Use a Fleet agent to collect NetFlow log data - Elasticsearch

NetFlow is a network traffic analysis technology that can be used to monitor, analyze, and diagnose network traffic. You can use NetFlow to monitor network traffic in real time and analyze the network traffic, which can help improve network performance and ensure network security. This topic describes how to use the Fleet server provided by Kibana to manage NetFlow log data collected by a Fleet agent and transfer the collected data to Kibana for analysis.

Terms

Term	Description
Fleet	Fleet is a powerful solution provided by Elasticsearch to manage Fleet agents in a centralized manner.
Fleet agent	A Fleet agent is a lightweight data collection agent that is used to collect data from a source. A Fleet agent can run on different types of operating systems and collect multiple types of data.
Fleet server	The Fleet server is used to transfer data that is collected by a Fleet agent from a source to Elasticsearch.

Prepare environments

Create an Alibaba Cloud Elasticsearch cluster. For more information, see Create an Alibaba Cloud Elasticsearch cluster. In this example, an Alibaba Cloud Elasticsearch V8.5 cluster is created.
Create an Elastic Compute Service (ECS) instance in the same virtual private cloud (VPC) as the Elasticsearch cluster. For more information, see Create an instance by using the wizard.
Note
The ECS instance is used as the source server. A Fleet agent collects data from the ECS instance.

Create an agent policy and add integrations

Step 1: Create an agent policy

Log on to the Kibana console of the Elasticsearch cluster. For more information, see Log on to the Kibana console.
Click the icon in the upper-left corner. In the left-side navigation pane, choose Management > Fleet.
On the Fleet page, click the Agent policies tab.
Click Create agent policy. In the Create agent policy panel, configure the agent policy.
1. Enter the name netflow-log in the Name field.
2. Clear Collect system logs and metrics.
3. Click Advanced options. In the Agent monitoring section, clear Collect agent logs and Collect agent metrics.
  Note
  In this example, only NetFlow Records logs need to be collected. Therefore, Collect system logs and metrics, Collect agent logs, and Collect agent metrics do not need to be selected.
Click Create agent policy.

Step 2: Add a Fleet server integration

On the Agent policies tab of the Fleet page, find the netflow-log agent policy and click its name.
On the Integrations tab of the page that appears, click Add integration.
On the Browse integrations tab of the Integrations page, enter Fleet Server in the search box. Then, click the Fleet Server card that is displayed.
Install the Fleet server integration.
1. On the Fleet Server page, click the Settings tab.
2. Click Install Fleet Server assets. In the Install Fleet Server message, click Install Fleet Server.
  Note
  After the integration is installed, the version of the integration is displayed on the Settings tab of the Fleet Server page.
In the upper-right corner of the Fleet Server page, click Add Fleet Server.
On the Add Fleet Server integration page, enter a name for the integration in the Integration name field in the Configure integration section and select netflow-log from the Agent policy drop-down list in the Where to add this integration section.
In the lower-right corner of the Add Fleet Server integration page, click Save and continue. In the Fleet Server integration added message, click Add Elastic Agent later.

Step 3: Add a NetFlow integration

On the Integrations tab of the agent policy netflow-log, click Add integration.
On the Browse integrations tab of the Integrations page, enter NetFlow Records in the search box. Then, click the NetFlow Records card that is displayed.
Install the NetFlow Records integration.
1. On the NetFlow Records page, click the Settings tab.
2. Click Install NetFlow Records assets. In the Install NetFlow Records message, click Install NetFlow Records.
  Note
  After the integration is installed, the version of the integration is displayed on the Settings tab of the NetFlow Records page.
In the upper-right corner of the NetFlow Records page, click Add NetFlow Records.
On the Add NetFlow Records integration page, configure the integration.
1. In the Configure integration section, enter netflow-1 in the Integration name field.
2. Click Change defaults next to Collect NetFlow logs. Enter 0.0.0.0 in the UDP host to listen on field and retain the default value 2055 in the UDP port to listen on field.
3. On the Existing hosts tab of the Where to add this integration section, select netflow-log from the Agent policy drop-down list.
In the lower-right corner of the Add NetFlow Records integration page, click Save and continue. In the NetFlow Records integration added message, click Add Elastic Agent later.

