Getting netflow into HELK

[mother2110]

Sorry for the noob question but where would I configure filebeats to accept netflow traffic on port UDP 2055 in HELK? Any instructions out there?

[priamai]

I don't see any preconfigured filebeat pipeline into HELK, however all you have to do is to add a new pipeline into Logstash configuration (read the other thread about SonicWalls) but instead use the Filebeat module for Netflow processing. It will look like this: FileBeat (NetflowModule)-> Logstash -> ElasticSearch -> Kibana Dashboards The Dashboards needs to be generated with the Filebeat templates. We have to start to think about how to configure all this additional processing streams in a config file to avoid having too many installation options. I am thinking maybe having a second option menu specifically for adding Logstash pipelines would be the best choice. But I am not the author so this is just a suggestion.

[mother2110]

Thanks @priamai Are there any written instructions on how to do this? This is the very first time working with ELK and I am a complete dumbass right now. I just need a free system that I can collect logs from a few sonicwalls out there to watch out for bad stuff.

[priamai]

We can do step by step, first we would need the SonicWalls file logs on a repository. Then we try first Logstash with input file and output console to see if they have been parsed. Then we add FileBeat as input and make sure still works. Then we add ES as output. Once the chan is working we will attempt to modify the HELK files with the configuration required.

[priamai]

This is a good diagram description @mother2110 to understand what a pipeline is: https://www.elastic.co/guide/en/logstash/current/first-event.html

[mother2110]

Thanks @priamai I really appreciate your responses.

[priamai]

I also found this interesting article in Japanese: https://designetwork.daichi703n.com/entry/2019/03/16/elastiflow-netflow The english translation from Chrome is not too bad, there is basically a pre-made ElastiFlow docker container. We could integrate their Logstash configuration and the Kibana dashboard into HELK. But we have to try it first.

[Cyb3rWard0g]

Thank you @priamai for sharing those resources. @mother2110 feel free to re-open this issue or create a new if you still have any additional questions. thank you!