Spiffy Netflow tools?
nick at foobar.org
Tue Mar 27 11:22:28 UTC 2018
> +1 ElastiFlow, the templates are great, a great quickstart to using
> netflow on elk stack.
out of curiosity, I set up a test ElastiFlow installation on a small
site recently. It's completely gorgeous from an eye candy point of view
and it's pretty easy to see how you could tap into the ELK APIs to do
interesting data mangling.
On the down-side, it used ~40x the amount of disk space that nfsen used
for the same accounting period, and even though it was only handling
less than 1G traffic at a NF sample rate of 1:10, logstash and
elastisearch managed to peg between 4-6 cores on the server which was
handling it. Granted, these were only E5606 (2011-era Westmere Xeon)
cpus, but even still there was an alarming mismatch between the amount
of compute power required compared to the amount of netflow traffic
being handled. It would be interesting to hear the sort of cpu
requirements needed for larger installations. Obviously you can scale
elkstack sideways, so it wouldn't be difficult to build out something
which performed well. The issue is that burning cpu time can become an
More information about the NANOG