First of all, I’d like to explain in simple terms what Elastiflow is all about. ElastiFlow is a NetFlow analyzer that works with the Elastic Stack.
The Elastiflow Analyzer can collect various network flows, such as netflow or sflow, and write them to Elastic, taking into account the ECS format. In addition, the Elastiflow Analyzer provides a number of ready-made dashboards that make analysis of the flow data much easier.
Of course, it’s also possible to create your own dashboards, or to change the dashboards that are already included.
One of our customers purchased Elastiflow some time ago, and it was now time to install the latest version 5 in their NetEye SIEM environment. Since I was already familiar with the previous version, I was able to make a good comparison between the two.
The prerequisite for the installation is a NetEye SIEM environment, which is already based on Elastic. The new Elastiflow analyzer can easily be installed on the NetEye server via an rpm package. You should then create an additional user in Elastic to give it access to the Elastiflow analyzer.
Since Elastiflow is started as a systemd service, it has a configuration file, located at:
/etc/systemd/system/flowcoll.service.d/flowcoll.conf
In it you can configure the Elastiflow user you just created with an associated password and the UDP port over which the flow can be received. To enable visualization of geolocation on the Elastiflow dashboards, the geolite databases must be linked to the /etc/elastiflow/maxmind
directory. The Elasticsearch settings must also be activated and configured.
In addition, the ElastiFlow user must be added to the logstash group, and finally, the dashboards have to be downloaded as ndjson files from the Elastiflow site and imported into the Elastic system.
If all configuration parameters have been set successfully, the Elastiflow Analyzer can be started as a systemd service:
# systemct start flowcoll.service
# systemct enable flowcoll.service
If flows are already being sent to the defined port, they will be displayed in the dashboards.
In my opinion, the installation of the new Elastiflow version 5 is now much easier than before.
Incidentally, I’d like to inform you that the customer for whom I installed the Elastiflow Analyzer operates a NetEye SIEM cluster. So I had to configure the Elastiflow Analyzer to work in a cluster environment. This, too, was easy to do.
Finally, I must mention that Würth Phoenix is an Elastiflow partner and thus supports and offers integration of the Elastiflow module via the NetEye SIEM.