Cisco netflow -> SO 2.4 - target node type and ILM?

[ejgh-oe]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500G

Storage for /nsm

500G

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hi,
For getting a view on netflow data originating from ISP-uplink as well as core routers I've been using NFSen for quite some time. With S.O. running in a distributed environment and being capable of importing netflow data I'm thinking about using S.O as a netflow collector too. Just to give you an idea we're taking about several millions of netflow records per hour coming from one core router alone. Talking about number of flows/s we're between 30k and 80k flows/sec for all netflow sources altogether.

Thinking about a production use I've got the following questions:

• Where should netflow traffic be directed to? To the manager node? To a search node? To a sensor? Reason I'm asking is because the manager node is a VM and directing millions of netflow records to it will quickly bring down the manager node (sensor- and search-nodes are hardware based)

• With rather low amount of data coming from suricata etc (currently ILM wise I'm running with delete phase set to 120 days) and considering rather high amounts of traffic coming from netflow is there any way to have separate ILM policies for say "normal" S.O. traffic and netflow data? If yes, how could this be done.

Thanks much in advance for your help.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

You can send the Netflow data to any computer in your environment that's running the Elastic Agent and is reporting to Security Onion. Simply add the Netflow integration to that agent's policy and open up the appropriate firewall hole.

This Youtube video walks through the process for the PFSense integration, but the steps are largely similar: https://www.youtube.com/watch?v=aoH8qZwAxek

You can set the ILM policies through the Administration --> Configuration interface. Click on Options at the top, toggle on the Advanced settings, and then go to this location in the tree:

elasticsearch > index_settings > so-logs-netflow_x_log > policy > phases

You can set the values there for how long to retain the data before shifting it from hot to warm, and from warm to deletion.

[ejgh-oe]

Awesome - this was exactly what I was looking for. Your tips should definitely get me going.
Thanks alot.