easy to use… However, it’s still complicated for my NOC team We make use of ElasticSearch Client API for PHP, to make a query interface so that they can do the job quicker and simplify the learning curve.
To integrate with PHP, we use Elasticsearch-PHP It works quite well with our PHP environment
A Query screen for the NOC engineer Here is the result of what we have developed, which makes our engineers’ life easier
Samples on how we use the NetFlow Data
Outgoing traffic by ASN and it’s AS-PATH This allows us to know which ASN the traffic flows; and helps us optimize the planning and traffic engineering according to AS Number.
Incoming traffic by Source ASN This is also helpful when it comes to traffic engineering
Identify customer traffic profile Identify the estimated bandwidth cost for each customer. See if the customer traffic utilization is more towards international or local bandwidth.
IP Conversation History It’s something really useful for troubleshooting a network related issue, such as spamming activity, NTP attack within the network, and ability to identify the compromised host quickly.
Conclusion ElasticSearch, Logstash and Kibana is a powerful tool to keep and analyze the NetFlow traffic. In addition, it’s not too difficult to deploy and run.
ANY QUESTIONS?
ThanksOUR INFRASTRUCTURE; YOUR GROWTH E-mail: cllee@ip.my Mobile: +6 012-331 9286 03 2026 1688 www.ipserverone.com ISO Certificate No: IS 651738

More Related Content

PPTX
BGP and Traffic Engineering with Akamai
Internet Society
 
PPTX
Tutorial: Using GoBGP as an IXP connecting router
Shu Sugimoto
 
PDF
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
PDF
Network visibility and control using industry standard sFlow telemetry
pphaal
 
PPTX
Cisco ASA Firewalls
Bryley Systems Inc.
 
PDF
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Thomas Graf
 
PPTX
Border Gatway Protocol
Shashank Asthana
 
PDF
netfilter and iptables
Kernel TLV
 
BGP and Traffic Engineering with Akamai
Internet Society
 
Tutorial: Using GoBGP as an IXP connecting router
Shu Sugimoto
 
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
Network visibility and control using industry standard sFlow telemetry
pphaal
 
Cisco ASA Firewalls
Bryley Systems Inc.
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Thomas Graf
 
Border Gatway Protocol
Shashank Asthana
 
netfilter and iptables
Kernel TLV
 

What's hot (20)

PDF
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf
 
PDF
P4, EPBF, and Linux TC Offload
Open-NFP
 
PDF
VLAN vs VXLAN
GLC Networks
 
PDF
Linux Linux Traffic Control
SUSE Labs Taipei
 
PDF
Building DataCenter networks with VXLAN BGP-EVPN
Cisco Canada
 
PPTX
OpenvSwitch Deep Dive
rajdeep
 
PDF
Kubernetes Networking with Cilium - Deep Dive
Michal Rostecki
 
PDF
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Jérôme Petazzoni
 
PDF
BGP Techniques for Network Operators
APNIC
 
PPTX
Cisco ASA Firewall Presentation - ZABTech center Hyderabad
MehtabRohela
 
PDF
TRex Traffic Generator - Hanoch Haim
harryvanhaaren
 
PPT
OpenFlow tutorial
openflow
 
PDF
Cisco Live Brksec 3032 - NGFW Clustering
ib_cims
 
PDF
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
PDF
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
PDF
How Netflix Tunes EC2 Instances for Performance
Brendan Gregg
 
PPTX
PostgreSQL and Linux Containers
Jignesh Shah
 
PPTX
Failover cluster
Chinmoy Jena
 
PDF
BIRD Routing Daemon
APNIC
 
PDF
Kubernetes Networking
CJ Cullen
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf
 
P4, EPBF, and Linux TC Offload
Open-NFP
 
VLAN vs VXLAN
GLC Networks
 
Linux Linux Traffic Control
SUSE Labs Taipei
 
Building DataCenter networks with VXLAN BGP-EVPN
Cisco Canada
 
OpenvSwitch Deep Dive
rajdeep
 
Kubernetes Networking with Cilium - Deep Dive
Michal Rostecki
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Jérôme Petazzoni
 
BGP Techniques for Network Operators
APNIC
 
Cisco ASA Firewall Presentation - ZABTech center Hyderabad
MehtabRohela
 
TRex Traffic Generator - Hanoch Haim
harryvanhaaren
 
OpenFlow tutorial
openflow
 
Cisco Live Brksec 3032 - NGFW Clustering
ib_cims
 
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
How Netflix Tunes EC2 Instances for Performance
Brendan Gregg
 
