NetFlow v.9 Cisco ASA Analysis Using Logstash (ELK)

Anyone who has ever gone looking for a NetFlow v9 analyzer knows that there are not many free solutions available, and even fewer that are open source. In my case I needed to receive, parse and visualize NetFlow v9 traffic from a Cisco ASA 5585. For this I used ELK (Elasticsearch + Logstash + Kibana):


Here is the link to the official site.

This product is an open source solution, which means there were, and will be, many "bugs" that I was lucky enough to run into. The working setup is presented below.


1. This setup was deployed on Red Hat Enterprise Linux 7.

2. First, install Java, as the instructions on the site require:

# sudo yum install java


3. Install Elasticsearch (a full-text search engine built on top of Apache Lucene, with additional conveniences such as easy scaling and replication that make it a very good fit for highly loaded projects with large data volumes):

# sudo yum install https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/rpm/elasticsearch/2.3.4/elasticsearch-2.3.4.rpm
# sudo service elasticsearch start

4. Install Logstash (collects, filters and then forwards the data to the final data store):

# sudo yum install https://download.elastic.co/logstash/logstash/packages/centos/logstash-2.3.4-1.noarch.rpm
# sudo service logstash start

5. Install Kibana (lets you query the data in Elasticsearch and build many beautiful graphs):

# sudo yum install https://download.elastic.co/kibana/kibana/kibana-4.5.3-1.x86_64.rpm
# systemctl enable kibana.service
# sudo service kibana start

6. You should now have access to the web interface at localhost:5601; in the Status tab you can check that all the modules you have connected are up.

7. Now we need to install the logstash-codec-netflow plugin:

# /opt/logstash/bin/logstash-plugin install logstash-codec-netflow

8. After a successful installation, install the newer working version 2.1.1 of logstash-codec-netflow on top of it:

# /opt/logstash/bin/logstash-plugin install --version 2.1.1 logstash-codec-netflow

9. Done! After installation we can write the pipeline config (in /etc/logstash/conf.d):

# cd /etc/logstash/conf.d
# nano netflow.conf

input {
  udp {
    port => 9996
    type => "netflow"
    codec => netflow {
      versions => [5,9,10]
    }
  }
}
output {
  if [type] == "netflow" {
    elasticsearch {
      hosts => ["localhost"]
      index => "netflow-%{+YYYY.MM.dd}"
    }
  }
}

10. From our config it follows that the Cisco ASA must be configured to export NetFlow v9 to the IP address of our server, which listens on UDP port 9996 (you can change the port to your own if you like).

Configuration example (replace YOUR_IP with the collector's address):
access-list global_mpc extended permit ip any any
flow-export destination inside YOUR_IP 9996
class-map global_class
 match access-list global_mpc
policy-map global_policy
 class global_class
  flow-export event-type all destination YOUR_IP

11. Now you can check the result of our efforts. Run the following command and verify that our work was not in vain:

# /opt/logstash/bin/logstash -e 'input {udp {port => 9996 codec => netflow}} output {stdout {codec => rubydebug}}'

At the beginning we will see only this:

:message=>"No matching template for flow id 265", :level=>:warn}
:message=>"No matching template for flow id 263", :level=>:warn}
:message=>"No matching template for flow id 256", :level=>:warn}
:message=>"No matching template for flow id 265", :level=>:warn}
:message=>"No matching template for flow id 263", :level=>:warn}
:message=>"No matching template for flow id 260", :level=>:warn}

This can last a couple of minutes; do not worry, the output will change and we will get the desired result. The reason is that NetFlow v9 is template-based: the ASA sends the templates that describe its data records only periodically, and until the collector has received the template for a given flow id it cannot decode the records that reference it, hence these warnings.
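To make the template behaviour concrete, and to exercise the udp input from netflow.conf above without waiting for the ASA, here is an added Python example. It is not code from the original post and not part of Logstash or logstash-codec-netflow: it builds a minimal NetFlow v9 template flowset and data flowset, decodes them the way a template-aware collector must, and can send the constructed packets to the collector port. The field type numbers come from RFC 3954; the template id 256, the source id, the sample addresses and the port 9996 are assumptions and constructed values.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type numbers (RFC 3954) used by the constructed template.
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]  # (type, length)
TEMPLATE_ID = 256  # assumed: data template ids start at 256
SOURCE_ID = 0      # assumed exporter source id


def v9_header(count, sequence, source_id=SOURCE_ID, uptime_ms=1000, unix_secs=1_600_000_000):
    """20-byte v9 header: version, count, sysUptime, unixSecs, sequence, sourceId."""
    return struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, sequence, source_id)


def template_flowset(template_id=TEMPLATE_ID, fields=TEMPLATE_FIELDS):
    """Flowset id 0 carrying one template definition."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(records, template_id=TEMPLATE_ID):
    """Data flowset whose records follow TEMPLATE_FIELDS, padded to a 4-byte boundary."""
    body = b""
    for src, dst, sport, dport, proto, nbytes in records:
        body += IPv4Address(src).packed + IPv4Address(dst).packed
        body += struct.pack("!HHBI", sport, dport, proto, nbytes)
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad


class V9Collector:
    """Minimal template-aware decoder, mirroring what the netflow codec has to do."""

    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(field type, length), ...]

    def feed(self, packet):
        """Decode one packet; returns (decoded records, warnings)."""
        version, _count, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, warnings = [], []
        offset = 20
        while offset + 4 <= len(packet):
            flowset_id, flowset_len = struct.unpack("!HH", packet[offset:offset + 4])
            if flowset_len < 4:
                break  # malformed length: stop instead of looping forever
            body = packet[offset + 4:offset + flowset_len]
            if flowset_id == 0:
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:
                fields = self.templates.get((source_id, flowset_id))
                if fields is None:
                    # Same situation as the Logstash warnings: data arrived before its template.
                    warnings.append(f"No matching template for flow id {flowset_id}")
                else:
                    records.extend(self._decode(fields, body))
            offset += flowset_len
        return records, warnings

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields

    @staticmethod
    def _decode(fields, body):
        record_len = sum(flen for _, flen in fields)
        if record_len == 0:
            return []
        out, pos = [], 0
        while pos + record_len <= len(body):  # leftover bytes shorter than a record are padding
            record = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                record[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
            out.append(record)
        return out


def send_packets(packets, host="127.0.0.1", port=9996):
    """Send constructed packets to the Logstash udp input (host and port assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for packet in packets:
            sock.sendto(packet, (host, port))


if __name__ == "__main__":
    # Constructed sample flows: HTTPS and DNS from an inside host.
    flows = [("10.0.0.5", "203.0.113.10", 51234, 443, 6, 1500),
             ("10.0.0.5", "10.0.0.2", 51235, 53, 17, 120)]
    template_packet = v9_header(1, 1) + template_flowset()
    data_packet = v9_header(2, 2) + data_flowset(flows)
    collector = V9Collector()
    print(collector.feed(data_packet))      # data before template: only the warning
    print(collector.feed(template_packet))  # learn the template
    print(collector.feed(data_packet))      # now both records decode
    send_packets([template_packet, data_packet])
```

Feeding the data packet before the template packet reproduces the "No matching template" warning; once the template has been learned the same data decodes. Sending the template packet first, then data, to the collector shows up under the rubydebug output of step 11 without any ASA involved, which is a useful check that the udp input, port and codec version are right before troubleshooting the firewall side.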

12. Next, go to localhost:5601, verify that the data has arrived, and build the tables and graphs you need.

PS

What I would like to say in closing: you will most likely have to install self-built plugins, and this is not a simple matter (at least it was not for me). For this you need the following package (to build your "gem" from its "gemspec"):

# yum install rubygem-bundler

And this package, to fetch some plugins from GitHub:

# yum install git

In fact, I spent a lot of time searching for a solution to this problem, which is what prompted me to write this article (I do not want anyone else to struggle with it). I hope this manual was useful. Good luck in your endeavors!
