Stipo wrote:
+1 ElastiFlow, the templates are great, a great quickstart to using netflow on elk stack.
Out of curiosity, I set up a test ElastiFlow installation on a small site recently. It's completely gorgeous from an eye candy point of view and it's pretty easy to see how you could tap into the ELK APIs to do interesting data mangling. On the downside, it used ~40x the amount of disk space that nfsen used for the same accounting period, and even though it was only handling less than 1G traffic at a NF sample rate of 1:10, Logstash and Elasticsearch managed to peg between 4-6 cores on the server which was handling it. Granted, these were only E5606 (2011-era Westmere Xeon) CPUs, but even still there was an alarming mismatch between the amount of compute power required compared to the amount of netflow traffic being handled. It would be interesting to hear the sort of CPU requirements needed for larger installations. Obviously you can scale the ELK stack sideways, so it wouldn't be difficult to build out something which performed well. The issue is that burning CPU time can become an expensive proposition.

Nick