SlideShare a Scribd company logo

DIY Netflow Data Analytic with ELK Stack by CL Lee

MyNOG
MyNOG

DIY Netflow Data Analytic with ELK Stack

Education
1 of 37
Download to read offline
NetFlow Data Analytics with ELK Stack
•  Founded in 2003 •  Over 60 employees •  Managing over 5000 physical servers •  Total 250 racks at 5 data centers across MY, SG and HK •  Contributing 10% of Malaysia’s domestic traffic •  Approximately 6.8 Gbit/s total traffic sending to the Internet at peak •  Up to 1.2TB DDoS mitigation capacity About IP ServerOne
Why do we need to use NetFlow?
Who contributed to this spike? Most companies have their MRTG configured But MRTG cannot tell you which IP is receiving a spike traffic (such as the above graph)
You probably may need to know where the majority of your traffic comes from, right? Who uses the most bandwidth here?
A NetFlow graph would be able to breakdown the usage for your outbound / inbound traffic
MRTG GRAPH NETFLOW GRAPH Replacing your MRTG with a NetFlow graph
Why do we choose ElasticSearch, Logstash, And Kibana (ELK)?
•  Before I get to know ELK stack, I was using MySQL to store all the NetFlow information. •  I wrote a PHP application that converts NetFlow information into a MySQL statement. •  That was too slow on the conversion performance and the data retrieval was a complete nightmare. •  There is no function / feature to get traffic statistic in the histogram form. Why ELK? It’s just too difficult to run this in MySQL
•  Speed is the primary reason that I have chosen ELK •  It has a lot of codec, which I can just plug and play •  COST; it runs on commodity hardware and it works just fine with Nearline SAS Hard drives •  Open Source •  Support Clustering •  It has SQL like syntax, so data searching is much more easier •  It has a very high performance; we had a working environment of 100Kflows per second Why ELK?
Alternative to ELK •  We did consider to use InfluxDB The OpenSource edition doesn’t support clustering. •  OpenTSDB The setup is very time-consuming. •  MongoDB. This is a great DB; however, we still prefer to use ElasticSearch.
How to record the NetFlow Data?
The NetFlow is being collected with the following setup NetFlow Source Logstash Elas6cSearch Elas6cSearch API + Custom App
Adding BGP table information into the ElasticSearch NetFlow Source Elas6cSearch BGP routing table entry for 103.3.174.0/24, version 737937 Paths: (34 available, best #21, table default) Not advertised to any peer Refresh Epoch 1 3356 3491 45352 4.69.184.193 from 4.69.184.193 (4.69.184.193) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:666 3356:2012 3491:400 3491:413 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 3549 3356 2914 45352 208.51.134.254 from 208.51.134.254 (67.16.168.191) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:3 3356:86 3356:575 3356:666 3356:2011 3356:11940 3549:2581 3549:30840 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 20912 1267 45352 212.66.96.126 from 212.66.96.126 (212.66.96.126) Origin incomplete, localpref 100, valid, external Community: 1267:167 1267:200 20912:65001 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 route-views> BGP Rou6ng Table PHP + Golang Logstash ExaBGP
We use NetFlow v9 in our projects Here is the field that we keep
The hardware specification used for keeping our NetFlow The software used to run our NetFlow CentOS 7 64bit Operating System Java Hardware vs Software 1 x Intel Xeon 8 cores 2.1Ghz Processor 32GB RAM 4 x 2TB HDD 1 x Gigabit Network Card ElasticSearch, Logstash PHP MySQL
How to put up the software? CentOS Installation You can follow the way you do normally; but please remember to keep most of the free space into /var.
ElasticSearch Installation ElasticSearch is a search engine based on Lucene. It provides a distributed architecture, support multi-tenancy and full-text search engine with an HTTP web interface.
