Setting up the traffic analysis tool ElastiFlow (based on ELK)


一、*Features*

Receives NetFlow or sFlow records from network devices and analyses them to produce a traffic ranking by protocol, a ranking of downloading IPs, and information about communicating peers.

二、*Base environment*

1、Install ELK and Java

RHEL Server 7, ELK 6.8.21

Install elasticsearch, logstash and kibana from rpm packages

Download from: https://www.elastic.co/cn/downloads/past-releases#elasticsearch

rpm -ivh elasticsearch-6.8.21.rpm

rpm -ivh logstash-6.8.21.rpm

rpm -ivh kibana-6.8.21-x86_64.rpm

Install Java 1.8.0_171 or later (installation guides are easy to find online)

2、Kibana configuration

Edit /etc/kibana/kibana.yml

server.port: 5601
server.host: "192.168.11.105"
server.maxPayloadBytes: 8388608
elasticsearch.url: "http://192.168.11.105:9200"
i18n.locale: "zh-CN"

Change the ownership of the Kibana paths

chown -R kibana:kibana /etc/kibana

chown -R kibana:kibana /usr/share/kibana

chown kibana:kibana /etc/default/kibana

Start Kibana

systemctl enable kibana

systemctl start kibana

3、Elasticsearch configuration

Edit /etc/elasticsearch/elasticsearch.yml

node.name: net-pd-1
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 192.168.11.105
http.port: 9200

Edit /etc/elasticsearch/jvm.options and change only the following (set to 1/4 of physical memory)

-Xms64g
-Xmx64g

Edit /usr/lib/systemd/system/elasticsearch.service (the first line already exists; add the second line directly beneath it)

LimitFSIZE=infinity
LimitMEMLOCK=infinity

Change the ownership of the Elasticsearch paths

chown -R elasticsearch:elasticsearch /etc/elasticsearch

chown -R elasticsearch:elasticsearch /usr/share/elasticsearch

chown -R elasticsearch:elasticsearch /data/elasticsearch/data

chown -R elasticsearch:elasticsearch /data/elasticsearch/logs

chown elasticsearch:elasticsearch /etc/sysconfig/elasticsearch

Start Elasticsearch

systemctl daemon-reload

systemctl enable elasticsearch

systemctl start elasticsearch

4、Logstash configuration

Edit /etc/logstash/logstash.yml (the data and logs paths are custom)

path.data: /data/logstash/data
config.reload.automatic: true
config.reload.interval: 3600s
http.host: "192.168.11.105"
http.port: 9600-9700
path.logs: /data/logstash/logs

Edit /etc/logstash/jvm.options and change only the following (set to 1/4 of physical memory)

-Xms64g
-Xmx64g

Edit /etc/logstash/startup.options and change only the following (the Java path)

JAVACMD=/usr/bin/java

Change the ownership of the Logstash paths

chown -R logstash:logstash /etc/logstash

chown -R logstash:logstash /usr/share/logstash

chown -R logstash:logstash /data/logstash/data

chown -R logstash:logstash /data/logstash/logs

chown logstash:logstash /etc/default/logstash

Start Logstash

systemctl enable logstash

systemctl start logstash

三、*Installation*

1、Install ElastiFlow

Download the ElastiFlow tar.gz package from https://github.com/robcowart/elastiflow/releases/tag/v3.4.2

tar -zxvf v3.4.2.tar.gz

cd elastiflow-3.4.2

cp -r logstash/elastiflow /etc/logstash/

cp -r logstash.service.d /etc/systemd/system/

chown -R logstash:logstash /etc/logstash/elastiflow

2、ElastiFlow configuration

Disable the configuration files in /etc/logstash/elastiflow/conf.d/ that are not needed (append .disabled to the file name)

10_input_ipfix_ipv4.logstash.conf.disabled

10_input_ipfix_ipv6.logstash.conf.disabled

10_input_netflow_ipv6.logstash.conf.disabled

10_input_sflow_ipv4.logstash.conf.disabled

10_input_sflow_ipv6.logstash.conf.disabled

20_filter_30_ipfix.logstash.conf.disabled

20_filter_40_sflow.logstash.conf.disabled

30_output_20_multi.logstash.conf.disabled

Edit /etc/systemd/system/logstash.service.d/elastiflow.conf and change the following (comment out the NetFlow IPv6 lines, and comment out all IPFIX and sFlow lines)

Environment="ELASTIFLOW_GEOIP_CACHE_SIZE=12288"
Environment="ELASTIFLOW_RESOLVE_IP2HOST=true"
Environment="ELASTIFLOW_ES_HOST=192.168.11.105:9200"
Environment="ELASTIFLOW_NETFLOW_IPV4_HOST=192.168.11.105"
Environment="ELASTIFLOW_NETFLOW_IPV4_PORT=2055"

Reload systemd

systemctl daemon-reload

3、Logstash configuration changes

Edit /etc/logstash/pipelines.yml (only if Logstash is not used for anything else)

#- pipeline.id: main
#  path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: elastiflow
  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"

Edit /etc/logstash/elastiflow/conf.d/30_output_10_single.logstash.conf and, in the elasticsearch output, change this line

hosts => [ "${ELASTIFLOW_ES_HOST:192.168.11.105:9200}" ]

Restart Logstash

systemctl restart logstash

(Use netstat -ntulp to verify that UDP port 2055 is being listened on)

4、Kibana configuration changes

Import elastiflow-3.4.2/kibana/elastiflow.kibana.6.7.x.json through the Kibana UI (Management → Saved Objects → Import)

Create an index pattern (Management → Index Patterns → Create index pattern) named "elastiflow-*" (this must be done after Logstash has been started)

5、Kibana dashboards

Create a new dashboard and add the charts you normally use (the ones below are application ranking, client traffic ranking, server traffic ranking and session traffic ranking); filters can be used to narrow the analysis to a given IP

[Figure: elastiflow_2.png]

[Figure: elastiflow_3.png]

6、ElastiFlow settings (if @timestamp on the Discover page is 8 hours behind, fix it as follows)

Edit /etc/logstash/elastiflow/conf.d/20_filter_10_begin.logstash.conf and add the following inside the filter section

# timezone: derive a UTC+8 date string, index_date, from @timestamp
ruby {
  code => "event.set('index_date', event.get('@timestamp').time.localtime + 8*60*60)"
}
mutate {
  convert => { "index_date" => "string" }
  # strip the time part "T...Z" and turn "-" into ".", so 2024-03-01T... becomes 2024.03.01
  gsub => [
    "index_date", "T([\S\s]*?)Z", "",
    "index_date", "-", "."
  ]
}

Edit /etc/logstash/elastiflow/conf.d/30_output_10_single.logstash.conf and, in the elasticsearch output, comment out the original index line and replace it with index => "elastiflow-3.4.2-%{index_date}"

#index => "elastiflow-3.4.2-%{+YYYY.MM.dd}"
index => "elastiflow-3.4.2-%{index_date}"
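As an added example (not from the original post or from ElastiFlow), the following Ruby reproduces the @timestamp to index_date transformation of the filter above outside Logstash, assuming, as Logstash does, that the shifted Time is stored as a UTC ISO8601 string before the mutate block trims it. It shows that with the +8 hour shift the daily index rolls over at 16:00 UTC instead of at midnight UTC.

```ruby
require 'time'

# Same offset as the ruby {} filter in the post (8 hours, UTC+8).
OFFSET_SECONDS = 8 * 60 * 60

# Mirrors the ruby {} block: take the event's UTC timestamp and add 8h.
# Logstash then serialises the resulting Time as a UTC ISO8601 string,
# e.g. "2024-03-02T02:30:00.000Z" (assumption modelled on Logstash 6.x).
def shifted_timestamp_string(utc_iso8601, offset = OFFSET_SECONDS)
  shifted = Time.iso8601(utc_iso8601).utc + offset
  shifted.strftime('%Y-%m-%dT%H:%M:%S.%LZ')
end

# Mirrors the mutate {} block: drop "T...Z", then turn "-" into ".".
def index_date_from_string(timestamp_string)
  timestamp_string.gsub(/T([\S\s]*?)Z/, '').gsub('-', '.')
end

# Whole pipeline: @timestamp (UTC) -> index_date used in the index name.
def index_date(utc_iso8601)
  index_date_from_string(shifted_timestamp_string(utc_iso8601))
end

# Index name as written in 30_output_10_single.logstash.conf after the edit.
def index_name(utc_iso8601)
  "elastiflow-3.4.2-#{index_date(utc_iso8601)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: 18:30 UTC is already 02:30 the next day in UTC+8,
  # so the flow lands in the next day's index.
  ['2024-03-01T10:00:00Z', '2024-03-01T18:30:00Z'].each do |ts|
    puts "#{ts} -> #{index_name(ts)}"
  end
end
```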

四、*NetFlow configuration templates for network devices*

*Cisco:*

int GigabitEthernet0/0
 ip flow ingress
 ip flow egress
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.11.105 2055

*Juniper:*

set services flow-monitoring
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
set forwarding-options sampling input rate 1000
set forwarding-options sampling input run-length 0
set forwarding-options sampling input max-packets-per-second 2000
set forwarding-options sampling family inet output flow-server 192.168.11.105 port 2055
set forwarding-options sampling family inet output flow-server 192.168.11.105 source-address 192.168.11.106
set forwarding-options sampling family inet output flow-server 192.168.11.105 version 5

*Huawei/H3C:*

sampler 2 mode random packet-interval 2000
ip netstream export index-switch 32    (some Huawei devices default to 16-bit interface indexes, so this setting is required)
ip netstream export version 5 origin-as
ip netstream export host 192.168.11.105 2055
ip netstream export source interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip netstream inbound
 ip netstream outbound
 ip netstream inbound sampler 2
 ip netstream outbound sampler 2

五、*sFlow configuration templates for network devices (only for devices without NetFlow support)*

1、Install the sFlow plugin in Logstash

Download the logstash-codec-sflow plugin from https://gems.ruby-china.com/gems/logstash-codec-sflow, making sure the version matches your Logstash (Logstash 6.8.1 needs sflow 2.1.3).

Package it as logstash-codec-sflow.zip with zip and upload it to /tmp on the server

cd /usr/share/logstash

bin/logstash-plugin install file:///tmp/logstash-codec-sflow.zip

After installing the plugin, fix the ownership again

chown -R logstash:logstash /usr/share/logstash

2、Edit /etc/systemd/system/logstash.service.d/elastiflow.conf and uncomment the sFlow lines (except the IPv6 part)

Environment="ELASTIFLOW_SFLOW_IPV4_HOST=192.168.11.105"
Environment="ELASTIFLOW_SFLOW_IPV4_PORT=6343"
Environment="ELASTIFLOW_SFLOW_UDP_WORKERS=4"
Environment="ELASTIFLOW_SFLOW_UDP_QUEUE_SIZE=4096"
Environment="ELASTIFLOW_SFLOW_UDP_RCV_BUFF=33554432"

Reload systemd

systemctl daemon-reload

3、Re-enable the sFlow configuration files in /etc/logstash/elastiflow/conf.d/ (remove the .disabled suffix from the file name)

10_input_sflow_ipv4.logstash.conf

20_filter_40_sflow.logstash.conf

4、Edit /etc/logstash/elastiflow/conf.d/20_filter_40_sflow.logstash.conf (for sFlow, node.ipaddr defaults to the agent IP and needs to be the management IP instead): comment out the following

    #mutate {
    #  id => "sflow_set_node_agent_ip"
    #  replace => {
    #    "[node][ipaddr]" => "%{[agent_ip]}"
    #    "[node][hostname]" => "%{[agent_ip]}"
    #  }
    #}

5、Restart Logstash

systemctl restart logstash

(Use netstat -ntulp to verify that UDP 2055 and UDP 6343 are being listened on)

Juniper sFlow (e.g. EX4200):

set protocols sflow collector 192.168.11.105
set protocols sflow collector udp-port 6343
set protocols sflow interfaces ge-0/0/0.0
set protocols sflow polling-interval 60
set protocols sflow sample-rate 1000
set protocols sflow source-ip 192.168.11.130

Note:

The interface index carried in sFlow from EX series switches is the physical interface index, even when the traffic is generated on a subinterface!

六、*Device name and interface name mapping*

1、Device names

Edit /etc/hosts; ElastiFlow resolves node.hostname from node.ipaddr. Format:

192.168.11.106 RT4
192.168.11.108 vMx-1

2、Interface names

Edit /etc/logstash/elastiflow/dictionaries/ifName.yml; ElastiFlow looks up ifname from node.ipaddr and ifindex. Format:

"192.168.11.106::ifName.1": "Gi0/0"
"192.168.11.108::ifName.513": "ge-0/0/0"
"192.168.11.108::ifName.523": "ge-0/0/0.0"
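As an added example (not part of the original post or of ElastiFlow itself), the Ruby below builds ifName.yml from a constructed interface list in the key format shown above, rejects malformed addresses and duplicate keys, and mirrors the node.ipaddr plus ifindex lookup; the "index: N" fallback text is an assumption for this example.

```ruby
require 'yaml'
require 'ipaddr'

# Constructed sample: [node IP, ifindex, interface name] triples.
INTERFACES = [
  ['192.168.11.106', 1,   'Gi0/0'],
  ['192.168.11.108', 513, 'ge-0/0/0'],
  ['192.168.11.108', 523, 'ge-0/0/0.0']
].freeze

# Dictionary key format: "<node.ipaddr>::ifName.<ifindex>".
# Rejects malformed addresses and non-positive indexes early.
def ifname_key(ip, ifindex)
  IPAddr.new(ip) # raises IPAddr::InvalidAddressError on bad input
  unless ifindex.is_a?(Integer) && ifindex.positive?
    raise ArgumentError, "ifindex must be a positive integer: #{ifindex.inspect}"
  end
  "#{ip}::ifName.#{ifindex}"
end

# Build the hash; a duplicate key is an error rather than a silent overwrite.
def build_ifname_dict(interfaces)
  interfaces.each_with_object({}) do |(ip, ifindex, name), dict|
    key = ifname_key(ip, ifindex)
    raise ArgumentError, "duplicate key #{key}" if dict.key?(key)
    dict[key] = name
  end
end

# Render the flat YAML mapping in the same quoted form as the post.
def render_ifname_yaml(dict)
  dict.map { |key, name| "#{key.inspect}: #{name.inspect}" }.join("\n") + "\n"
end

# Look up the way a translate filter would; the "index: N" fallback text is
# an assumption for this example, not copied from ElastiFlow's config.
def resolve_ifname(dict, ip, ifindex)
  dict.fetch("#{ip}::ifName.#{ifindex}", "index: #{ifindex}")
end

puts render_ifname_yaml(build_ifname_dict(INTERFACES)) if __FILE__ == $PROGRAM_NAME
```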

The effect of the device name and interface name mapping is shown below:

[Figure: elastiflow_1.png]

Restart Logstash after editing the hosts file or ifName.yml for the changes to take effect

