Netflow Agent for ECK
This guide complements the Installing Elastic Cloud on Kubernetes (ECK) on k3s guide.
Install netflow-agent

We will add a dedicated Elastic Agent, managed by Fleet, to handle the NetFlow ingest.
- In Kibana, create an agent policy:
  - Management -> Fleet -> Agent policies -> Create agent policy
  - Call it Netflow Agent
  - Uncheck “Collect system logs and metrics”
  - Keep the defaults otherwise
  - When it’s created, click on the 3 dots under Actions for your new policy, and select View policy
  - Note the id (it will be in a GUID format, e.g. a8944404-e5a7-4675-b9e4-e3814e3abebb)
- In Kibana, take note of the enrollment token for the new policy:
  - Management -> Fleet -> Enrollment tokens
  - Find the Default token for your new Agent policy
  - Make note of the token secret (it will be a Base64 string, e.g. RWpJay1aWUJrODlFcWpQLVpWc1M6emEwOEhQZVNUNnVPQXZCSTc2SGRjQQ==)
  - Treat this token as a credential: anyone holding it can enroll an agent into your Fleet under this policy, so keep it out of manifests you commit, and revoke it in the Enrollment tokens view once the agent is enrolled if you will not need it again
- Create a new agent enrolled in the Netflow Agent policy, using the enrollment token noted above
- Add the NetFlow integration to your Netflow Agent policy:
  - Management -> Fleet -> Agent policies -> Netflow Agent -> Add integration
  - Search for “Netflow Records” and click Add NetFlow Records
  - Change the defaults:
    - Listen Address: 0.0.0.0
    - Listen Port: 2055
  - 0.0.0.0 binds every interface of the agent pod, and NetFlow carries no authentication, so anyone who can reach UDP 2055 can inject flow records; restrict the port to your known exporters at the network layer (firewall or NetworkPolicy)
  - Save and continue, applying to the Netflow Agent policy and deploying to the agent
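The steps above (policy, enrollment token, agent, NetFlow integration on UDP 2055) come together in the agent deployment, which the guide does not spell out. The script below is an added example, not the guide's own manifest: it enrolls a plain Kubernetes Deployment of the Elastic Agent image into Fleet with the token from the Enrollment tokens view, keeps the token in a Secret rather than in the Deployment spec, verifies Fleet Server TLS through `FLEET_CA` instead of `FLEET_INSECURE`, and publishes UDP 2055 on the node with a `hostPort`. The namespace `elastic`, the image tag, the Fleet Server URL `fleet-server-agent-http.elastic.svc:8220` and the CA Secret name are assumptions; change them to match the ECK install from the companion guide. (If you prefer ECK's own `Agent` custom resource in `mode: fleet`, the GUID noted earlier is what goes into its `policyID` field and ECK handles enrollment itself.)

```shell
#!/usr/bin/env bash
# Added example (not the page's own manifest): deploy a Fleet-managed Elastic
# Agent for the "Netflow Agent" policy as a plain Deployment, enrolling it
# with the token from the Fleet UI. The namespace, image tag, Fleet Server URL
# and CA Secret name below are assumptions; adjust them for your cluster.
set -eu

NAMESPACE="${NAMESPACE:-elastic}"                                            # assumed
AGENT_IMAGE="${AGENT_IMAGE:-docker.elastic.co/beats/elastic-agent:8.12.2}"   # assumed tag
FLEET_URL="${FLEET_URL:-https://fleet-server-agent-http.elastic.svc:8220}"   # assumed ECK Service
FLEET_CA_SECRET="${FLEET_CA_SECRET:-fleet-server-agent-http-certs-public}"  # assumed ECK cert Secret

# The enrollment token lets any host join your Fleet: keep it in a Secret,
# not inline in the Deployment or in a manifest you commit.
render_token_secret() {  # render_token_secret TOKEN
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: netflow-agent-enrollment
  namespace: ${NAMESPACE}
type: Opaque
stringData:
  token: "$1"
EOF
}

# One agent pod; hostPort publishes UDP/2055 on the node so exporters can
# reach it directly (Traefik only fronts HTTP(S) in a default k3s install).
render_agent_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: netflow-agent
  namespace: ${NAMESPACE}
spec:
  replicas: 1
  selector:
    matchLabels: {app: netflow-agent}
  template:
    metadata:
      labels: {app: netflow-agent}
    spec:
      automountServiceAccountToken: false   # no Kubernetes API access needed for NetFlow
      containers:
      - name: elastic-agent
        image: ${AGENT_IMAGE}
        env:
        - {name: FLEET_ENROLL, value: "1"}
        - {name: FLEET_URL, value: "${FLEET_URL}"}
        - {name: FLEET_CA, value: /mnt/fleet-ca/ca.crt}   # verify Fleet Server TLS, do not use FLEET_INSECURE
        - name: FLEET_ENROLLMENT_TOKEN
          valueFrom:
            secretKeyRef: {name: netflow-agent-enrollment, key: token}
        ports:
        - {name: netflow, containerPort: 2055, hostPort: 2055, protocol: UDP}
        securityContext:
          allowPrivilegeEscalation: false
        volumeMounts:
        - {name: fleet-ca, mountPath: /mnt/fleet-ca, readOnly: true}
      volumes:
      - name: fleet-ca
        secret: {secretName: ${FLEET_CA_SECRET}}
EOF
}

apply_manifests() {  # apply_manifests TOKEN
  render_token_secret "$1" | kubectl apply -f -
  render_agent_deployment | kubectl apply -f -
}

# Usage: ./deploy-netflow-agent.sh "<enrollment token from Fleet UI>"
if [ -n "${1:-}" ]; then
  apply_manifests "$1"
fi
```

After applying, the agent should appear as Healthy under Management -> Fleet -> Agents within a minute or two (`kubectl -n elastic logs deploy/netflow-agent` shows the enrollment if it does not). With a `hostPort`, flows must be sent to the node that runs the pod; on a multi-node cluster pin the Deployment with a `nodeSelector` so the DNS record created in the next step stays correct.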
Set up a DNS entry for your NetFlow endpoint
- Traefik won’t do this for you, since NetFlow is a UDP endpoint: the agent’s UDP 2055 listener has to be published on a node (for example via a hostPort or NodePort), and the DNS record has to point at that node
- Find the IP of the node that will receive the flows (the InternalIP is fine for a k3s host on your LAN; the original `{.items[0].status.addresses}` form also dumps the hostname and any other address types):
  kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}'
- Create a DNS A record and test it resolves
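Before pointing real routers at the new name, it is worth checking that the name resolves and that the listener actually receives and indexes flows. The script below is an added example, not part of the original guide: it hand-builds a single NetFlow v5 packet (the 24-byte header followed by one 48-byte flow record, with made-up 192.0.2.10 -> 198.51.100.20 TCP/443 addresses) and fires it at UDP 2055 of the hostname you pass in, using bash’s `/dev/udp` redirection. The collector hostname is whatever A record you created; `getent` for the DNS check assumes a Linux host. Because the packet is accepted without any authentication, this is also a demonstration of why the port must be reachable only from trusted exporters.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): build one NetFlow v5 packet
# (24-byte header + one 48-byte flow record) and send it to the collector over
# UDP so the ingest path can be checked in Kibana before real exporters exist.
# The addresses in the record are constructed test values.
set -eu

# Print VALUE as printf octal escapes for NBYTES big-endian bytes.
be_bytes() {  # be_bytes VALUE NBYTES
  local v="$1" i=$(($2 - 1))
  while [ "$i" -ge 0 ]; do
    printf '\\%03o' $(( (v >> (8 * i)) & 255 ))
    i=$((i - 1))
  done
}

# Escape string for a NetFlow v5 header plus one flow record.
netflow5_packet() {  # netflow5_packet UNIX_SECS
  local now="$1"
  # --- header (24 bytes) ---
  be_bytes 5 2            # version
  be_bytes 1 2            # count of records in this packet
  be_bytes 60000 4        # sysUptime (ms since exporter boot)
  be_bytes "$now" 4       # unix_secs
  be_bytes 0 4            # unix_nsecs
  be_bytes 0 4            # flow_sequence
  be_bytes 0 1            # engine_type
  be_bytes 0 1            # engine_id
  be_bytes 0 2            # sampling_interval
  # --- one record (48 bytes): 192.0.2.10:40000 -> 198.51.100.20:443, TCP ---
  be_bytes $((192<<24 | 0<<16 | 2<<8 | 10)) 4     # srcaddr
  be_bytes $((198<<24 | 51<<16 | 100<<8 | 20)) 4  # dstaddr
  be_bytes 0 4            # nexthop
  be_bytes 1 2            # input ifindex
  be_bytes 2 2            # output ifindex
  be_bytes 10 4           # dPkts
  be_bytes 1500 4         # dOctets
  be_bytes 50000 4        # first (sysUptime ms)
  be_bytes 59000 4        # last (sysUptime ms)
  be_bytes 40000 2        # srcport
  be_bytes 443 2          # dstport
  be_bytes 0 1            # pad1
  be_bytes 24 1           # tcp_flags (PSH|ACK)
  be_bytes 6 1            # prot (TCP)
  be_bytes 0 1            # tos
  be_bytes 0 2            # src_as
  be_bytes 0 2            # dst_as
  be_bytes 24 1           # src_mask
  be_bytes 24 1           # dst_mask
  be_bytes 0 2            # pad2
}

# Raw packet bytes on stdout (pipe into od to inspect).
netflow5_bytes() { printf "$(netflow5_packet "$1")"; }

# Packet length in bytes; must be 72 for one v5 record.
netflow5_size() { netflow5_bytes "$1" | wc -c | tr -d ' '; }

# Resolve the collector name, then send the packet to UDP/2055 (bash only:
# /dev/udp is a bash feature, and getent assumes a Linux host).
send_test_flow() {  # send_test_flow HOSTNAME [PORT]
  local host="$1" port="${2:-2055}"
  getent hosts "$host" >/dev/null || { echo "DNS lookup failed for $host" >&2; return 1; }
  netflow5_bytes "$(date +%s)" > "/dev/udp/$host/$port"
  echo "sent 1 NetFlow v5 record to $host:$port/udp"
}

# Usage: ./netflow-test.sh netflow.example.internal [2055]
if [ -n "${1:-}" ]; then
  send_test_flow "$@"
fi
```

After sending, search Discover for `event.dataset : netflow.log` (the data stream the NetFlow Records integration writes to) and you should see one document with `source.ip` 192.0.2.10 and `destination.port` 443. If nothing arrives, the usual culprits are the DNS name pointing at a node other than the one running the agent pod, or a host firewall dropping UDP 2055; note that the receiving side has no way to tell this synthetic record from a real one, which is the reason to filter the port by source.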
Configure Netflow Sources
Each exporter is configured on its own, pointing it at the DNS name and UDP port 2055 from the previous step. For a MikroTik router, see the Mikrotik Tutorial.