NetFlow Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

NetFlow is a network protocol that collects and monitors IP traffic flow data, providing insights into network usage, security threats, and performance. It helps analyze traffic patterns, detect anomalies, and troubleshoot network issues by capturing details such as source/destination IPs, ports, protocols, and bandwidth usage.

Supported Versions

  • NetFlow v5

  • NetFlow v9

  • IPFIX

Requirements

  • Graylog Enterprise version 6.0.1+

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:NetFlow Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and messages will be routed to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "NetFlow Logs"

Hint: If this index set is already defined, nothing will be changed. If it does not exist, it will be created with daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

NetFlowV5 [192.168.81.254]:67 <> [192.168.81.134]:68 proto:17 pkts:1 bytes:328

{"_destinationTransportPort":53,"_gl2_receive_timestamp":"2025-07-22 10:36:44.649","_sourceIPv4Address":"192.168.40.222","_ipClassOfService":0,"_gl2_processing_timestamp":"2025-07-22 10:36:44.670","_samplerId":1,"_egressInterface":0,"_octetDeltaCount":86,"_sourceTransportPort":33859,"_flowEndMilliseconds":"2025-07-22T10:30:48.527Z","_gl2_processing_duration_ms":21,"_destinationIPv4Address":"8.8.8.8","_tcpControlBits":0,"message":"Ipfix [192.168.40.222]:33859 <> [8.8.8.8]:53 proto:17 pkts:1 bytes:86","_ingressInterface":0,"_packetDeltaCount":1,"_ipVersion":4,"_flowDirection":0,"_protocolIdentifier":17,"_flowStartMilliseconds":"2025-07-22T10:30:48.514Z","host":"graylog","level":6,"version":"1.1","_replayed_log":"true"}

{"_destinationTransportPort":80,"_gl2_receive_timestamp":"2025-07-22 10:36:44.649","_sourceIPv4Address":"192.168.40.222","_ipClassOfService":0,"_gl2_processing_timestamp":"2025-07-22 10:36:44.686","_samplerId":1,"_egressInterface":0,"_octetDeltaCount":356,"_sourceTransportPort":35196,"_flowEndMilliseconds":"2025-07-22T10:31:24.921Z","_gl2_processing_duration_ms":37,"_destinationIPv4Address":"185.125.190.49","_tcpControlBits":27,"message":"Ipfix [192.168.40.222]:35196 <> [185.125.190.49]:80 proto:6 pkts:5 bytes:356","_ingressInterface":0,"_packetDeltaCount":5,"_ipVersion":4,"_flowDirection":0,"_protocolIdentifier":6,"_flowStartMilliseconds":"2025-07-22T10:31:24.519Z","host":"graylog","level":6,"version":"1.1","_replayed_log":"true"}

{"_destinationTransportPort":59236,"_gl2_receive_timestamp":"2025-07-22 10:34:44.594","_sourceIPv4Address":"91.189.91.49","_ipClassOfService":0,"_gl2_processing_timestamp":"2025-07-22 10:34:44.610","_samplerId":1,"_egressInterface":0,"_octetDeltaCount":405,"_sourceTransportPort":80,"_flowEndMilliseconds":"2025-07-22T10:16:25.342Z","_gl2_processing_duration_ms":16,"_destinationIPv4Address":"192.168.40.222","_tcpControlBits":27,"message":"Ipfix [91.189.91.49]:80 <> [192.168.40.222]:59236 proto:6 pkts:4 bytes:405","_ingressInterface":0,"_packetDeltaCount":4,"_ipVersion":4,"_flowDirection":0,"_protocolIdentifier":6,"_flowStartMilliseconds":"2025-07-22T10:16:24.513Z","host":"graylog","level":6,"version":"1.1","_replayed_log":"true"}
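The records above carry the flow as both a human-readable summary in the message field and as structured IPFIX fields (protocolIdentifier, tcpControlBits, packet and octet counts, start and end times). The following Python is an added example, not code from Graylog or the content pack: it parses the three sample records shown above (abridged to the fields it uses), decodes the protocol number and the TCP flag bits, cross-checks the message summary against the structured fields, and totals bytes exchanged with each non-private peer. The field names, values and message layout are the page's own; the protocol-number and TCP-flag mappings are the standard IANA/RFC values.

```python
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime

# Three IPFIX records abridged from the page's Log Format Example: only the
# fields used below are kept; the values are the page's own.
SAMPLE_RECORDS = [
    '{"_sourceIPv4Address":"192.168.40.222","_sourceTransportPort":33859,'
    '"_destinationIPv4Address":"8.8.8.8","_destinationTransportPort":53,'
    '"_protocolIdentifier":17,"_tcpControlBits":0,"_packetDeltaCount":1,'
    '"_octetDeltaCount":86,"_flowStartMilliseconds":"2025-07-22T10:30:48.514Z",'
    '"_flowEndMilliseconds":"2025-07-22T10:30:48.527Z","message":'
    '"Ipfix [192.168.40.222]:33859 <> [8.8.8.8]:53 proto:17 pkts:1 bytes:86"}',
    '{"_sourceIPv4Address":"192.168.40.222","_sourceTransportPort":35196,'
    '"_destinationIPv4Address":"185.125.190.49","_destinationTransportPort":80,'
    '"_protocolIdentifier":6,"_tcpControlBits":27,"_packetDeltaCount":5,'
    '"_octetDeltaCount":356,"_flowStartMilliseconds":"2025-07-22T10:31:24.519Z",'
    '"_flowEndMilliseconds":"2025-07-22T10:31:24.921Z","message":'
    '"Ipfix [192.168.40.222]:35196 <> [185.125.190.49]:80 proto:6 pkts:5 bytes:356"}',
    '{"_sourceIPv4Address":"91.189.91.49","_sourceTransportPort":80,'
    '"_destinationIPv4Address":"192.168.40.222","_destinationTransportPort":59236,'
    '"_protocolIdentifier":6,"_tcpControlBits":27,"_packetDeltaCount":4,'
    '"_octetDeltaCount":405,"_flowStartMilliseconds":"2025-07-22T10:16:24.513Z",'
    '"_flowEndMilliseconds":"2025-07-22T10:16:25.342Z","message":'
    '"Ipfix [91.189.91.49]:80 <> [192.168.40.222]:59236 proto:6 pkts:4 bytes:405"}',
]

PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Low byte of IPFIX tcpControlBits (information element 6) = TCP header flags.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]
# Shape of the summary: "<kind> [src]:port <> [dst]:port proto:N pkts:N bytes:N"
SUMMARY_RE = re.compile(
    r"^(?P<kind>\w+) \[(?P<src>[^\]]+)\]:(?P<sport>\d+) <> \[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
    r" proto:(?P<proto>\d+) pkts:(?P<pkts>\d+) bytes:(?P<bytes>\d+)$")


def decode_tcp_flags(bits: int) -> list[str]:
    """Expand a tcpControlBits value into flag names, lowest bit first."""
    return [name for mask, name in TCP_FLAG_BITS if bits & mask]


def parse_summary(message: str) -> dict:
    """Parse the human-readable summary carried in the 'message' field."""
    m = SUMMARY_RE.match(message)
    if m is None:
        raise ValueError(f"unrecognised flow summary: {message!r}")
    d = m.groupdict()
    return {"kind": d["kind"], "src": (d["src"], int(d["sport"])),
            "dst": (d["dst"], int(d["dport"])), "proto": int(d["proto"]),
            "packets": int(d["pkts"]), "bytes": int(d["bytes"])}


def _ms_between(start: str, end: str) -> int:
    # Flow timestamps are ISO 8601 with a trailing Z (UTC).
    t0 = datetime.fromisoformat(start.replace("Z", "+00:00"))
    t1 = datetime.fromisoformat(end.replace("Z", "+00:00"))
    return round((t1 - t0).total_seconds() * 1000)


def parse_record(line: str) -> dict:
    """Turn one JSON flow record into a compact, typed flow description."""
    rec = json.loads(line)
    proto = rec["_protocolIdentifier"]
    flow = {
        "src": (rec["_sourceIPv4Address"], rec["_sourceTransportPort"]),
        "dst": (rec["_destinationIPv4Address"], rec["_destinationTransportPort"]),
        "proto": PROTOCOL_NAMES.get(proto, str(proto)),
        "flags": decode_tcp_flags(rec["_tcpControlBits"]) if proto == 6 else [],
        "packets": rec["_packetDeltaCount"],
        "bytes": rec["_octetDeltaCount"],
        "duration_ms": _ms_between(rec["_flowStartMilliseconds"], rec["_flowEndMilliseconds"]),
    }
    # The summary string must agree with the structured fields; a mismatch
    # points at a parsing or enrichment fault upstream, not at the network.
    s = parse_summary(rec["message"])
    if (s["src"], s["dst"], s["packets"], s["bytes"]) != (flow["src"], flow["dst"], flow["packets"], flow["bytes"]):
        raise ValueError(f"summary disagrees with structured fields: {rec['message']!r}")
    return flow


def external_peers(flows: list[dict]) -> dict:
    """Bytes per (external address, external port, protocol).

    Flows are exported for both directions, so whichever side is not a
    private (RFC 1918) address is taken as the remote peer.
    """
    totals = defaultdict(int)
    for f in flows:
        for ip, port in (f["src"], f["dst"]):
            if not ipaddress.ip_address(ip).is_private:
                totals[(ip, port, f["proto"])] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    parsed = [parse_record(r) for r in SAMPLE_RECORDS]
    for f in parsed:
        print(f)
    print(external_peers(parsed))
```

On the three sample records this yields a 13 ms UDP flow to 8.8.8.8:53 and two TCP flows with FIN, SYN, PSH and ACK set (tcpControlBits 27), i.e. complete short-lived connections on port 80, with 356 and 405 bytes respectively. The cross-check in parse_record is the part worth keeping in a pipeline test: the summary and the structured fields come from the same decoder, so any divergence between them means the input or the enrichment rules changed behaviour.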

What is Provided

  • Rules to normalize and enrich NetFlow log messages.

  • Graylog Information Model categorization and enforcement fields for flow record and network connection events.

Log Collection

The NetFlow content pack uses the Graylog NetFlow input, which ingests logs from multiple NetFlow product types in JSON format.

The IPFIX UDP input can be configured in Graylog to receive flow data from a Linux-based exporter using PMACCT with NFPROBE support.

Configuring an IPFIX Input

For Graylog to receive IPFIX data, you must prepare the Linux source and configure the input:

  1. Install PMACCT and NFPROBE on the Linux system. Verify installation and plugin support using: pmacctd -V

  2. Create /etc/pmacct/pmacctd.conf and specify:

    1. Interface: The network interface to monitor.

    2. Exporter IP: IP address of the Linux source.

    3. Collector Address: Graylog server IP.

    4. Port Number: Standard IPFIX port (4739).

    5. Format: IPFIX.

  3. Start the exporter using: sudo /usr/local/sbin/pmacctd -f /etc/pmacct/pmacctd.conf

  4. Launch an IPFIX UDP input in Graylog and configure:

    1. Bind Address: IP address of the Graylog node.

    2. Port: Use standard port 4739.

    3. Recv Buffer Size: Adjust as needed based on expected flow volume.

  5. Generate network events from the Linux system and confirm that Graylog's IPFIX input is receiving messages.

  6. Inspect the exported fields to ensure completeness and accuracy.
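As an added example (not part of the content pack or of the pmacct project's own documentation), a minimal /etc/pmacct/pmacctd.conf covering steps 2.1 to 2.5 might look as follows. The interface name eth0 and the addresses 192.0.2.10 (Graylog node) and 192.0.2.20 (Linux exporter) are placeholders to replace with your own; the option names are pmacct's.

```conf
! Added example pmacctd.conf for exporting IPFIX to Graylog.
! Run in the foreground while testing; set to true once it works.
daemonize: false
! Step 2.1 - interface to capture on (placeholder: eth0)
pcap_interface: eth0
! The nfprobe plugin turns captured packets into flow exports
plugins: nfprobe
! Step 2.2 - exporter IP written into the export packets (placeholder)
nfprobe_source_ip: 192.0.2.20
! Steps 2.3 and 2.4 - Graylog node (placeholder) and the standard IPFIX port
nfprobe_receiver: 192.0.2.10:4739
! Step 2.5 - export format: 10 = IPFIX (9 = NetFlow v9, 5 = NetFlow v5)
nfprobe_version: 10
! Flow key: the 5-tuple plus ToS, which is what the sample records above carry
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
```

Start the exporter with the command from step 3. If the Graylog input stays empty, check on the Graylog node that UDP 4739 actually arrives (for example with tcpdump -ni <interface> udp port 4739); a host firewall dropping the port, or a Bind Address on the input that does not match the address in nfprobe_receiver, are the usual causes.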

GIM Categorization

GIM categorization is provided for the following NetFlow log types:

NetFlow Logtype    gim_event_type_code   GIM Category   GIM Subcategory              gim_event_type
All flow records   120500                network        network.flow                 flow record
All flow records   120000                network        network.network connection   network connection

NetFlow Overview Spotlight

The Illuminate Core Network Overview spotlight can be used to view NetFlow data.