robcowart / elastiflow

Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack

How to sFlow #15

Closed murrant closed 6 years ago

murrant commented 6 years ago

You mention sFlow in your LinkedIn article, but I don't see any mention of it here. How can I configure sflow to work with your filters/dashboard?

I tried a very simplistic approach without success :D

murrant commented 6 years ago

I'm attempting to translate the sflow to similar netflow fields. This is what I have, but it isn't working at all yet. Time to go read up on Logstash filters.

        # Logstash filter fragment. Assumes an upstream sFlow decoder has
        # already produced the [sflow][*] fields referenced below.
        filter {
          if [sflow] {
            mutate {
                id => "sflow-normalize"
                # Constant fields the Netflow dashboards expect; add_field is
                # applied after the rename below completes.
                add_field => {
                    "[netflow][direction]" => "ingress"
                    "[netflow][ip_version]" => "IPv4"
                    "[netflow][version]" => "sFlow"
                }
                # Map sFlow sample fields onto the Netflow field names.
                rename => {
                    "[sflow][src_ip]" => "[netflow][src_addr]"
                    "[sflow][src_mask_len]" => "[netflow][src_mask_len]"
                    "[sflow][src_port]" => "[netflow][src_port]"
                    "[sflow][dst_ip]" => "[netflow][dst_addr]"
                    "[sflow][dst_mask_len]" => "[netflow][dst_mask_len]"
                    "[sflow][dst_port]" => "[netflow][dst_port]"
                    # One sampled frame stands in for sampling_rate frames, so
                    # frame_length * sampling_rate approximates bytes and
                    # sampling_rate approximates packets.
                    "[sflow][frame_length_times_sampling_rate]" => "[netflow][bytes]"
                    "[sflow][sampling_rate]" => "[netflow][packets]"
                    "[sflow][ip_protocol]" => "[netflow][protocol]"
                }
            }
          }
        }

robcowart commented 6 years ago

I do not have any plans to add sFlow support at the moment. You may want to try using sflowtool to convert sFlow records to Netflow v5 and forward the output to ElastiFlow.
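An added example, written for this page and not code from ElastiFlow, sflowtool or either commenter, that carries both ideas in the thread through in Python: murrant's sFlow-to-netflow field translation, including the sampling-rate extrapolation it relies on, and robcowart's suggestion of converting to NetFlow v5, shown as a small encoder and decoder for the v5 wire format so the count-versus-length check a collector needs is visible. The decoded sFlow sample layout (`src_ip`, `frame_length`, `sampling_rate`, and so on) and every sample value are constructed assumptions. It goes beyond the mutate filter in deriving `ip_version` from the address and in dropping IPv6 samples, which NetFlow v5 cannot carry.

```python
import ipaddress
import struct

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed input: decoded sFlow flow samples in the field layout the thread's
# mutate filter assumes (that layout is itself an assumption of this example).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 51234, "dst_port": 443,
     "src_mask_len": 24, "dst_mask_len": 24, "ip_protocol": 6, "frame_length": 1500,
     "sampling_rate": 512},
    {"src_ip": "2001:db8::1", "dst_ip": "2001:db8::2", "src_port": 53, "dst_port": 40000,
     "ip_protocol": 17, "frame_length": 120, "sampling_rate": 512},
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.11", "ip_protocol": 1, "frame_length": 64},
]


def normalize_sflow(sample):
    """Translate one decoded sFlow flow sample into netflow-style fields.

    Same mapping as the thread's mutate filter, plus: bytes are extrapolated as
    frame_length * sampling_rate (one sampled frame stands in for sampling_rate
    frames) and ip_version comes from the address instead of being hard-coded.
    Returns None when the sample lacks what is needed to scale it.
    """
    required = ("src_ip", "dst_ip", "frame_length", "sampling_rate", "ip_protocol")
    if any(key not in sample for key in required) or int(sample["sampling_rate"]) <= 0:
        return None
    rate = int(sample["sampling_rate"])
    src = ipaddress.ip_address(sample["src_ip"])
    return {
        "direction": "ingress",
        "version": "sFlow",
        "ip_version": "IPv%d" % src.version,
        "src_addr": str(src),
        "dst_addr": str(ipaddress.ip_address(sample["dst_ip"])),
        "src_port": int(sample.get("src_port", 0)),
        "dst_port": int(sample.get("dst_port", 0)),
        "src_mask_len": int(sample.get("src_mask_len", 0)),
        "dst_mask_len": int(sample.get("dst_mask_len", 0)),
        "protocol": int(sample["ip_protocol"]),
        "packets": rate,
        "bytes": int(sample["frame_length"]) * rate,
    }


def encode_netflow_v5(records, flow_sequence, sys_uptime_ms, unix_secs):
    """Pack normalised records into one NetFlow v5 datagram (at most 30 records).
    NetFlow v5 carries IPv4 only, so IPv6 records are dropped: the same
    information loss any sFlow-to-v5 conversion incurs."""
    v4 = [r for r in records if r["ip_version"] == "IPv4"][:30]
    header = NF5_HEADER.pack(5, len(v4), sys_uptime_ms, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        NF5_RECORD.pack(
            ipaddress.IPv4Address(r["src_addr"]).packed,
            ipaddress.IPv4Address(r["dst_addr"]).packed,
            b"\x00" * 4,                   # next hop: unknown from a flow sample
            0, 0,                          # input/output ifIndex
            r["packets"], r["bytes"],      # already scaled by the sampling rate
            sys_uptime_ms, sys_uptime_ms,  # first/last: a sample has no duration
            r["src_port"], r["dst_port"],
            0, 0,                          # pad1, tcp_flags
            r["protocol"], 0,              # protocol, tos
            0, 0,                          # src_as, dst_as
            r["src_mask_len"], r["dst_mask_len"],
            0,                             # pad2
        )
        for r in v4
    )
    return header + body


def decode_netflow_v5(data):
    """Unpack a NetFlow v5 datagram into (header, records); a collector must
    reject truncated or mis-sized datagrams instead of reading past the end."""
    if len(data) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _, _, _, seq, _, _, _ = NF5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(data) != NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(data, NF5_HEADER.size + i * NF5_RECORD.size)
        records.append({
            "src_addr": str(ipaddress.IPv4Address(f[0])),
            "dst_addr": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10], "protocol": f[13],
            "src_mask_len": f[17], "dst_mask_len": f[18],
        })
    return {"count": count, "flow_sequence": seq}, records


def is_valid_netflow_v5(data):
    """True if the datagram parses cleanly as NetFlow v5."""
    try:
        decode_netflow_v5(data)
        return True
    except ValueError:
        return False


def convert(samples, flow_sequence=1):
    """sFlow samples -> normalised records -> one NetFlow v5 datagram.
    Uptime and timestamp are constructed constants for a reproducible result."""
    normalised = [n for n in (normalize_sflow(s) for s in samples) if n is not None]
    return encode_netflow_v5(normalised, flow_sequence, 1000, 1500000000)


if __name__ == "__main__":
    print(decode_netflow_v5(convert(SAMPLE_FLOWS)))
```

Of the three constructed samples only the first survives into the datagram: the IPv6 one has nowhere to go in a v5 record, and the third has no sampling rate, so its byte and packet counts cannot be extrapolated. Whatever converter sits in front of ElastiFlow, that is the information to check for in the resulting Netflow records.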