Start ElasticSearch [root@elk-stack ~]# systemctl daemon-reload [root@elk-stack ~]# systemctl start elasticsearch [root@elk-stack ~]# systemctl enable elasticsearch [root@elk-stack ~]# curl -XGET ‘http://localhost:9200/_cat/indices?v’ health status index uuid pri rep docs.count docs.deleted store.size pri.store.size yellow open stat-20180603 byH89tWFQSS_R9kS_QPGPw 5 1 54822544 0 6.9gb 6.9gb yellow open stat-20180616 qZYSua4CQDa18GGMc8uiHQ 5 1 51830338 0 6.6gb 6.6gb yellow open stat-20180604 PYdGUxX7SZ2aaFRV-ng4NQ 5 1 57828976 0 7.3gb 7.3gb yellow open stat-20180630 FwrBuf6FQ-6SlyZhknATLQ 5 1 50014372 0 6.4gb 6.4gb yellow open stat-20180618 _Nloca3jROCQ2vChWmDoGw 5 1 54976264 0 7gb 7gb yellow open stat-20180526 ObGvcFbfTDuuk_MtZNlCQA 5 1 51836183 0 6.6gb 6.6gb yellow open stat-20180615 t_CxQoauRUiVRTaJRPz2eQ 5 1 55490519 0 7gb 7gb To check what are the indexes available in the ElasticSearch:
Logstash Installation Logstash is one of the softwares inside the ELK stack. The main objective for this software is to convert NetFlow data into ElasticSearch acceptable format.
Configure Logstash to decode NetFlow LS_HOME/bin/logstash-plugin install logstash-codec-sflow LS_HOME/bin/logstash-plugin update logstash-codec-netflow LS_HOME/bin/logstash-plugin update logstash-input-udp LS_HOME/bin/logstash-plugin update logstash-filter-dns input { udp { port => 2055 codec => netflow } } output { elasticsearch { protocol => "http" host => "127.0.0.1" } stdout { codec => rubydebug } } Create a netflow.conf /etc/logstash/
Kibana Installation Kibana is one of the GUI tools that helps retrieve data from ElasticSearch. It can also come with the graphing capability to manipulate the Doc in ElasticSearch to be something more meaningful to system engineers.
Kibana Configuration vi /etc/kibana/kibana.yml Kibana does not listen to any IP besides 127.0.0.1; you will need to update the configuration file to make the Kibana accessible from outside the host.
A quick look on the data stored in ElasticSearch If the data is successfully collected by Logstash, this is what will be shown in Kibana:
How to query ElasticSearch for top 10 IP talkers?
ElasticSearch has it’s own Query Language called Query DSL Here is a sample query command for the IP range 103.64.13.0/24 at the specific time period. (formatted in epoch milliseconds)
Kibana is easy to use… However, it’s still complicated for my NOC team We make use of ElasticSearch Client API for PHP, to make a query interface so that they can do the job quicker and simplify the learning curve.
To integrate with PHP, we use Elasticsearch-PHP It works quite well with our PHP environment
A Query screen for the NOC engineer Here is the result of what we have developed, which makes our engineers’ life easier
Samples on how we use the NetFlow Data
Outgoing traffic by ASN and it’s AS-PATH This allows us to know which ASN the traffic flows; and helps us optimize the planning and traffic engineering according to AS Number.
Incoming traffic by Source ASN This is also helpful when it comes to traffic engineering
Identify customer traffic profile Identify the estimated bandwidth cost for each customer. See if the customer traffic utilization is more towards international or local bandwidth.
IP Conversation History It’s something really useful for troubleshooting a network related issue, such as spamming activity, NTP attack within the network, and ability to identify the compromised host quickly.
Conclusion ElasticSearch, Logstash and Kibana is a powerful tool to keep and analyze the NetFlow traffic. In addition, it’s not too difficult to deploy and run.
ANY QUESTIONS?
ThanksOUR INFRASTRUCTURE; YOUR GROWTH E-mail: cllee@ip.my Mobile: +6 012-331 9286 03 2026 1688 www.ipserverone.com ISO Certificate No: IS 651738

