NetFlow with Elastic-Stack
1. Elastic-Stack, Fleet and Elastic-Agent
With the new version (8.3) of Elastic I took the chance to re-create my Elastic-Stack cluster. Especially Fleet and the Elastic-Agent with their Integrations look interesting.
One interesting Integration for network engineers is NetFlow Records. NetFlow provides valuable information about the traffic passing through a network and requires three components to work. Those are:
Flow exporter: Cisco ASA Firewall cluster
Flow collector: Elastic Agent NetFlow Integration
Analysis app: Elastic-Stack and Kibana Dashboards
2. Configuration of Cisco ASA Firewall
The best and easiest way to set up NetFlow on a Cisco ASA Firewall is via the command line. First the flow exporter is configured, then an access control list, and afterwards a class-map and a policy-map. The commands shown below do exactly that:
# conf t
(config)# flow-export destination inside [IP_ELASTIC_NETFLOW_COLLECTOR] [PORT_ELASTIC_NETFLOW_COLLECTOR]
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config-cmap)# policy-map global_policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination [IP_ELASTIC_NETFLOW_COLLECTOR]
(config-pmap-c)# service-policy global_policy global
(config)# wr mem
3. NetFlow Integration in Elastic Fleet-Agent
With a Fleet Server installed, activating the NetFlow Integration on an Elastic-Agent is quite easy and can be done in the Web UI.

To check that the NetFlow Integration is working, I do a quick check with netstat to verify that a service (in this case filebeat) is listening on UDP port 2055:
# netstat -tulpn | grep 2055
udp 0 0 [IP_ADDRESS]:2055 0.0.0.0:* 22385/filebeat
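The collector listening on UDP/2055 receives NetFlow v9 export packets: a 20-byte header followed by template and data flowsets, and a data record can only be decoded once its template has arrived, which is what the "flow-export template timeout-rate 1" setting above keeps refreshing. The parser below is an added example, not code from the original post or from the Elastic integration; it decodes a packet constructed inline with standard v9 field types rather than the ASA's NSEL-specific templates.

```python
import struct

# NetFlow v9 field type numbers used by the constructed sample (RFC 3954 table).
FIELD_NAMES = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_header(pkt):
    # Fixed 20-byte export header; the ASA's NSEL export is NetFlow version 9.
    hdr = dict(zip(("version", "count", "sys_uptime", "unix_secs", "sequence", "source_id"),
                   struct.unpack("!HHIIII", pkt[:20])))
    if hdr["version"] != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={hdr['version']})")
    return hdr

def decode_field(ftype, raw):
    # IPv4 address fields render dotted; everything else as a big-endian integer.
    return ".".join(str(b) for b in raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_packet(pkt, templates):
    # Learn templates (flowset id 0); decode data flowsets whose template is known; skip others.
    hdr, records, off = parse_header(pkt), [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        body, pos = pkt[off + 4:off + fs_len], 0
        if fs_id == 0:  # template record: template_id, field_count, (type, length)*
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[tid] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                  for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id in templates:  # data flowset: fixed-size records plus padding
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields) or len(body) + 1
            while pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off += max(fs_len, 4)  # a bogus length < 4 must not stall the loop
    return hdr, records

def build_sample_packet(with_template=True):
    # Constructed export packet: header, optional template 256, one TCP flow record.
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl if with_template else b""
    record = bytes([192, 168, 1, 10, 10, 0, 0, 5]) + struct.pack("!HHB", 51234, 443, 6)
    pad = b"\x00" * (-(4 + len(record)) % 4)  # flowsets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(record) + len(pad)) + record + pad
    header = struct.pack("!HHIIII", 9, 2 if with_template else 1, 123456, 1656633600, 42, 0)
    return header + tmpl_fs + data_fs
```

Feeding a data-only packet to a fresh template table yields no records, which is exactly what an Elastic dashboard shows until the exporter's next template refresh arrives.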
4. Kibana Dashboards for NetFlow
The NetFlow Integration automatically adds the Dashboards for NetFlow as assets in Kibana. After a couple of minutes the Dashboard shows the collected NetFlow data. For example, here with Geo Location:

Or here, the Kibana Dashboard with Conversation Partners:
