Tyblog | Building my ideal router for $50

Hi @manpreet! In short terms, here’s what I’m doing in order to visualize my network data:

On my Arch Linux ARM-based router, I’ve installed the ipt-netflow-dkms-git AUR package. I then load that kernel module on-demand by including the following lines in /etc/shorewall/start:

run_iptables -I INPUT -j NETFLOW
run_iptables -I FORWARD -j NETFLOW
run_iptables -I OUTPUT -j NETFLOW

return 0

You configure the destination for netflow packets in /etc/modprobe.d/ipt-netflow.conf; mine looks like this:

options ipt_NETFLOW destination=127.0.0.1:2055 protocol=5

This is because I run a dynamic reverse proxy on the router to send netflow packets wherever Nomad is currently running logstash, but the tl;dr is that you point the module at wherever you’re running logstash.

The logstash config is simple due to the netflow module:

http.host: "0.0.0.0"
modules:
  - name: netflow
    var.elasticsearch.hosts: elasticsearch.service.consul
    var.kibana.host: <my kibana hostname>
    var.kibana.scheme: https

The steps to get Logstash connected to Elasticsearch are outside the scope of the guide I’ve written here. Does that make sense/are there other parts I could clarify?
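Since the modprobe line above selects NetFlow v5 (protocol=5), here is an added example, not part of the original post or of the ipt-netflow or Logstash projects, that decodes one v5 export datagram the way a collector does; it is handy for checking what the router actually emits (sequence numbers, sampling, per-flow tuples) before Logstash is in the loop. The datagram it parses is constructed inline, and the field names are my own.

```python
import socket
import struct
from datetime import datetime, timezone

# NetFlow v5 wire layout, which is what ipt_NETFLOW exports with protocol=5:
# a 24-byte header followed by up to 30 fixed-size 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

# Field names are my own labels for the v5 record layout (underscore = padding).
RECORD_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "octets",
                 "first", "last", "src_port", "dst_port", "_pad1", "tcp_flags",
                 "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "_pad2")


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 export datagram into a header dict plus a flow list."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header record count exceeds datagram length")
    flows = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):      # 4-byte addresses -> dotted quads
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append({k: v for k, v in rec.items() if not k.startswith("_")})
    return {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
            "exported_at": datetime.fromtimestamp(unix_secs, tz=timezone.utc),
            "flow_sequence": flow_seq, "engine_type": engine_type,
            "engine_id": engine_id, "sampling_interval": sampling & 0x3FFF,
            "flows": flows}


def build_sample_datagram() -> bytes:
    """Constructed sample: one LAN host talking HTTPS out through the router."""
    header = struct.pack(HEADER_FMT, 5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
    record = struct.pack(RECORD_FMT, socket.inet_aton("192.168.1.10"),
                         socket.inet_aton("203.0.113.5"), socket.inet_aton("0.0.0.0"),
                         1, 2, 12, 4096, 120000, 123000, 51234, 443,
                         0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

Feeding real exporter traffic to parse_netflow_v5 is a matter of binding a UDP socket on the port configured in ipt-netflow.conf and passing each received datagram to it.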