Recommended

[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
OpenStack Korea Community
 
OpenTelemetry For Developers
OpenTelemetry For DevelopersOpenTelemetry For Developers
OpenTelemetry For Developers
Kevin Brockhoff
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For Architects
Kevin Brockhoff
 
Best Practices For Workflow
Best Practices For WorkflowBest Practices For Workflow
Best Practices For Workflow
Timothy Spann
 
Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)
Weaveworks
 
Confluent Operator as Cloud-Native Kafka Operator for Kubernetes
Confluent Operator as Cloud-Native Kafka Operator for KubernetesConfluent Operator as Cloud-Native Kafka Operator for Kubernetes
Confluent Operator as Cloud-Native Kafka Operator for Kubernetes
Kai Wähner
 
Apache Kafka at LinkedIn
Apache Kafka at LinkedInApache Kafka at LinkedIn
Apache Kafka at LinkedIn
Guozhang Wang
 
Observability, Distributed Tracing, and Open Source: The Missing Primer
Observability, Distributed Tracing, and Open Source: The Missing PrimerObservability, Distributed Tracing, and Open Source: The Missing Primer
Observability, Distributed Tracing, and Open Source: The Missing Primer
VMware Tanzu
 

Recommended

[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
OpenStack Korea Community
 
OpenTelemetry For Developers
OpenTelemetry For DevelopersOpenTelemetry For Developers
OpenTelemetry For Developers
Kevin Brockhoff
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For Architects
Kevin Brockhoff
 
Best Practices For Workflow
Best Practices For WorkflowBest Practices For Workflow
Best Practices For Workflow
Timothy Spann
 
Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)Introduction to the Container Network Interface (CNI)
Introduction to the Container Network Interface (CNI)
Weaveworks
 
Confluent Operator as Cloud-Native Kafka Operator for Kubernetes
Confluent Operator as Cloud-Native Kafka Operator for KubernetesConfluent Operator as Cloud-Native Kafka Operator for Kubernetes
Confluent Operator as Cloud-Native Kafka Operator for Kubernetes
Kai Wähner
 
Apache Kafka at LinkedIn
Apache Kafka at LinkedInApache Kafka at LinkedIn
Apache Kafka at LinkedIn
Guozhang Wang
 
Observability, Distributed Tracing, and Open Source: The Missing Primer
Observability, Distributed Tracing, and Open Source: The Missing PrimerObservability, Distributed Tracing, and Open Source: The Missing Primer
Observability, Distributed Tracing, and Open Source: The Missing Primer
VMware Tanzu
 
Microservices, DevOps & SRE
Microservices, DevOps & SREMicroservices, DevOps & SRE
Microservices, DevOps & SRE
Araf Karsh Hamid
 
OpenTelemetry For Operators
OpenTelemetry For OperatorsOpenTelemetry For Operators
OpenTelemetry For Operators
Kevin Brockhoff
 
Getting Started with Infrastructure as Code
Getting Started with Infrastructure as CodeGetting Started with Infrastructure as Code
Getting Started with Infrastructure as Code
WinWire Technologies Inc
 
MySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & GrafanaMySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & Grafana
YoungHeon (Roy) Kim
 
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
DevOps.com
 
OpenTelemetry Introduction
OpenTelemetry Introduction OpenTelemetry Introduction
OpenTelemetry Introduction
DimitrisFinas1
 
Apache Superset - open source data exploration and visualization (Conclusion ...
Apache Superset - open source data exploration and visualization (Conclusion ...Apache Superset - open source data exploration and visualization (Conclusion ...
Apache Superset - open source data exploration and visualization (Conclusion ...
Lucas Jellema
 
Workflow Automation with Logic Apps
Workflow Automation with Logic AppsWorkflow Automation with Logic Apps
Workflow Automation with Logic Apps
BizTalk360
 
Dataflow with Apache NiFi
Dataflow with Apache NiFiDataflow with Apache NiFi
Dataflow with Apache NiFi
DataWorks Summit/Hadoop Summit
 
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and LinkerdService Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Kai Wähner
 
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache KafkaReal-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Kai Wähner
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd productsDesigning a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd products
Julian Mazzitelli
 
Observability For Modern Applications
Observability For Modern ApplicationsObservability For Modern Applications
Observability For Modern Applications
Amazon Web Services
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using Kafka
Knoldus Inc.
 