PostgreSQL and Linux Containers
Jignesh Shah
 
Failover cluster
Chinmoy Jena
 
BIRD Routing Daemon
APNIC
 
Kubernetes Networking
CJ Cullen
 
Ad

Similar to DIY Netflow Data Analytic with ELK Stack by CL Lee (20)

PDF
ELK stack introduction
abenyeung1
 
PDF
Log analysis with the elk stack
Vikrant Chauhan
 
PPTX
ELK Ruminating on Logs (Zendcon 2016)
Mathew Beane
 
PPTX
Elastic Stack Introduction
Vikram Shinde
 
PPTX
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
PPTX
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
PPTX
Elk ruminating on logs
Mathew Beane
 
PPTX
ELK Solutions Enablement Session - 17th March'2020
Ashnikbiz
 
PPTX
Centralized log-management-with-elastic-stack
Rich Lee
 
PPTX
Attack monitoring using ElasticSearch Logstash and Kibana
Prajal Kulkarni
 
PPTX
Elastic stack Presentation
Amr Alaa Yassen
 
PDF
Logs aggregation and analysis
Divante
 
PDF
Null Bachaav - May 07 Attack Monitoring workshop.
Prajal Kulkarni
 
PPTX
Analise NetFlow in Real Time
Piotr Perzyna
 
PPTX
The Elastic Stack as a SIEM
John Hubbard
 
PDF
2015 03-16-elk at-bsides
Jeremy Cohoe
 
PPTX
Elasticsearch features and ecosystem
Pavel Alexeev
 
PPT
How ElasticSearch lives in my DevOps life
琛琳 饶
 
PDF
[131] packetbeat과 elasticsearch
NAVER D2
 
PDF
What's new in Elasticsearch v5
Idan Tohami
 
ELK stack introduction
abenyeung1
 
Log analysis with the elk stack
Vikrant Chauhan
 
ELK Ruminating on Logs (Zendcon 2016)
Mathew Beane
 
Elastic Stack Introduction
Vikram Shinde
 
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Elk ruminating on logs
Mathew Beane
 
ELK Solutions Enablement Session - 17th March'2020
Ashnikbiz
 
Centralized log-management-with-elastic-stack
Rich Lee
 
Attack monitoring using ElasticSearch Logstash and Kibana
Prajal Kulkarni
 
Elastic stack Presentation
Amr Alaa Yassen
 
Logs aggregation and analysis
Divante
 
Null Bachaav - May 07 Attack Monitoring workshop.
Prajal Kulkarni
 
Analise NetFlow in Real Time
Piotr Perzyna
 
The Elastic Stack as a SIEM
John Hubbard
 
2015 03-16-elk at-bsides
Jeremy Cohoe
 
Elasticsearch features and ecosystem
Pavel Alexeev
 
How ElasticSearch lives in my DevOps life
琛琳 饶
 
[131] packetbeat과 elasticsearch
NAVER D2
 
What's new in Elasticsearch v5
Idan Tohami
 
Ad

More from MyNOG (20)

