robcowart / elastiflow

Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack

Filebeat Netflow #246

Closed loko-it closed 5 years ago

loko-it commented 5 years ago

Not an issue

Filebeat 6.6 now has a Netflow input, this is interesting as you now have TCP transport and TLS encryption of flow records. Would be nice to have elastiflow be compatible with this new function

https://github.com/elastic/beats/issues/9399

Filebeat adds a new NetFlow input, which can be used to receive these Netflow and IPFIX records over UDP. It supports NetFlow v1, v5, v6, v7, v8, v9 and IPFIX.

robcowart commented 5 years ago

I am not sure how this gives you "TCP transport and TLS encryption of flow records". It is still collecting flows via UDP. ElastiFlow currently supports TCP for IPFIX, and the Logstash elasticsearch output can be easily configured for TLS.

I do believe there are benefits to moving away from Logstash, especially to get better throughput, and as I have mentioned elsewhere I have been working on a high-performance collector with this goal. However, this will not involve using the Filebeat netflow collector as it simply fails to meet the level of functionality that I believe is necessary, even for an MVP/beta.
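The two capabilities robcowart points to above, IPFIX over TCP on the input side and TLS on the Logstash elasticsearch output, shown as an added Logstash pipeline example. This is not ElastiFlow's shipped configuration: the bind address, ports, Elasticsearch hostname, certificate path, index name and credentials are placeholders, and only documented options of the `udp`, `tcp`, `netflow` codec and `elasticsearch` output plugins are used.

```conf
# Added example, not ElastiFlow's own config. Addresses, ports, paths and
# credentials below are placeholders.
input {
  # NetFlow v5/v9 over UDP: the common exporter transport. UDP offers no
  # integrity or confidentiality, and a spoofed datagram looks identical to a
  # real one, so bind the listener to a management interface rather than 0.0.0.0.
  udp {
    host  => "10.0.0.5"                     # placeholder collector address
    port  => 2055
    codec => netflow { versions => [5, 9] }
  }

  # IPFIX over TCP: RFC 7011 permits TCP (and SCTP) in addition to UDP. A TCP
  # session gives ordered delivery and makes loss visible, which UDP cannot.
  tcp {
    host  => "10.0.0.5"                     # placeholder collector address
    port  => 4739
    codec => netflow { versions => [10] }   # version 10 is IPFIX
  }
}

output {
  # Flow records leave Logstash over HTTPS; the server certificate is checked
  # against a pinned CA bundle instead of the system trust store.
  elasticsearch {
    hosts    => ["https://es.example.internal:9200"]   # placeholder host
    ssl      => true
    cacert   => "/etc/logstash/certs/ca.crt"           # placeholder CA bundle
    ssl_certificate_verification => true               # never disable in production
    user     => "elastiflow_writer"                    # placeholder, write-only role
    password => "${ES_PASSWORD}"                       # resolved from the Logstash keystore
    index    => "elastiflow-%{+YYYY.MM.dd}"            # placeholder index pattern
  }
}
```

Note that this encrypts the hop from the collector to Elasticsearch, not the hop from the exporter to the collector; for the latter the transport still depends on what the exporting device supports.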