Apache Airflow in Production
Apache Airflow in ProductionApache Airflow in Production
Apache Airflow in Production
Robert Sanders
 
Combining Logs, Metrics, and Traces for Unified Observability
Combining Logs, Metrics, and Traces for Unified ObservabilityCombining Logs, Metrics, and Traces for Unified Observability
Combining Logs, Metrics, and Traces for Unified Observability
Elasticsearch
 
MicroServices with Containers, Kubernetes & ServiceMesh
MicroServices with Containers, Kubernetes & ServiceMeshMicroServices with Containers, Kubernetes & ServiceMesh
MicroServices with Containers, Kubernetes & ServiceMesh
Akash Agrawal
 
Splunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk HTTP Event Collector
Splunk HTTP Event Collector
Splunk
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlow
Joel W. King
 
Api observability
Api observability Api observability
Api observability
Red Hat
 
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, BlazegraphDatabase Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
✔ Eric David Benari, PMP
 
Openconfig
OpenconfigOpenconfig
Openconfig
APNIC
 

More Related Content

What's hot

How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
DevOps.com
 
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and LinkerdService Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Kai Wähner
 
Observability For Modern Applications
Observability For Modern ApplicationsObservability For Modern Applications
Observability For Modern Applications
Amazon Web Services
 

What's hot (20)

Microservices, DevOps & SRE
Microservices, DevOps & SREMicroservices, DevOps & SRE
Microservices, DevOps & SRE
 
OpenTelemetry For Operators
OpenTelemetry For OperatorsOpenTelemetry For Operators
OpenTelemetry For Operators
 
Getting Started with Infrastructure as Code
Getting Started with Infrastructure as CodeGetting Started with Infrastructure as Code
Getting Started with Infrastructure as Code
 
MySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & GrafanaMySQL Monitoring using Prometheus & Grafana
MySQL Monitoring using Prometheus & Grafana
 
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
 
OpenTelemetry Introduction
OpenTelemetry Introduction OpenTelemetry Introduction
OpenTelemetry Introduction
 
Apache Superset - open source data exploration and visualization (Conclusion ...
Apache Superset - open source data exploration and visualization (Conclusion ...Apache Superset - open source data exploration and visualization (Conclusion ...
Apache Superset - open source data exploration and visualization (Conclusion ...
 
Workflow Automation with Logic Apps
Workflow Automation with Logic AppsWorkflow Automation with Logic Apps
Workflow Automation with Logic Apps
 
Dataflow with Apache NiFi
Dataflow with Apache NiFiDataflow with Apache NiFi
Dataflow with Apache NiFi
 
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and LinkerdService Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd
 
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache KafkaReal-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd productsDesigning a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd products
 
Observability For Modern Applications
Observability For Modern ApplicationsObservability For Modern Applications
Observability For Modern Applications
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using Kafka
 
Apache Airflow in Production
Apache Airflow in ProductionApache Airflow in Production
Apache Airflow in Production
 
Combining Logs, Metrics, and Traces for Unified Observability
Combining Logs, Metrics, and Traces for Unified ObservabilityCombining Logs, Metrics, and Traces for Unified Observability
Combining Logs, Metrics, and Traces for Unified Observability
 
MicroServices with Containers, Kubernetes & ServiceMesh
MicroServices with Containers, Kubernetes & ServiceMeshMicroServices with Containers, Kubernetes & ServiceMesh
MicroServices with Containers, Kubernetes & ServiceMesh
 
Splunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk HTTP Event Collector
Splunk HTTP Event Collector
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlow
 
Api observability
Api observability Api observability
Api observability
 

Similar to DIY Netflow Data Analytic with ELK Stack by CL Lee

Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...
Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...
Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...
confluent
 
Web Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC ProjectWeb Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC Project
Saltlux Inc.
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PROIDEA
 
IPLC Analytic Dashboard - Mohd Rizal bin Mohd Ramly
IPLC Analytic Dashboard - Mohd Rizal bin Mohd RamlyIPLC Analytic Dashboard - Mohd Rizal bin Mohd Ramly
IPLC Analytic Dashboard - Mohd Rizal bin Mohd Ramly
MyNOG
 

Similar to DIY Netflow Data Analytic with ELK Stack by CL Lee (20)

Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, BlazegraphDatabase Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
 
Openconfig
OpenconfigOpenconfig
Openconfig
 
Detecting Spoofing at IXPs
Detecting Spoofing at IXPsDetecting Spoofing at IXPs
Detecting Spoofing at IXPs
 
Detecting spoofing at IxP's
Detecting spoofing at IxP'sDetecting spoofing at IxP's
Detecting spoofing at IxP's
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
 
Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...
Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...
Five Fabulous Sinks for Your Kafka Data. #3 will surprise you! (Rachel Pedres...
 
