Service Provider NetFlow Collectors

Nick Peelman npeelman at ETC1.net
Thu Jan 3 03:37:59 UTC 2019


We rolled a large(ish) ElasticSearch cluster last year out of SuperMicro Microclouds (3U, 8 nodes per chassis, Xeon-D based processors), mostly 32GB of RAM per node, and M.2 PCIe SSDs as well as HDD storage.  ES is a finicky beast to maintain. It can handle a node completely dying or disappearing from the network, but not when one runs out of space (at least not gracefully).  Maintaining retention and rotation is tedious at best (yay curator).  We’re dumping a boatload of log data there, as well as Flow data using Elastiflow, which provides the necessary collector bits as well as all the pretty Kibana graphs and stuff.  Probably overbuilt, but I can pretty much keep whatever logs we want in perpetuity, we have plenty of headroom, and searching is incredibly fast.

ELK is an awesome set of tools, but be warned, there be dragons.  Admin’ing even a small cluster can be time consuming and frustrating, and requires a pretty stout linux and server background, or at least some really good troubleshooting skills and an ability to turn to the code when the docs fall short.  Doing a larger cluster could easily be a full time job.  Still, all in all, I’m happy with the cost of ours, including my time building it and continued time maintaining it, compared to what the yearly outlay was going to be for Kentik.

-nick
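The retention problem described above (a node that fills up is the failure mode ES does not survive gracefully, and curator is what trims the oldest daily indices) is easy to get wrong by hand. The following is an added example, not code from this thread, Elastiflow or curator: a dry-run planner that picks the oldest daily Elastiflow indices to drop until flow data fits a disk budget, while refusing to touch the most recent days. The `elastiflow-<version>-YYYY.MM.DD` index naming, the sizes and the dates are all constructed assumptions.

```python
"""Plan which daily Elastiflow indices to delete so flow data stays under a disk
budget, oldest first, without ever deleting the most recent days (the same
age/space logic curator applies, here as a side-effect-free dry run)."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Assumed naming: elastiflow-<optional version>-YYYY.MM.DD (constructed).
INDEX_RE = re.compile(r"^elastiflow-(?:[\d.]+-)?(\d{4})\.(\d{2})\.(\d{2})$")
GB = 1024 ** 3
TODAY = date(2019, 1, 3)  # constructed "now" for the sample below


@dataclass
class Index:
    name: str
    size_bytes: int  # what _cat/indices would report as store.size


def index_date(name):
    """Date encoded in a daily index name, or None for non-flow indices."""
    m = INDEX_RE.match(name)
    return date(*map(int, m.groups())) if m else None


def plan_deletions(indices, budget_bytes, min_keep_days, today=TODAY):
    """Return (names_to_delete, remaining_bytes). Deletes oldest first until the
    flow indices fit budget_bytes; indices younger than min_keep_days are never
    deleted, so remaining_bytes > budget_bytes means 'alert, do not delete'."""
    flow = [(index_date(i.name), i) for i in indices]
    flow = sorted(((d, i) for d, i in flow if d is not None), key=lambda t: t[0])
    total = sum(i.size_bytes for _, i in flow)
    cutoff = today - timedelta(days=min_keep_days)
    doomed = []
    for d, i in flow:
        if total <= budget_bytes or d >= cutoff:
            break  # under budget, or only protected recent days remain
        doomed.append(i.name)
        total -= i.size_bytes
    return doomed, total


# Constructed sample: six days of flows plus an unrelated log index to ignore.
SAMPLE = [
    Index("elastiflow-3.5.0-2018.12.28", 40 * GB),
    Index("elastiflow-3.5.0-2018.12.29", 45 * GB),
    Index("elastiflow-3.5.0-2018.12.30", 50 * GB),
    Index("elastiflow-3.5.0-2018.12.31", 55 * GB),
    Index("elastiflow-3.5.0-2019.01.01", 60 * GB),
    Index("elastiflow-3.5.0-2019.01.02", 65 * GB),
    Index("logstash-2019.01.02", 100 * GB),
]

if __name__ == "__main__":
    print(plan_deletions(SAMPLE, 200 * GB, min_keep_days=3))
```

Run it against real `_cat/indices` output by building `Index` objects from the name and `store.size` columns; the function never issues deletes itself.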

On 31 Dec 2018, at 11:40, Mike Hammett <nanog at ics-il.net> wrote:

I just recently rolled out Elastiflow. Lots of great information.



-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

________________________________
From: "Michel 'ic' Luczak" <lists at benappy.com>
To: "Erik Sundberg" <ESundberg at nitelusa.com>
Cc: nanog at nanog.org
Sent: Monday, December 31, 2018 3:40:40 AM
Subject: Re: Service Provider NetFlow Collectors

Don’t underestimate good old ELK
https://www.elastic.co/guide/en/logstash/current/netflow-module.html
+ https://github.com/robcowart/elastiflow

BR, ic

On 31 Dec 2018, at 04:29, Erik Sundberg <ESundberg at nitelusa.com> wrote:

Hi Nanog….

We are looking at replacing our Netflow collector. I am wondering what other service providers are using to collect netflow data off their Core and Edge Routers. Pros/Cons… What to watch out for? Any info would help.

We are mainly looking to analyze the netflow data. Bonus if it does DDoS detection and mitigation.

We are looking at
ManageEngine Netflow Analyzer
PRTG
Plixer – Scrutinizer
PeakFlow
Kentik
Solarwinds NTA


Thanks in advance…

Erik




