Want to use the power of the Elastic Stack to analyse NetFlow and IPFIX? Here’s how to get started.
Create a Logstash configuration file in /etc/logstash/conf.d/:
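    # IPFIX -> Logstash -> Elasticsearch pipeline.
    input {
      udp {
        port => 2055        # UDP port the flow exporter sends to
        codec => netflow    # decodes NetFlow and IPFIX records
      }
    }
    output {
      elasticsearch {
        hosts => ["http://10.9.100.36:9200"]
        # Date-stamped index name, e.g. ipfix-2019.05.31
        index => "ipfix-%{+YYYY.MM.dd}"
      }
    }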
You may need to restart Logstash. Your Elastic Stack will now be listening for NetFlow and IPFIX records on UDP port 2055 and will post the data to an index on the Elasticsearch host, for example ipfix-2019.05.31.
For testing, we used an IOS-XE router:
    flow exporter ELASTIC
     destination 10.9.100.36
     transport udp 2055
     export-protocol ipfix
    !
    !
    flow monitor DEMO-MON
     exporter ELASTIC
     record netflow ipv4 original-input
    !
    interface GigabitEthernet4
     ip flow monitor DEMO-MON input
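To exercise the listener without a router, the added example below (not part of the original post) builds a minimal IPFIX message, a template set followed by a data set, and sends it to UDP port 2055. The function names, template ID 256, the choice of fields, the default host 127.0.0.1 and the sample flows are assumptions made for illustration; the flows are constructed and use documentation address ranges.

```python
import socket
import struct
import time
from ipaddress import IPv4Address

# (information element ID, length in bytes) from the IANA IPFIX registry:
# srcIPv4, dstIPv4, srcPort, dstPort, protocol, octetDeltaCount, packetDeltaCount
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]
TEMPLATE_ID = 256  # assumption: lowest ID allowed for a data template


def build_ipfix_message(flows, seq=0, domain_id=1, export_time=None):
    """Return one IPFIX message: a template set followed by a data set."""
    export_time = int(time.time()) if export_time is None else export_time
    template = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    template += b"".join(struct.pack("!HH", ie, size) for ie, size in FIELDS)
    # Set ID 2 marks a template set; the set length includes the 4-byte set header.
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template

    records = b""
    for src, dst, sport, dport, proto, octets, packets in flows:
        records += struct.pack("!4s4sHHBQQ", IPv4Address(src).packed,
                               IPv4Address(dst).packed, sport, dport,
                               proto, octets, packets)
    # A data set carries the ID of the template that describes its records.
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(records)) + records

    body = template_set + data_set
    # Message header: version 10, total length, export time, sequence, domain ID.
    header = struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain_id)
    return header + body


def send(message, host="127.0.0.1", port=2055):
    """Send the message to the Logstash UDP input; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message, (host, port))


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.20", 51514, 443, 6, 4200, 12),
    ("192.0.2.11", "198.51.100.53", 40000, 53, 17, 120, 1),
]

if __name__ == "__main__":
    print(f"sent {send(build_ipfix_message(SAMPLE_FLOWS))} bytes")
```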
And that’s it! Now enjoy creating graphs and charts of your network.