The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

NetFlow is a network protocol that collects and monitors IP traffic flow data, providing insights into network usage, security threats, and performance. It helps analyze traffic patterns, detect anomalies, and troubleshoot network issues by capturing details such as source/destination IPs, ports, protocols, and bandwidth usage.

Requirement(s)

  • NetFlowV5, NetFlowV9, IPFIX

  • Graylog Enterprise version 6.0.1+

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:NetFlow Messages”

Hint: If this stream does not exist before the pack is activated, it will be created, and the pack's processing will route NetFlow messages to it and to the associated index set. No stream rules should be configured on this stream; routing is handled by the pack's pipeline rules.

Index Set Configuration

This technology pack includes one index set definition:

  • “NetFlow Messages”

Hint: If this index set is already defined, it is left unchanged. If it does not exist, it will be created with daily index rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

This pack uses the Graylog NetFlow input, which ingests NetFlow v5, NetFlow v9, and IPFIX records and emits one message per flow in the summary form shown below.

Log Format Example

NetFlowV5 [192.168.81.254]:67 <> [192.168.81.134]:68 proto:17 pkts:1 bytes:328

What is Provided

  • Rules to normalize and enrich NetFlow log messages.

NetFlow Log Message Processing

The Illuminate processing of NetFlow log messages provides the following:

  • Field extraction, normalization, and message enrichment for NetFlow log messages.
  • GIM Categorization of the following messages:
    NetFlow Logtype   GIM Category   GIM Subcategory
    filter            network        network.flow
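The following Python script is an added example, not code from the Illuminate pack, showing what the "field extraction, normalization, and message enrichment" above amounts to for the flow summary line given under Log Format Example: it parses the summary into typed fields, maps the IANA protocol number to a transport name, rejects malformed lines (bad addresses, out-of-range ports) rather than indexing garbage, attaches the GIM category and subcategory from the table above, and aggregates bytes per destination the way a flow dashboard would. The field names (source_ip, network_transport, network_bytes, gim_event_category, and so on) are assumed GIM-style names chosen for this example, not a statement of which fields the pack actually sets, and all sample lines other than the first are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample input. The first line is the page's own "Log Format Example";
# the others are made up here to exercise IPv6, TCP, an invalid address and junk.
SAMPLE_LINES = [
    "NetFlowV5 [192.168.81.254]:67 <> [192.168.81.134]:68 proto:17 pkts:1 bytes:328",
    "NetFlowV9 [10.0.0.5]:51234 <> [93.184.216.34]:443 proto:6 pkts:12 bytes:9876",
    "NetFlowV9 [10.0.0.7]:40001 <> [93.184.216.34]:443 proto:6 pkts:4 bytes:1200",
    "IPFIX [2001:db8::1]:0 <> [2001:db8::2]:0 proto:58 pkts:3 bytes:312",
    "NetFlowV5 [999.1.1.1]:1 <> [10.0.0.1]:1 proto:6 pkts:1 bytes:1",
    "not a flow summary at all",
]

# Shape of the NetFlow input's summary line: "<version> [src]:port <> [dst]:port proto:N pkts:N bytes:N"
FLOW_RE = re.compile(
    r"^(?P<flow_type>NetFlowV5|NetFlowV9|IPFIX)\s+"
    r"\[(?P<src_ip>[^\]]+)\]:(?P<src_port>\d+)\s+<>\s+"
    r"\[(?P<dst_ip>[^\]]+)\]:(?P<dst_port>\d+)\s+"
    r"proto:(?P<proto>\d+)\s+pkts:(?P<pkts>\d+)\s+bytes:(?P<bytes>\d+)$"
)

# IANA protocol numbers -> transport names for the normalized field.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}


def parse_flow_line(line):
    """Return a dict of normalized fields for one summary line, or None if the
    line is not a well-formed flow summary. Field names are assumed GIM-style
    names for this example, not taken from the Illuminate pack itself."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ip_address(m["src_ip"])
        dst = ip_address(m["dst_ip"])
    except ValueError:
        return None  # bracketed text that is not a valid IPv4/IPv6 address
    src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        return None
    proto = int(m["proto"])
    return {
        "netflow_version": m["flow_type"],
        "source_ip": str(src),
        "source_port": src_port,
        "destination_ip": str(dst),
        "destination_port": dst_port,
        "network_ip_version": src.version,
        "network_transport": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "network_packets": int(m["pkts"]),
        "network_bytes": int(m["bytes"]),
        # Categorization from the page's table: logtype "filter" -> network / network.flow
        "netflow_logtype": "filter",
        "gim_event_category": "network",
        "gim_event_subcategory": "network.flow",
    }


def bytes_by_destination(lines):
    """Sum bytes per destination IP across parsed lines, skipping unparsable ones."""
    totals = defaultdict(int)
    for line in lines:
        fields = parse_flow_line(line)
        if fields:
            totals[fields["destination_ip"]] += fields["network_bytes"]
    return dict(totals)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_flow_line(line))
    print(bytes_by_destination(SAMPLE_LINES))
```

Rejecting a line with an invalid address or port, instead of indexing it with partially filled fields, is the same discipline a production pipeline rule should follow: downstream dashboards and detections assume that source_ip and destination_ip are real addresses, and a permissive parser silently pollutes them.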

NetFlow Overview Spotlight

The Illuminate Core Network Overview spotlight can be used to view NetFlow data.