Skip to content

Configuring IPFIX on ELK

Introduction

IPFIX (Internet Protocol Flow Information Export) is a standard for exporting network flow information, which allows you to monitor and analyze traffic in real time. This guide is aimed at configuring IPFIX in the ELK stack (Elasticsearch, Logstash, Kibana). Before you begin, make sure you have the following prerequisites:

  • ELK Stack Installation: See the "Getting Started" guide to install ELK.
  • Fleet Access: Make sure Fleet is configured in your ELK environment.

1. Accessing the Fleet Sub-tab from Management

What are Fleet Server and Fleet Agent?

  • Fleet Server: A component that manages the configuration and communication between agents and the ELK server. It allows centralized agent management.
  • Fleet Agent: A tool that collects data from systems and sends it to the ELK server, facilitating data analysis and monitoring.

More Information

For more information, access the official documentation on Fleet server: Elastic Documentation - Fleet

2. Modifying the Fleet Policy

What are Fleet Server Policies?

Fleet Server policies define how agents behave, which integrations are applied, and what data should be collected. These policies are essential to customize data collection according to the needs of your environment.

More Information

For more information, access the official documentation on fleet policies: Elastic Documentation - Policies

3. Accessing the Fleet Server Policy

  1. In the Agent Policy column, click on the policy called Fleet Server Policy.
  2. On this tab, you will see a list of integrations available for the agent.

What are Integrations?

Integrations are packages that define how to collect data from different sources. They facilitate agent configuration, allowing you to add resources and functionality as needed.

More Information

For more information, access the official documentation on integrations: Elastic Documentation - Integrations

4. Adding the NetFlow Integration

  1. Click on Add Integration and search for NetFlow.
  2. Select the NetFlow Records option.

Integration Summary

After selecting the integration, a short summary will be displayed explaining what this integration does. Click on Add NetFlow Records to proceed.

5. Integration Configuration

On the configuration tab, you will see the following options:

  • Listening IP: The IP address where the agent will listen for IPFIX packets.
  • Reception Portal: The portal on which the data will be received.

Note

You do not need to modify these settings, as they are defined to work with the default configuration. For more information, access the official documentation: Elastic Documentation - NetFlow Integrations

6. Finalizing the Configuration

  1. Click Save and Continue.
  2. Then click Save and Deploy Changes to apply the changes.