Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Netflow dashboards based on Logstash Netflow #12857

Merged
merged 4 commits into from
Jul 13, 2019
Merged

Add Netflow dashboards based on Logstash Netflow #12857

merged 4 commits into from
Jul 13, 2019

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Jul 11, 2019
edited
Loading

Convert Logstash dashboards to work on Filebeat netflow data.

Changes

  • Change all UUIDs to not conflict with Logstash dashboards.
  • Rename fields used in dashboards.
	// These fields don't exist in the same capacity in ECS so just use destination.
	"geoip.autonomous_system": "destination.as.organization.name",
	"geoip.city_name":         "destination.geo.city_name",
	"geoip.country_name":      "destination.geo.country_name",
	"geoip.location":          "destination.geo.location",

	"geoip_dst.autonomous_system": "destination.as.organization.name",
	"geoip_src.autonomous_system": "source.as.organization.name",
	"host":                        "agent.hostname",
	"netflow.bytes":               "network.bytes",
	"netflow.direction":           "network.direction",
	"netflow.dst_addr":            "destination.ip",
	"netflow.dst_port_name":       "destination.port",
	"netflow.flow_locality":       "flow.locality",
	"netflow.input_snmp":          "netflow.ingress_interface",
	"netflow.ip_version":          "network.type",
	"netflow.last_switched":       "event.end",
	"netflow.output_snmp":         "netflow.egress_interface",
	"netflow.packets":             "network.packets",
	"netflow.protocol_name":       "network.transport",
	"netflow.src_addr":            "source.ip",
	"netflow.src_port_name":       "source.port",
	"netflow.tcp_flags_label":     "netflow.tcp_control_bits",
	"netflow.tos":                 "netflow.ip_class_of_service",
	"netflow.version":             "netflow.exporter.version",
	"netflow.vlan":                "netflow.vlan_id",
  • Change index pattern from netflow-* to filebeat-*
  • Add "input.type: netflow" filter. Uses can remove this to view other
    flow data in dashboards (this mostly works fine b/c of ECS).
  • Prepend [Filebeat Netflow] to dashboards. And append [Filebeat Netflow] to visualizations.
  • Update netflow pipeline to enrich flows with ASN info.

overview
conv-partners
traffic-analysis
top-n
geo
raw-flows
flow-exporters

@andrewkroh andrewkroh requested review from a team as code owners July 11, 2019 05:25
@andrewkroh
Add Netflow dashboards based on Logstash Netflow
bd4a644 
Convert Logstash dashboards to work on Filebeat netflow data.

Changes

- Change all UUIDs to not conflict with Logstash dashboards.
- Rename fields used in dashboards.
```
	// These fields don't exist in the same capacity in ECS so just destination.
	"geoip.autonomous_system": "destination.as.organization.name",
	"geoip.city_name":         "destination.geo.city_name",
	"geoip.country_name":      "destination.geo.country_name",
	"geoip.location":          "destination.geo.location",

	"geoip_dst.autonomous_system": "destination.as.organization.name",
	"geoip_src.autonomous_system": "source.as.organization.name",
	"host":                        "agent.hostname",
	"netflow.bytes":               "network.bytes",
	"netflow.direction":           "network.direction",
	"netflow.dst_addr":            "destination.ip",
	"netflow.dst_port_name":       "destination.port",
	"netflow.flow_locality":       "flow.locality",
	"netflow.input_snmp":          "netflow.ingress_interface",
	"netflow.ip_version":          "network.type",
	"netflow.last_switched":       "event.end",
	"netflow.output_snmp":         "netflow.egress_interface",
	"netflow.packets":             "network.packets",
	"netflow.protocol_name":       "network.transport",
	"netflow.src_addr":            "source.ip",
	"netflow.src_port_name":       "source.port",
	"netflow.tcp_flags_label":     "netflow.tcp_control_bits",
	"netflow.tos":                 "netflow.ip_class_of_service",
	"netflow.version":             "netflow.exporter.version",
	"netflow.vlan":                "netflow.vlan_id",
```

- Change index pattern from netflow-* to filebeat-*
- Add "input.type: netflow" filter. Uses can remove this to view other
  flow data in dashboards (this mostly works fine b/c of ECS).
- Prepend [Filebeat] to dashboards. And append [Filebeat] to visualizations.
- Update netflow pipeline to enrich flows with ASN info.
@andrewkroh andrewkroh force-pushed the feature/fb/filebeat-netflow-dashboards branch from af7d8fc to bd4a644 Compare July 11, 2019 05:26
@andrewkroh andrewkroh requested a review from jsoriano July 11, 2019 20:38
@andrewkroh andrewkroh merged commit b70c8c2 into elastic:master Jul 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsoriano jsoriano jsoriano approved these changes

Assignees
No one assigned
Labels
enhancement Filebeat Filebeat review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andrewkroh @jsoriano