PDF
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
MyNOG
 
PDF
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
MyNOG
 
PDF
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
MyNOG
 
PDF
Building a Connected Future: The Power of Interconnection
MyNOG
 
PDF
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
MyNOG
 
PDF
Strategies for Seamless Recovery in a Dynamic Data Landscape
MyNOG
 
PDF
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
MyNOG
 
PDF
Peering Personal MyNOG-10
MyNOG
 
PDF
Embedded CDNs in 2023
MyNOG
 
PDF
Edge virtualisation for Carrier Networks
MyNOG
 
PDF
Equinix: New Markets, New Frontiers
MyNOG
 
PDF
Securing the Onion: 5G Cloud Native Infrastructure
MyNOG
 
PDF
Hierarchical Network Controller
MyNOG
 
PDF
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
MyNOG
 
PDF
Cleaning up your RPKI invalids
MyNOG
 
PDF
Introducing Peering LAN 2.0 at DE-CIX
MyNOG
 
PDF
Load balancing and Service in Kubernetes
MyNOG
 
PDF
Cloud SDN: BGP Peering and RPKI
MyNOG
 
PDF
SDM – A New (Subsea) Cable Paradigm
MyNOG
 
PDF
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
MyNOG
 
MEASURING THE HEALTH AND RESILIENCE OF THE INTERNET: MALAYSIA
MyNOG
 
Malaysia’s Emerging Trends in Data Center: Identifying Tomorrow’s Hotspots
MyNOG
 
SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE
MyNOG
 
Building a Connected Future: The Power of Interconnection
MyNOG
 
COHERENT OPTICAL TRANSCEIVERS – CURRENT CAPABILITIES AND FUTURE POSSIBILITIES
MyNOG
 
Strategies for Seamless Recovery in a Dynamic Data Landscape
MyNOG
 
SRv6: DEPLOYMENT & USECASES by Aditya Kaul
MyNOG
 
Peering Personal MyNOG-10
MyNOG
 
Embedded CDNs in 2023
MyNOG
 
Edge virtualisation for Carrier Networks
MyNOG
 
Equinix: New Markets, New Frontiers
MyNOG
 
Securing the Onion: 5G Cloud Native Infrastructure
MyNOG
 
Hierarchical Network Controller
MyNOG
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
MyNOG
 
Cleaning up your RPKI invalids
MyNOG
 
Introducing Peering LAN 2.0 at DE-CIX
MyNOG
 
Load balancing and Service in Kubernetes
MyNOG
 
Cloud SDN: BGP Peering and RPKI
MyNOG
 
SDM – A New (Subsea) Cable Paradigm
MyNOG
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
MyNOG
 

Recently uploaded (20)

PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 

DIY Netflow Data Analytic with ELK Stack by CL Lee

  • 1. NetFlow Data Analytics with ELK Stack
  • 2. •  Founded in 2003 •  Over 60 employees •  Managing over 5000 physical servers •  Total 250 racks at 5 data centers across MY, SG and HK •  Contributing 10% of Malaysia’s domestic traffic •  Approximately 6.8 Gbit/s total traffic sending to the Internet at peak •  Up to 1.2TB DDoS mitigation capacity About IP ServerOne
  • 3. Why do we need to use NetFlow?
  • 4. Who contributed to this spike? Most companies have their MRTG configured But MRTG cannot tell you which IP is receiving a spike traffic (such as the above graph)
  • 5. You probably may need to know where the majority of your traffic comes from, right? Who uses the most bandwidth here?
  • 6. A NetFlow graph would be able to breakdown the usage for your outbound / inbound traffic
  • 8. Why do we choose ElasticSearch, Logstash, And Kibana (ELK)?
  • 9. •  Before I get to know ELK stack, I was using MySQL to store all the NetFlow information. •  I wrote a PHP application that converts NetFlow information into a MySQL statement. •  That was too slow on the conversion performance and the data retrieval was a complete nightmare. •  There is no function / feature to get traffic statistic in the histogram form. Why ELK? It’s just too difficult to run this in MySQL
  • 10. •  Speed is the primary reason that I have chosen ELK •  It has a lot of codec, which I can just plug and play •  COST; it runs on commodity hardware and it works just fine with Nearline SAS Hard drives •  Open Source •  Support Clustering •  It has SQL like syntax, so data searching is much more easier •  It has a very high performance; we had a working environment of 100Kflows per second Why ELK?
  • 11. Alternative to ELK •  We did consider to use InfluxDB The OpenSource edition doesn’t support clustering. •  OpenTSDB The setup is very time-consuming. •  MongoDB. This is a great DB; however, we still prefer to use ElasticSearch.
  • 12. How to record the NetFlow Data?
  • 13. The NetFlow is being collected with the following setup NetFlow Source Logstash Elas6cSearch Elas6cSearch API + Custom App
  • 14. Adding BGP table information into the ElasticSearch NetFlow Source Elas6cSearch BGP routing table entry for 103.3.174.0/24, version 737937 Paths: (34 available, best #21, table default) Not advertised to any peer Refresh Epoch 1 3356 3491 45352 4.69.184.193 from 4.69.184.193 (4.69.184.193) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:666 3356:2012 3491:400 3491:413 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 3549 3356 2914 45352 208.51.134.254 from 208.51.134.254 (67.16.168.191) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:3 3356:86 3356:575 3356:666 3356:2011 3356:11940 3549:2581 3549:30840 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 20912 1267 45352 212.66.96.126 from 212.66.96.126 (212.66.96.126) Origin incomplete, localpref 100, valid, external Community: 1267:167 1267:200 20912:65001 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 route-views> BGP Rou6ng Table PHP + Golang Logstash ExaBGP
  • 15. We use NetFlow v9 in our projects Here is the field that we keep
  • 16. The hardware specification used for keeping our NetFlow The software used to run our NetFlow CentOS 7 64bit Operating System Java Hardware vs Software 1 x Intel Xeon 8 cores 2.1Ghz Processor 32GB RAM 4 x 2TB HDD 1 x Gigabit Network Card ElasticSearch, Logstash PHP MySQL
  • 17. How to put up the software? CentOS Installation You can follow the way you do normally; but please remember to keep most of the free space into /var.
  • 18. ElasticSearch Installation ElasticSearch is a search engine based on Lucene. It provides a distributed architecture, support multi-tenancy and full-text search engine with an HTTP web interface.
  • 19. Start ElasticSearch [root@elk-stack ~]# systemctl daemon-reload [root@elk-stack ~]# systemctl start elasticsearch [root@elk-stack ~]# systemctl enable elasticsearch [root@elk-stack ~]# curl -XGET ‘http://localhost:9200/_cat/indices?v’ health status index uuid pri rep docs.count docs.deleted store.size pri.store.size yellow open stat-20180603 byH89tWFQSS_R9kS_QPGPw 5 1 54822544 0 6.9gb 6.9gb yellow open stat-20180616 qZYSua4CQDa18GGMc8uiHQ 5 1 51830338 0 6.6gb 6.6gb yellow open stat-20180604 PYdGUxX7SZ2aaFRV-ng4NQ 5 1 57828976 0 7.3gb 7.3gb yellow open stat-20180630 FwrBuf6FQ-6SlyZhknATLQ 5 1 50014372 0 6.4gb 6.4gb yellow open stat-20180618 _Nloca3jROCQ2vChWmDoGw 5 1 54976264 0 7gb 7gb yellow open stat-20180526 ObGvcFbfTDuuk_MtZNlCQA 5 1 51836183 0 6.6gb 6.6gb yellow open stat-20180615 t_CxQoauRUiVRTaJRPz2eQ 5 1 55490519 0 7gb 7gb To check what are the indexes available in the ElasticSearch:
  • 20. Logstash Installation Logstash is one of the softwares inside the ELK stack. The main objective for this software is to convert NetFlow data into ElasticSearch acceptable format.
  • 21. Configure Logstash to decode NetFlow LS_HOME/bin/logstash-plugin install logstash-codec-sflow LS_HOME/bin/logstash-plugin update logstash-codec-netflow LS_HOME/bin/logstash-plugin update logstash-input-udp LS_HOME/bin/logstash-plugin update logstash-filter-dns input { udp { port => 2055 codec => netflow } } output { elasticsearch { protocol => "http" host => "127.0.0.1" } stdout { codec => rubydebug } } Create a netflow.conf /etc/logstash/
  • 22. Kibana Installation Kibana is one of the GUI tools that helps retrieve data from ElasticSearch. It can also come with the graphing capability to manipulate the Doc in ElasticSearch to be something more meaningful to system engineers.
  • 23. Kibana Configuration vi /etc/kibana/kibana.yml Kibana does not listen to any IP besides 127.0.0.1; you will need to update the configuration file to make the Kibana accessible from outside the host.
  • 24. A quick look on the data stored in ElasticSearch If the data is successfully collected by Logstash, this is what will be shown in Kibana:
  • 25. How to query ElasticSearch for top 10 IP talkers?
  • 26. ElasticSearch has it’s own Query Language called Query DSL Here is a sample query command for the IP range 103.64.13.0/24 at the specific time period. (formatted in epoch milliseconds)
  • 27. Kibana is easy to use… However, it’s still complicated for my NOC team We make use of ElasticSearch Client API for PHP, to make a query interface so that they can do the job quicker and simplify the learning curve.
  • 28. To integrate with PHP, we use Elasticsearch-PHP It works quite well with our PHP environment
  • 29. A Query screen for the NOC engineer Here is the result of what we have developed, which makes our engineers’ life easier
  • 30. Samples on how we use the NetFlow Data
  • 31. Outgoing traffic by ASN and it’s AS-PATH This allows us to know which ASN the traffic flows; and helps us optimize the planning and traffic engineering according to AS Number.
  • 32. Incoming traffic by Source ASN This is also helpful when it comes to traffic engineering
  • 33. Identify customer traffic profile Identify the estimated bandwidth cost for each customer. See if the customer traffic utilization is more towards international or local bandwidth.
  • 34. IP Conversation History It’s something really useful for troubleshooting a network related issue, such as spamming activity, NTP attack within the network, and ability to identify the compromised host quickly.
  • 35. Conclusion ElasticSearch, Logstash and Kibana is a powerful tool to keep and analyze the NetFlow traffic. In addition, it’s not too difficult to deploy and run.
  • 37. ThanksOUR INFRASTRUCTURE; YOUR GROWTH E-mail: cllee@ip.my Mobile: +6 012-331 9286 03 2026 1688 www.ipserverone.com ISO Certificate No: IS 651738