
Analyzing NetFlow v.9 of Cisco ASA using Logstash (ELK)

Anyone who has ever searched for a NetFlow v.9 analyzer probably knows that there are not many free solutions available, and even fewer that are open source. In my case, I needed to receive, parse and visualize NetFlow v.9 traffic from a Cisco ASA 5585. For this I used ELK (Elasticsearch + Logstash + Kibana):


Here is the link to the official website.

This product is an open source solution, which means there were and will be many "bugs", and I had the good fortune to run into a number of them. Below is a working build.


1. This build was deployed on Red Hat Enterprise Linux 7.

2. First, install Java, as required by the instructions on the site:

# sudo yum install java


3. Install Elasticsearch (a full-text search solution built on top of Apache Lucene, with additional conveniences such as easy scaling, replication and other niceties that make Elasticsearch a very convenient and good fit for high-load projects with large amounts of data):

# sudo yum install https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/rpm/elasticsearch/2.3.4/elasticsearch-2.3.4.rpm
# sudo service elasticsearch start

4. Install Logstash (for collecting and filtering data and then forwarding it to the final data store):

# sudo yum install https://download.elastic.co/logstash/logstash/packages/centos/logstash-2.3.4-1.noarch.rpm
# sudo service logstash start

5. Install Kibana (lets you fetch and search the data in Elasticsearch and build many nice graphs):

# sudo yum install https://download.elastic.co/kibana/kibana/kibana-4.5.3-1.x86_64.rpm
# systemctl enable kibana.service
# sudo service kibana start

6. Now you should have access to the web interface at localhost:5601; on the Status tab you can check whether all modules are connected.

7. Now we need to install the logstash-codec-netflow plugin:

# /opt/logstash/bin/logstash-plugin install logstash-codec-netflow

8. After it installs successfully, install the newer working version 2.1.1 of logstash-codec-netflow on top of it:

# /opt/logstash/bin/logstash-plugin install --version 2.1.1 logstash-codec-netflow

9. Done! After installation we can create the config (/etc/logstash/conf.d):

# cd /etc/logstash/conf.d
# nano netflow.conf

input {
  udp {
    port => 9996
    type => "netflow"
    codec => netflow { versions => [5,9,10] }
  }
}
output {
  if [type] == "netflow" {
    elasticsearch {
      hosts => ["localhost"]
      index => "netflow-%{+YYYY.MM.dd}"
    }
  }
}

10. From our config it follows that on the Cisco ASA you need to configure NetFlow v.9 export to the IP address of our server, which is listening on port 9996 (you can change the port if you want).

Setup example:

access-list global_mpc extended permit ip any any
flow-export destination inside YOUR IP 9996
class-map global_class
  match access-list global_mpc
policy-map global_policy
  class global_class
    flow-export event-type all destination YOUR IP

11. Now we can check the result of our efforts. Run the following command and verify that our work was not in vain:

# /opt/logstash/bin/logstash -e 'input { udp { port => 9996 codec => netflow } } output { stdout { codec => rubydebug } }'

At first, we will only see this:

:message=>"No matching template for flow id 265", :level=>:warn}
:message=>"No matching template for flow id 263", :level=>:warn}
:message=>"No matching template for flow id 256", :level=>:warn}
:message=>"No matching template for flow id 265", :level=>:warn}
:message=>"No matching template for flow id 263", :level=>:warn}
:message=>"No matching template for flow id 260", :level=>:warn}

This may take a couple of minutes; do not worry, the output will change and we will get the desired result.
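To show why those warnings appear and then go away, here is an added example (my own code, not from the original post or from the logstash-codec-netflow plugin): a minimal NetFlow v9 decoder that caches templates per exporter source id and cannot decode a data FlowSet (id 256 and above) until the matching template FlowSet (id 0) has been received. All packet bytes, field types and template id 256 are constructed here; the real ASA template ids and field sets are not assumed.

```python
import socket
import struct

# Standard NetFlow v9 field type IDs (RFC 3954) used in the constructed sample below
FIELD_NAMES = {8: "ipv4_src_addr", 12: "ipv4_dst_addr", 7: "l4_src_port", 11: "l4_dst_port", 1: "in_bytes"}


def decode_v9(packet, templates):
    """Decode one v9 packet. `templates` maps (source_id, template_id) -> [(type, len), ...] and
    must persist across packets: data FlowSets (id >= 256) are opaque until the exporter's
    template FlowSet (id 0) has been seen. Returns (records, warnings)."""
    version, _cnt, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, warnings, off = [], [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4: raise ValueError("malformed FlowSet length")  # would never advance
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template FlowSet: cache each template's field layout for this exporter
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id >= 256:  # data FlowSet: undecodable until its template is cached
            fields = templates.get((source_id, fs_id))
            if fields is None:
                warnings.append(f"No matching template for flow id {fs_id}")
                continue
            rec_len, pos = sum(l for _, l in fields), 0
            while pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
    return records, warnings


def v9_packet(source_id, flowsets, seq=1):
    # Builds a constructed v9 packet from (flowset_id, body) pairs: sample input, not real ASA traffic
    body = b"".join(struct.pack("!HH", fid, len(fs) + 4) + fs for fid, fs in flowsets)
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1470000000, seq, source_id) + body


# Constructed template 256 (src addr, dst addr, src port, dst port, bytes) and one matching data record
TEMPLATE_256 = struct.pack("!HH", 256, 5) + b"".join(struct.pack("!HH", t, l) for t, l in [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)])
RECORD = socket.inet_aton("10.0.0.1") + socket.inet_aton("192.0.2.10") + struct.pack("!HHI", 40000, 443, 1500)
```

Feeding a data-only packet first reproduces the warning; once a packet carrying the template has been seen for that source id, later data FlowSets decode, which is exactly the delay you observe while the ASA waits for its next periodic template refresh.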

12. Next, go to localhost:5601, check that data has been received, and build the tables and graphs with the values you need.

PS


So, what I would like to say at the end... Let's start with the fact that you will most likely have to install self-written plugins, and this is not a simple matter (at least it was not for me); for this you will need the following package (to build your gem and gemspec):

# yum install rubygem-bundler

And this package to fetch some self-written plugins from GitHub:

# yum install git

In fact, I spent a lot of time searching for a solution to this problem, which prompted me to write this article (I do not want anyone else to struggle with it). I hope this guide was helpful. Good luck in your endeavors!

Source: https://habr.com/ru/post/307528/
