If you are already using Elasticsearch, I would use ElastiFlow (https://docs.elastiflow.com/docs/flowcoll/introduction/). There is also a flow collector available from Elasticsearch and part of the ELK package, but the one from ElastiFlow is the better one.
// Hans

On 17.04.2023, at 15:48, Brian Candler <b.cand...@pobox.com> wrote:

> On 17/04/2023 13:38, Nikolaos Milas <nmi...@noa.gr> wrote:
>
> > I know that nfsen includes features for alerts, but I was wondering whether there have been implementations that integrate nfsen with Splunk or Elastic / ELK Stack and/or guidelines to follow with such an implementation.
>
> I think there are two possible and very different things you might be asking for there:
>
> 1. Getting nfsen alerts into Splunk/Elastic
> 2. Getting all the raw nfdump NetFlow records into Splunk/Elastic (and doing all the analysis and alerting there)
>
> For case 1, it should just be a question of a small alerting plugin: https://nfsen.sourceforge.net/#mozTocId859236
>
> For case 2, I don't think nfdump is the ideal data feed, but there are lots of other options. Elastic's own Filebeat (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html) is free; there are lots of commercial options too, e.g. ntop-ng/nprobe, ElastiFlow.
>
> > By the way, back from 2014 there is an nfsen plugin for detecting DDoS attacks (https://github.com/CERT-GOV-GE/gabriel). Has anyone used it?
>
> Not here, and I notice it's 9 years old. Also note that whilst nfdump/nfcapd are actively maintained, nfsen isn't. However, I did come across this recently: https://github.com/pavel-odintsov/fastnetmon

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
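For Brian's case 2 (getting the raw nfdump records into Elastic), here is an added example that is not from this thread or from the nfdump/nfsen projects: it turns `nfdump -o csv` output into an Elasticsearch `_bulk` request body with ECS-style field names. It assumes nfdump's CSV header abbreviations (ts, te, td, sa, da, sp, dp, pr, flg, ipkt, ibyt), a collector clock in UTC, and an index name chosen here; the sample CSV is constructed.

```python
"""Convert nfdump CSV output into an Elasticsearch _bulk (NDJSON) body.

Assumed workflow: `nfdump -r <nfcapd file> -o csv` is run against the files
nfsen already collects, its output is piped into this script, and the result
is POSTed to /_bulk. Field abbreviations are nfdump's CSV header names; the
ECS-style target names and the index name are choices made for this example.
"""
import csv
import io
import json
import sys
from typing import Iterator

# Constructed sample of nfdump -o csv output: header row plus two flows.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,flg,ipkt,ibyt
2023-04-17 13:38:01.000,2023-04-17 13:38:04.012,3.012,192.0.2.10,198.51.100.7,51234,443,TCP,.AP.SF,42,31337
2023-04-17 13:38:02.000,2023-04-17 13:38:02.000,0.000,192.0.2.11,198.51.100.53,40001,53,UDP,......,1,76
"""

def _to_iso(ts: str) -> str:
    """nfdump prints 'YYYY-MM-DD HH:MM:SS.mmm'; assume UTC and emit ISO 8601."""
    return ts.replace(" ", "T") + "Z"

def _is_flow(row: dict) -> bool:
    """nfdump appends summary lines after the flows; keep only complete flow rows."""
    return all(row.get(k) for k in ("ts", "sa", "da", "sp", "dp")) and str(row.get("ibyt")).isdigit()

def flow_to_ecs(row: dict) -> dict:
    """Map one nfdump CSV row onto ECS-style fields, keeping counters numeric."""
    return {
        "@timestamp": _to_iso(row["ts"]),
        "event": {"end": _to_iso(row["te"]), "duration": float(row["td"])},
        "source": {"ip": row["sa"], "port": int(row["sp"])},
        "destination": {"ip": row["da"], "port": int(row["dp"])},
        "network": {"transport": row["pr"].lower(), "packets": int(row["ipkt"]), "bytes": int(row["ibyt"])},
        "netflow": {"tcp_flags": row["flg"]},
    }

def to_bulk(csv_text: str, index: str = "netflow-nfdump") -> Iterator[str]:
    """Yield NDJSON lines: an index action line followed by the document line."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not _is_flow(row):
            continue
        yield json.dumps({"index": {"_index": index}})
        yield json.dumps(flow_to_ecs(row))

def bulk_body(csv_text: str, index: str = "netflow-nfdump") -> str:
    """Complete _bulk request body; the API requires a trailing newline."""
    return "\n".join(to_bulk(csv_text, index)) + "\n"

if __name__ == "__main__":
    data = SAMPLE_CSV if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(bulk_body(data))
```

Run as `nfdump -r <file> -o csv | python3 nfdump2bulk.py | curl -s -H 'Content-Type: application/x-ndjson' --data-binary @- https://<es-host>:9200/_bulk` once the index mapping exists.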