Add a Fleet agent and start NetFlow

Step 1: Configure a host for the Fleet server

Log on to the Kibana console of the Elasticsearch cluster. For more information, see Log on to the Kibana console.
Click the icon in the upper-left corner. In the left-side navigation pane, choose Management > Fleet.
On the Fleet page, click the Settings tab. On the Settings tab, configure parameters for Fleet.
1. In the Fleet server hosts section, click Edit hosts.
2. In the Fleet Server hosts panel, enter the URL of the source from which you want to collect data in the Specify host URL field. The URL must be in the https://<Private IP address of the source>:<Port number> format, such as https://172.16.*.***:8220. Then, click Save and apply settings. In the Save and deploy changes message, click Save and deploy.
  Note
  In this example, a URL that contains the primary private IP address of the ECS instance is entered. For more information about the configurations, see Fleet Server hosts.
3. In the Outputs section of the Fleet page, click the icon in the Actions column.
4. In the Edit output panel, enter the URL of the Elasticsearch cluster in the Hosts field. The URL must be in the http://<Internal endpoint of the Elasticsearch cluster>:<Port number> format, such as http://es-cn-uqm3auln80001****.elasticsearch.aliyuncs.com:9200.
5. Click Save and apply settings. In the Save and deploy changes message, click Save and deploy.

Step 2: Add a Fleet agent

Add a Fleet agent to the Fleet server.

Note

If you want to collect NetFlow traffic data from multiple source servers, you can repeat the following steps. After you add multiple Fleet agents to the Fleet server, each Fleet agent collects data from the related source server. The collected data is managed by the Fleet server in a centralized manner.

Click the icon in the upper-left corner. In the left-side navigation pane, choose Management > Fleet.
On the Fleet page, click the Agent policies tab.
On the Agent policies tab, find the agent policy netflow-log, click the icon in the Actions column, and then select Add agent.
On the Enroll in Fleet tab of the Add agent panel, click Add Fleet Server. In the Add a Fleet Server panel, click Advanced. In the Select a policy for Fleet Server section, retain the default value netflow-log.
In the Choose a deployment mode for security section, retain the default value Quick start.
In the Add your Fleet Server host section, click Add host.
In the Generate a service token section, click Generate service token.
In the Install Fleet Server to a centralized host section, copy the code that is automatically generated and run the code in the ECS instance.
If Successfully is displayed after you run the code, the Fleet agent is installed on the ECS instance and is started.

Step 3: Configure the NetFlow service

In this example, softflowd is used to generate NetFlow logs. You must run the following code to start softflowd in the ECS instance.

Download the source code package of softflowd.

wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/softflowd/softflowd-0.9.9.tar.gz

Install the ibpcap-devel environment.
```
yum install libpcap-devel
```

Compile code and install softflowd.

tar -xvf softflowd-0.9.9.tar.gz
cd softflowd-0.9.9
./configure 
make
make install

Run softflowd.

nohup softflowd -v 9 -D -i eth0 -t maxlife=1 -n localhost:2055 >/dev/null 2>&1 &

View the collected data

You can use one of the following methods to view the collected NetFlow log data:

Method 1: View the collected NetFlow log data on the View Dashboards page
1. Click the icon in the upper-left corner. In the left-side navigation pane, choose Management > Fleet.
2. On the Fleet page, click the Data streams tab. On the Data streams tab, you can view the collected NetFlow log data in the dataset list.
3. Find the desired dataset, click the icon in the Actions column, and then select View Dashboards. On the page that appears, you can select the item whose information you want to view. For example, you can select [Logs Netflow] Overview and view information about it.
Method 2: View the collected NetFlow log data in the destination index on the Discover page
Click the icon in the upper-left corner. In the left-side navigation pane, choose Analytics > Discover. On the Discover page, view the data in the destination index.
Method 3: Query the collected NetFlow log data by running a command on the Console tab
1. Click the icon in the upper-left corner. In the left-side navigation pane, choose Management > Dev Tools.
2. On the Console tab, run the following command to query the collected NetFlow log data:
```
GET logs-netflow.log-default/_search
```