The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

NetFlow is a network protocol that collects and monitors IP traffic flow data, providing insights into network usage, security threats, and performance. It helps analyze traffic patterns, detect anomalies, and troubleshoot network issues by capturing details such as source/destination IPs, ports, protocols, and bandwidth usage.

Requirements

  • NetFlowV5, NetFlowV9, IPFIX

  • Graylog Enterprise version 6.0.1+

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:NetFlow Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "NetFlow Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

NetFlowV5 [192.168.81.254]:67 <> [192.168.81.134]:68 proto:17 pkts:1 bytes:328

{"_destinationTransportPort":53,"_gl2_receive_timestamp":"2025-07-22 10:36:44.649","_sourceIPv4Address":"192.168.40.222","_ipClassOfService":0,"_gl2_processing_timestamp":"2025-07-22 10:36:44.670","_samplerId":1,"_egressInterface":0,"_octetDeltaCount":86,"_sourceTransportPort":33859,"_flowEndMilliseconds":"2025-07-22T10:30:48.527Z","_gl2_processing_duration_ms":21,"_destinationIPv4Address":"8.8.8.8","_tcpControlBits":0,"message":"Ipfix [192.168.40.222]:33859 <> [8.8.8.8]:53 proto:17 pkts:1 bytes:86","_ingressInterface":0,"_packetDeltaCount":1,"_ipVersion":4,"_flowDirection":0,"_protocolIdentifier":17,"_flowStartMilliseconds":"2025-07-22T10:30:48.514Z","host":"graylog","level":6,"version":"1.1","_replayed_log":"true"}

{"_destinationTransportPort":80,"_gl2_receive_timestamp":"2025-07-22 10:36:44.649","_sourceIPv4Address":"192.168.40.222","_ipClassOfService":0,"_gl2_processing_timestamp":"2025-07-22 10:36:44.686","_samplerId":1,"_egressInterface":0,"_octetDeltaCount":356,"_sourceTransportPort":35196,"_flowEndMilliseconds":"2025-07-22T10:31:24.921Z","_gl2_processing_duration_ms":37,"_destinationIPv4Address":"185.125.190.49","_tcpControlBits":27,"message":"Ipfix [192.168.40.222]:35196 <> [185.125.190.49]:80 proto:6 pkts:5 bytes:356","_ingressInterface":0,"_packetDeltaCount":5,"_ipVersion":4,"_flowDirection":0,"_protocolIdentifier":6,"_flowStartMilliseconds":"2025-07-22T10:31:24.519Z","host":"graylog","level":6,"version":"1.1","_replayed_log":"true"}

{"_destinationTransportPort":59236,"_gl2_receive_timestamp":"2025-07-22 10:34:44.594","_sourceIPv4Address":"91.189.91.49","_ipClassOfService":0,"_gl2_processing_timestamp":"2025-07-22 10:34:44.610","_samplerId":1,"_egressInterface":0,"_octetDeltaCount":405,"_sourceTransportPort":80,"_flowEndMilliseconds":"2025-07-22T10:16:25.342Z","_gl2_processing_duration_ms":16,"_destinationIPv4Address":"192.168.40.222","_tcpControlBits":27,"message":"Ipfix [91.189.91.49]:80 <> [192.168.40.222]:59236 proto:6 pkts:4 bytes:405","_ingressInterface":0,"_packetDeltaCount":4,"_ipVersion":4,"_flowDirection":0,"_protocolIdentifier":6,"_flowStartMilliseconds":"2025-07-22T10:16:24.513Z","host":"graylog","level":6,"version":"1.1","_replayed_log":"true"}

What is Provided

  • Rules to normalize and enrich NetFlow log messages

Log Collection

NetFlow utilizies the NetFlow input that ingests multiple NetFlow product type logs in JSON format.

Configuring a IPFIX Input

For Graylog to receive IPFIX data, you must prepare the Linux source and configure the input:

  1. Install PMACCT and NFPROBE on the Linux system. Verify installation and plugin support using: pmacctd -V

  2. Create /etc/pmacct/pmacctd.conf and specify:

    • Interface: The network interface to monitor.

    • Exporter IP: IP address of the Linux source.

    • Collector Address: Graylog server IP address.

    • Port Number: Standard IPFIX port (4739).

    • Format: IPFIX.

  3. Start the exporter using: sudo /usr/local/sbin/pmacctd -f /etc/pmacct/pmacctd.conf

  4. Launch an IPFIX UDP input in Graylog and configure:

    • Bind Address: IP address of the Graylog node.

    • Port: Use standard port 4739.

    • Recv Buffer Size: Adjust as needed based on expected flow volume.

  5. Generate network events from the Linux system and confirm that Graylog’s IPFIX input is receiving messages.

NetFlow Log Message Processing

The Illuminate processing of NetFlow log messages provides the following:

NetFlow Logtype GIM Category GIM Subcategory
filter network network.flow

NetFlow Overview Spotlight

The Illuminate Core Network Overview spotlight can be used to view NetFlow data.