Netflow from Graylog / ElasticSearch

As the title states, this could be interesting.

vizay:
I've been doing a lot of work with sflow (which is to a certain extent very similar in behaviour) lately.

It's a very different kind of dataset to store in comparison to what is normally stored in NMS. Would the current setup be able to take that kind of load, or is it more a vision of pulling in already mashed data, only storing, for example, specific graph data and showing it in NMS?

Rosiak:
sFlow support is not merged in Graylog yet, in the pipeline tho'!

I was thinking of storing flow data in Graylog and using it as a data backend, similar to what we do with the syslog data (Syslog -> Graylog), then presenting it in Libre.

We can present the raw flow data in a data table and should be able to make some kind of graphs using vis.js.

Does that make sense?

vizay:
That definitely sounds like a reasonable plan to go ahead with when it comes to integration, since a backend like Elastic or similar is very much needed to handle the huge amount of data coming in from flows (even more in NetFlow compared to sFlow).

However, maybe it's a better approach to look at it as an Elasticsearch integration instead of Graylog specifically, since the Elastic server most likely would be the place where you pull the data in from.
This would also make it possible for people to pull in data from other solutions, like the ELK stack (where I've accidentally just finished an sFlow pipeline consisting of a Python parser and some Logstash filtering) :)

It's deffo worth some research!