I would be *very* interested in that!

Rainer

Sent from phone, thus brief.

On 11.01.2014 04:01, "Nick Syslog" <rsys...@nanoscopic.net> wrote:
> ....or maybe share/integrate it as an input module to rsyslog?!
>
> *salivate*
>
> On Fri, Jan 10, 2014 at 6:52 PM, Xuri Nagarin <secs...@gmail.com> wrote:
>> Let me check with my co-worker who wrote a nifty netflow-to-syslog
>> utility in C. Maybe we can share it as open source.
>>
>> On Fri, Jan 10, 2014 at 1:20 PM, David Lang <da...@lang.hm> wrote:
>>> what sort of throughput can you get from logstash getting netflow logs
>>> and delivering them to rsyslog?
>>>
>>> David Lang
>>>
>>> On Fri, 10 Jan 2014, Mike Hoskins (michoski) wrote:
>>>
>>>> Date: Fri, 10 Jan 2014 20:58:03 +0000
>>>> From: "Mike Hoskins (michoski)" <micho...@cisco.com>
>>>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>>>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>>>> Subject: Re: [rsyslog] Off-Topic: rsyslog-like equivalent for NetFlow?
>>>>
>>>> Logstash setup itself is straightforward (their docs are great), and I
>>>> can attach the full config referenced below + patterns file specific
>>>> to Cisco, minus my IPs and rabbitmq passwords of course...if that's
>>>> helpful. ;-) Nothing too exotic really.
>>>>
>>>> Right now I've got netflow in each colo going through logstash ->
>>>> rabbitmq <- central rabbitmq -> elasticsearch -> kibana to make
>>>> infosec happy. The bulk of the work is on es/kibana side to make
>>>> pretty dashboards people like, though they can tweak quite a bit
>>>> themselves.
>>>>
>>>> I actually use rsyslog for an entirely different use case (high volume
>>>> application logs), but was thinking the above could be
>>>> modified...inserting rsyslog in the middle so you could output/archive
>>>> to flat file as well as es. That way people who prefer traditional
>>>> methods like grep aren't left in the cold. Elasticsearch is amazing,
>>>> but this would give users a choice of interface.
>>>>
>>>> -----Original Message-----
>>>> From: Nick Syslog <rsys...@nanoscopic.net>
>>>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>>>> Date: Friday, January 10, 2014 2:34 PM
>>>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>>>> Subject: Re: [rsyslog] Off-Topic: rsyslog-like equivalent for NetFlow?
>>>>
>>>>> I'm also interested in this solution as I'm about to implement
>>>>> something similar in our enterprise as well...
>>>>>
>>>>> Either that or work on paying to develop something native to rsyslog
>>>>> to accept the traffic and redistribute it.
>>>>>
>>>>> On Fri, Jan 10, 2014 at 11:51 AM, Mike Hoskins (michoski) <
>>>>> micho...@cisco.com> wrote:
>>>>>
>>>>>> Still working out all the details, but have had luck using logstash
>>>>>> behind lb to accept netflow input, then filter/output as
>>>>>> desired...even back into rsyslog. ;-)
>>>>>>
>>>>>> input {
>>>>>>
>>>>>>   # Syslog inputs
>>>>>>   udp {
>>>>>>     host => "a.b.c.d"
>>>>>>     port => 514
>>>>>>     type => "syslog"
>>>>>>   }
>>>>>>   tcp {
>>>>>>     host => "a.b.c.d"
>>>>>>     port => 514
>>>>>>     type => "syslog"
>>>>>>   }
>>>>>>
>>>>>>   # Netflow input
>>>>>>   udp {
>>>>>>     host => "a.b.c.d"
>>>>>>     codec => netflow {}
>>>>>>     port => 2055
>>>>>>     type => "netflow"
>>>>>>   }
>>>>>>
>>>>>>   # Dummy TCP ports for load balancer probes
>>>>>>   tcp {
>>>>>>     host => "a.b.c.d"
>>>>>>     port => 514
>>>>>>     type => "dummy"
>>>>>>   }
>>>>>>   tcp {
>>>>>>     host => "a.b.c.d"
>>>>>>     port => 2055
>>>>>>     type => "dummy"
>>>>>>   }
>>>>>> }
>>>>>>
>>>>>> Last tcp bits being a hack to keep random garbage showing up from lb
>>>>>> probes (my filters drop type dummy).
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Robert McIntyre <rjmci...@hotmail.com>
>>>>>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>>>>>> Date: Friday, January 10, 2014 1:36 PM
>>>>>> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
>>>>>> Subject: [rsyslog] Off-Topic: rsyslog-like equivalent for NetFlow?
>>>>>>
>>>>>>> Hello, folks! Apologies for this question; I know that it's
>>>>>>> off-topic, but hope that it's not too far off. :)
>>>>>>>
>>>>>>> I have an infrastructure using rsyslog to receive, write to text
>>>>>>> file, and forward syslog traffic. I now need to figure out a way to
>>>>>>> do the same things with NetFlow data. I'm querying the internet, but
>>>>>>> haven't found anything as turnkey as rsyslog is for syslog.
>>>>>>>
>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Robert
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> rsyslog mailing list
>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>>>>>>> POST if you DON'T LIKE THAT.
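The netflow-to-syslog idea discussed in this thread (a receiver on the same UDP/2055 port the logstash config above uses, emitting one syslog line per flow that rsyslog can then write to flat file or forward) looks like this in practice. This is an added example written for this page; it is not the co-worker's C utility, logstash's netflow codec or anything from the rsyslog project. It assumes NetFlow v5 (the 24-byte header plus 48-byte records), facility local0, and the flow values, exporter address and port used below are constructed, not captured traffic. It also shows the check Mike's "dummy" inputs are working around: the record count in a datagram is attacker- or probe-controlled input, so it is bounded and checked against the real length, and anything that does not fit is dropped rather than forwarded.

```python
"""Decode NetFlow v5 datagrams and emit one syslog line per flow.
Added example for this thread (not the C utility mentioned in it); all
sample flows, hosts and ports are constructed."""
import socket
import struct
from datetime import datetime, timezone

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as,
# dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30  # a v5 exporter never packs more than 30 records per datagram
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram):
    """Return (header, flows). Raise ValueError instead of trusting a bad count."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     _etype, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    # The count field comes from the wire: bound it and check it against the
    # real length so a truncated, forged or probe datagram cannot make us read
    # past the buffer or turn garbage into "flows".
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("count %d does not fit %d-byte datagram" % (count, len(datagram)))
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "flow_sequence": seq, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits = interval
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport,
         dport, _pad1, tcp_flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop), "in_if": in_if, "out_if": out_if,
            "packets": pkts, "bytes": octets, "duration_ms": last - first,
            "sport": sport, "dport": dport, "tcp_flags": tcp_flags,
            "proto": PROTO_NAMES.get(proto, str(proto)),
        })
    return header, flows


def flow_to_syslog(header, flow, exporter, facility=16, severity=6):
    """Render one flow as an RFC 5424 line (default PRI 134 = local0.info)."""
    ts = datetime.fromtimestamp(header["unix_secs"], tz=timezone.utc)
    fields = [
        "src=%s:%d" % (flow["src"], flow["sport"]),
        "dst=%s:%d" % (flow["dst"], flow["dport"]),
        "proto=%s" % flow["proto"],
        "pkts=%d" % flow["packets"],
        "bytes=%d" % flow["bytes"],
        "flags=0x%02x" % flow["tcp_flags"],
        "in=%d" % flow["in_if"],
        "out=%d" % flow["out_if"],
        "seq=%d" % header["flow_sequence"],
    ]
    return "<%d>1 %s %s netflow - - - %s" % (
        facility * 8 + severity, ts.strftime("%Y-%m-%dT%H:%M:%SZ"), exporter, " ".join(fields))


def build_v5_datagram(flows, unix_secs=1389387483, flow_sequence=1):
    """Pack constructed flows into a v5 datagram (test input, not captured traffic)."""
    records = b"".join(struct.pack(
        RECORD_FMT, socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
        socket.inet_aton(f.get("nexthop", "0.0.0.0")), f.get("in_if", 0),
        f.get("out_if", 0), f["packets"], f["bytes"], 0, 0, f["sport"],
        f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, unix_secs, 0, flow_sequence, 0, 0, 0)
    return header + records


def serve(bind_addr="0.0.0.0", port=2055):
    """Listen for NetFlow v5 on UDP and print syslog lines for rsyslog to pick up."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        try:
            header, flows = parse_netflow_v5(data)
        except ValueError:
            continue  # drop malformed datagrams and probe traffic instead of forwarding them
        for flow in flows:
            print(flow_to_syslog(header, flow, peer), flush=True)


if __name__ == "__main__":
    serve()
```

Run as a script it binds UDP/2055 and prints lines such as `<134>1 2014-01-10T20:58:03Z 10.1.1.1 netflow - - - src=10.0.0.1:443 dst=10.0.0.2:51000 proto=tcp pkts=10 bytes=1500 flags=0x18 in=0 out=0 seq=1` (constructed output), one per flow, which a syslog daemon can archive to flat file or ship onward. The key=value body keeps the lines grep-friendly, which is the use case the thread contrasts with Elasticsearch; NetFlow v9/IPFIX templates are out of scope here and are rejected by the version check rather than misparsed.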