Please Xuri, (or anyone) contribute a "nifty netflow-to-syslog utility"? What is possible with latest Rsyslog and compatible netflow utilities? ...implementation referenced in previous message threads (below):

Thanks,
Kendall

- [rsyslog] Off-Topic: rsyslog-like equivalent for NetFlow? <http://lists.adiscon.net/pipermail/rsyslog/2014-January/035794.html>

....or maybe share/integrate it as an input module to rsyslog?! *salivate*

On Fri, Jan 10, 2014 at 6:52 PM, Xuri Nagarin <secsubs at gmail.com> wrote:
> Let me check with my co-worker who wrote a nifty netflow-to-syslog utility
> in C. Maybe we can share it as open source.
>
> On Fri, Jan 10, 2014 at 1:20 PM, David Lang <david at lang.hm> wrote:
>> what sort of throughput can you get from logstash getting netflow logs and
>> delivering them to rsyslog?
>>
>> David Lang
>>
>> On Fri, 10 Jan 2014, Mike Hoskins (michoski) wrote:
>>
>>> Date: Fri, 10 Jan 2014 20:58:03 +0000
>>> From: "Mike Hoskins (michoski)" <michoski at cisco.com>
>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
>>> To: rsyslog-users <rsyslog at lists.adiscon.com>
>>> Subject: Re: [rsyslog] Off-Topic: rsyslog-like equivalent for NetFlow?
>>>
>>> Logstash setup itself is straightforward (their docs are great), and I can
>>> attach the full config referenced below + patterns file specific to Cisco,
>>> minus my IPs and rabbitmq passwords of course...if that's helpful. ;-)
>>> Nothing too exotic really.
>>>
>>> Right now I've got netflow in each colo going through logstash -> rabbitmq
>>> <- central rabbitmq -> elasticsearch -> kibana to make infosec happy. The
>>> bulk of the work is on es/kibana side to make pretty dashboards people
>>> like, though they can tweak quite a bit themselves.
>>>
>>> I actually use rsyslog for an entirely different use case (high volume
>>> application logs), but was thinking the above could be
>>> modified...inserting rsyslog in the middle so you could output/archive to
>>> flat file as well as es. That way people who prefer traditional methods
>>> like grep aren't left in the cold. Elasticsearch is amazing, but this
>>> would give users a choice of interface.
>>>
>>> -----Original Message-----
>>> From: Nick Syslog <rsyslog at nanoscopic.net>
>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
>>> Date: Friday, January 10, 2014 2:34 PM
>>> To: rsyslog-users <rsyslog at lists.adiscon.com>
>>> Subject: Re: [rsyslog] Off-Topic: rsyslog-like equivalent for NetFlow?
>>>
>>>> I'm also interested in this solution as I'm about to implement something
>>>> similar in our enterprise as well...
>>>>
>>>> Either that or work on paying to develop something native to rsyslog to
>>>> accept the traffic and redistribute it.
>>>>
>>>> On Fri, Jan 10, 2014 at 11:51 AM, Mike Hoskins (michoski) <michoski at cisco.com> wrote:
>>>>
>>>>> Still working out all the details, but have had luck using logstash behind
>>>>> lb to accept netflow input, then filter/output as desired...even back into
>>>>> rsyslog. ;-)
>>>>>
>>>>>     input {
>>>>>
>>>>>       # Syslog inputs
>>>>>       udp {
>>>>>         host => "a.b.c.d"
>>>>>         port => 514
>>>>>         type => "syslog"
>>>>>       }
>>>>>       tcp {
>>>>>         host => "a.b.c.d"
>>>>>         port => 514
>>>>>         type => "syslog"
>>>>>       }
>>>>>
>>>>>       # Netflow input
>>>>>       udp {
>>>>>         host => "a.b.c.d"
>>>>>         codec => netflow {}
>>>>>         port => 2055
>>>>>         type => "netflow"
>>>>>       }
>>>>>
>>>>>       # Dummy TCP ports for load balancer probes
>>>>>       tcp {
>>>>>         host => "a.b.c.d"
>>>>>         port => 514
>>>>>         type => "dummy"
>>>>>       }
>>>>>       tcp {
>>>>>         host => "a.b.c.d"
>>>>>         port => 2055
>>>>>         type => "dummy"
>>>>>       }
>>>>>     }
>>>>>
>>>>> Last tcp bits being a hack to keep random garbage showing up from lb
>>>>> probes (my filters drop type dummy).
>>>>>
>>>>> -----Original Message-----
>>>>> From: Robert McIntyre <rjmcinty at hotmail.com>
>>>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
>>>>> Date: Friday, January 10, 2014 1:36 PM
>>>>> To: "rsyslog at lists.adiscon.com" <rsyslog at lists.adiscon.com>
>>>>> Subject: [rsyslog] Off-Topic: rsyslog-like equivalent for NetFlow?
>>>>>
>>>>>> Hello, folks! Apologies for this question; I know that it's off-topic,
>>>>>> but hope that it's not too far off. :)
>>>>>>
>>>>>> I have an infrastructure using rsyslog to receive, write to text file,
>>>>>> and forward syslog traffic. I now need to figure out a way to do the
>>>>>> same things with NetFlow data. I'm querying the internet, but haven't
>>>>>> found anything as turnkey as rsyslog is for syslog.
>>>>>>
>>>>>> Any suggestions?
>>>>>>
>>>>>> Thanks!
>>>>>> Robert

On Mon, May 19, 2014 at 10:22 PM, masoom alam <[email protected]> wrote:
> Any activity on this thread.
>
> We are trying to get rid of Logstash. Netflow management is another strong
> point that Logstash can manage.
>
> Thanks
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
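As an added example (not the C utility Xuri mentions, nor anything from the thread): a minimal NetFlow v5 decoder that validates the datagram before trusting its record count and emits one RFC 5424 syslog line per flow, the shape of thing an rsyslog UDP input on port 514 could accept. The exporter name "router1", facility local0, and the packed sample datagram are constructed assumptions.

```python
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address

# NetFlow v5 wire format (network byte order): 24-byte header, then 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")             # version,count,uptime,secs,nsecs,seq,etype,eid,sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src,dst,nexthop,in,out,pkts,octets,first,last,sport,dport,...
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_v5(packet: bytes) -> list:
    """Decode one NetFlow v5 datagram; reject malformed input rather than reading past it."""
    if len(packet) < HDR.size:
        raise ValueError("short header")
    version, count, _uptime, secs, _nsecs, seq, _et, _eid, _samp = HDR.unpack_from(packet)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(packet) != HDR.size + count * REC.size:   # v5 caps a datagram at 30 records
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = REC.unpack_from(packet, HDR.size + i * REC.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "pkts": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                      "flags": f[12], "proto": PROTO.get(f[13], str(f[13])),
                      "seq": seq, "exporter_time": secs})
    return flows

def to_syslog(flow: dict, exporter: str) -> str:
    """RFC 5424 line; PRI 134 = facility local0 (16*8) + severity info (6)."""
    ts = datetime.fromtimestamp(flow["exporter_time"], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"<134>1 {ts} {exporter} netflow - - - seq={flow['seq']} "
            f"src={flow['src']}:{flow['sport']} dst={flow['dst']}:{flow['dport']} "
            f"proto={flow['proto']} pkts={flow['pkts']} bytes={flow['bytes']} flags=0x{flow['flags']:02x}")

def build_sample() -> bytes:
    """Constructed datagram (not a capture): one TCP flow 10.0.0.5:44321 -> 192.0.2.10:443."""
    hdr = HDR.pack(5, 1, 1000, 1400000000, 0, 42, 0, 0, 0)
    rec = REC.pack(IPv4Address("10.0.0.5").packed, IPv4Address("192.0.2.10").packed, b"\0\0\0\0",
                   1, 2, 12, 3400, 500, 900, 44321, 443, 0, 0x1b, 6, 0, 0, 0, 24, 24, 0)
    return hdr + rec

if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        print(to_syslog(flow, "router1"))
```

A real collector would bind a UDP socket on 2055, call parse_v5 per datagram and forward each line to rsyslog; the length check matters because an attacker-controlled count field is otherwise an easy way to make a naive parser read garbage.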

