• Install netflow-agent

  • We will add an agent to manage the netflow ingest

  • In Kibana, create an agent policy

    • Management -> Fleet -> Agent policies -> Create agent policy

    • Call it Netflow Agent

    • Uncheck “Collect system logs and metrics”

    • Keep the defaults otherwise

    • When it’s created, click on the 3 dots under Actions for your new policy, and select View policy

      • Note the id (it will be in a GUID format, e.g. a8944404-e5a7-4675-b9e4-e3814e3abebb)

  • In Kibana, take note of the enrollment token for the new policy:

    • Management -> Fleet -> Enrollment tokens

    • Find the Default token for your new Agent policy

    • Make note of the token secret (it will be a Base64 string, e.g. RWpJay1aWUJrODlFcWpQLVpWc1M6emEwOEhQZVNUNnVPQXZCSTc2SGRjQQ==)

  • Create a new agent with the agent policy and enrollment token

  • Add the Netflow integration to your Netflow Agent policy

    • Management -> Fleet -> Agent policies -> Netflow Agent -> Add integration

    • Search for “Netflow Records” and click Add NetFlow Records

    • Change the defaults:

      • Listen Address: 0.0.0.0

      • Listen Port: 2055

    • Save and continue, applying to the Netflow Agent policy and deploying to the agent.

  • Set up a DNS entry for your Netflow endpoint

    • Traefik won’t do this for you, since Netflow is a UDP endpoint

    • Find your cluster IP address:

        kubectl get nodes -o jsonpath='{.items[0].status.addresses}'

    • Create a DNS A record and test it resolves

  • Configure Netflow Sources

This will be on a source-by-source basis. An example from Mikrotik: Mikrotik Tutorial
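As an added example (not part of this tutorial), the script below builds a synthetic NetFlow v5 export packet and sends it to the listen address and port configured above, so you can confirm the NetFlow Records integration is actually receiving data before pointing real routers at it. The collector host name and the flow values are constructed placeholders; `parse_v5_packet` is included so the packet can be checked offline before anything is sent.

```python
import socket
import struct
import time

# NetFlow v5 wire format: 24-byte header followed by 48-byte flow records (network byte order).
NETFLOW_V5_HEADER = "!HHIIIIBBH"
NETFLOW_V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"

def build_v5_packet(flows, seq=0):
    """Build one NetFlow v5 packet from a list of flow dicts (src, dst, sport, dport, proto, packets, bytes)."""
    now = time.time()
    secs, nsecs = int(now), int((now - int(now)) * 1e9)
    header = struct.pack(NETFLOW_V5_HEADER, 5, len(flows), 1000, secs, nsecs, seq, 0, 0, 0)
    records = b""
    for f in flows:
        records += struct.pack(
            NETFLOW_V5_RECORD,
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton("0.0.0.0"),
            0, 0,                                   # input / output SNMP ifIndex
            f["packets"], f["bytes"], 0, 1000,      # dPkts, dOctets, first, last (sysUptime ms)
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,  # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                          # src_as, dst_as, src_mask, dst_mask, pad2
    return header + records

def parse_v5_packet(data):
    """Parse a v5 packet back into (header dict, flow list); rejects wrong versions and truncated payloads."""
    hsize = struct.calcsize(NETFLOW_V5_HEADER)
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = struct.unpack(
        NETFLOW_V5_HEADER, data[:hsize])
    if version != 5:
        raise ValueError("not a NetFlow v5 packet: version=%d" % version)
    rsize = struct.calcsize(NETFLOW_V5_RECORD)
    if len(data) != hsize + count * rsize:
        raise ValueError("length mismatch: header announces %d records" % count)
    flows = []
    for i in range(count):
        r = struct.unpack(NETFLOW_V5_RECORD, data[hsize + i * rsize: hsize + (i + 1) * rsize])
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return {"version": version, "count": count, "sequence": seq}, flows

def send_test_flows(collector_host, flows, port=2055):
    """Send one packet to the collector (the DNS name created above); returns bytes sent."""
    packet = build_v5_packet(flows)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(packet, (collector_host, port))

if __name__ == "__main__":
    # Constructed sample flows and a placeholder collector name; replace with your own DNS A record.
    sample = [{"src": "10.0.0.5", "dst": "10.0.0.10", "sport": 51515, "dport": 443, "proto": 6,
               "packets": 12, "bytes": 3400, "tcp_flags": 0x18}]
    print("sent %d bytes" % send_test_flows("netflow.example.internal", sample))
```

After running it, search Kibana for the source and destination addresses you used; if nothing arrives, check that UDP/2055 reaches the node the agent runs on.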