MySQL Manchester TT - 5.7 Whats new
MySQL Manchester TT - 5.7 Whats newMySQL Manchester TT - 5.7 Whats new
MySQL Manchester TT - 5.7 Whats new
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetry
 
Vectorized Deep Learning Acceleration from Preprocessing to Inference and Tra...
Vectorized Deep Learning Acceleration from Preprocessing to Inference and Tra...Vectorized Deep Learning Acceleration from Preprocessing to Inference and Tra...
Vectorized Deep Learning Acceleration from Preprocessing to Inference and Tra...
 
Using a Fast Operational Database to Build Real-time Streaming Aggregations
Using a Fast Operational Database to Build Real-time Streaming AggregationsUsing a Fast Operational Database to Build Real-time Streaming Aggregations
Using a Fast Operational Database to Build Real-time Streaming Aggregations
 
Rakuten Technology Conference 2017 A Distributed SQL Database For Data Analy...
Rakuten Technology Conference 2017 A Distributed SQL Database For Data Analy...Rakuten Technology Conference 2017 A Distributed SQL Database For Data Analy...
Rakuten Technology Conference 2017 A Distributed SQL Database For Data Analy...
 
Otimizando servidores web
Otimizando servidores webOtimizando servidores web
Otimizando servidores web
 
Web Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC ProjectWeb Scale Reasoning and the LarKC Project
Web Scale Reasoning and the LarKC Project
 
Proving out flash storage array performance using swingbench and slob
Proving out flash storage array performance using swingbench and slobProving out flash storage array performance using swingbench and slob
Proving out flash storage array performance using swingbench and slob
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
Headless approach for offloading heavy tasks in Magento
Headless approach for offloading heavy tasks in MagentoHeadless approach for offloading heavy tasks in Magento
Headless approach for offloading heavy tasks in Magento
 
Apache Flink: Past, Present and Future
Apache Flink: Past, Present and FutureApache Flink: Past, Present and Future
Apache Flink: Past, Present and Future
 
IPLC Analytic Dashboard - Mohd Rizal bin Mohd Ramly
IPLC Analytic Dashboard - Mohd Rizal bin Mohd RamlyIPLC Analytic Dashboard - Mohd Rizal bin Mohd Ramly
IPLC Analytic Dashboard - Mohd Rizal bin Mohd Ramly
 
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek
 
Docker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic StackDocker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic Stack
 

More from MyNOG

MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIX
MyNOG
 

More from MyNOG (20)

Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier Networks
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New Frontiers
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native Infrastructure
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network Controller
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalids
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIX
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in Kubernetes
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable Paradigm
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIX
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 

Recently uploaded

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Recently uploaded (20)

Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 

DIY Netflow Data Analytic with ELK Stack by CL Lee

  • 1. NetFlow Data Analytics with ELK Stack
  • 2. •  Founded in 2003 •  Over 60 employees •  Managing over 5000 physical servers •  Total 250 racks at 5 data centers across MY, SG and HK •  Contributing 10% of Malaysia’s domestic traffic •  Approximately 6.8 Gbit/s total traffic sending to the Internet at peak •  Up to 1.2TB DDoS mitigation capacity About IP ServerOne
  • 3. Why do we need to use NetFlow?
  • 4. Who contributed to this spike? Most companies have their MRTG configured But MRTG cannot tell you which IP is receiving a spike traffic (such as the above graph)
  • 5. You probably may need to know where the majority of your traffic comes from, right? Who uses the most bandwidth here?
  • 6. A NetFlow graph would be able to breakdown the usage for your outbound / inbound traffic
  • 8. Why do we choose ElasticSearch, Logstash, And Kibana (ELK)?
  • 9. •  Before I get to know ELK stack, I was using MySQL to store all the NetFlow information. •  I wrote a PHP application that converts NetFlow information into a MySQL statement. •  That was too slow on the conversion performance and the data retrieval was a complete nightmare. •  There is no function / feature to get traffic statistic in the histogram form. Why ELK? It’s just too difficult to run this in MySQL
  • 10. •  Speed is the primary reason that I have chosen ELK •  It has a lot of codec, which I can just plug and play •  COST; it runs on commodity hardware and it works just fine with Nearline SAS Hard drives •  Open Source •  Support Clustering •  It has SQL like syntax, so data searching is much more easier •  It has a very high performance; we had a working environment of 100Kflows per second Why ELK?
  • 11. Alternative to ELK •  We did consider to use InfluxDB The OpenSource edition doesn’t support clustering. •  OpenTSDB The setup is very time-consuming. •  MongoDB. This is a great DB; however, we still prefer to use ElasticSearch.
  • 12. How to record the NetFlow Data?
  • 13. The NetFlow is being collected with the following setup NetFlow Source Logstash Elas6cSearch Elas6cSearch API + Custom App
  • 14. Adding BGP table information into the ElasticSearch NetFlow Source Elas6cSearch BGP routing table entry for 103.3.174.0/24, version 737937 Paths: (34 available, best #21, table default) Not advertised to any peer Refresh Epoch 1 3356 3491 45352 4.69.184.193 from 4.69.184.193 (4.69.184.193) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:666 3356:2012 3491:400 3491:413 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 3549 3356 2914 45352 208.51.134.254 from 208.51.134.254 (67.16.168.191) Origin IGP, metric 0, localpref 100, valid, external Community: 3356:3 3356:86 3356:575 3356:666 3356:2011 3356:11940 3549:2581 3549:30840 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 20912 1267 45352 212.66.96.126 from 212.66.96.126 (212.66.96.126) Origin incomplete, localpref 100, valid, external Community: 1267:167 1267:200 20912:65001 rx pathid: 0, tx pathid: 0 Refresh Epoch 1 route-views> BGP Rou6ng Table PHP + Golang Logstash ExaBGP
  • 15. We use NetFlow v9 in our projects Here is the field that we keep
  • 16. The hardware specification used for keeping our NetFlow The software used to run our NetFlow CentOS 7 64bit Operating System Java Hardware vs Software 1 x Intel Xeon 8 cores 2.1Ghz Processor 32GB RAM 4 x 2TB HDD 1 x Gigabit Network Card ElasticSearch, Logstash PHP MySQL
  • 17. How to put up the software? CentOS Installation You can follow the way you do normally; but please remember to keep most of the free space into /var.
  • 18. ElasticSearch Installation ElasticSearch is a search engine based on Lucene. It provides a distributed architecture, support multi-tenancy and full-text search engine with an HTTP web interface.
  • 19. Start ElasticSearch [root@elk-stack ~]# systemctl daemon-reload [root@elk-stack ~]# systemctl start elasticsearch [root@elk-stack ~]# systemctl enable elasticsearch [root@elk-stack ~]# curl -XGET ‘http://localhost:9200/_cat/indices?v’ health status index uuid pri rep docs.count docs.deleted store.size pri.store.size yellow open stat-20180603 byH89tWFQSS_R9kS_QPGPw 5 1 54822544 0 6.9gb 6.9gb yellow open stat-20180616 qZYSua4CQDa18GGMc8uiHQ 5 1 51830338 0 6.6gb 6.6gb yellow open stat-20180604 PYdGUxX7SZ2aaFRV-ng4NQ 5 1 57828976 0 7.3gb 7.3gb yellow open stat-20180630 FwrBuf6FQ-6SlyZhknATLQ 5 1 50014372 0 6.4gb 6.4gb yellow open stat-20180618 _Nloca3jROCQ2vChWmDoGw 5 1 54976264 0 7gb 7gb yellow open stat-20180526 ObGvcFbfTDuuk_MtZNlCQA 5 1 51836183 0 6.6gb 6.6gb yellow open stat-20180615 t_CxQoauRUiVRTaJRPz2eQ 5 1 55490519 0 7gb 7gb To check what are the indexes available in the ElasticSearch:
  • 20. Logstash Installation Logstash is one of the softwares inside the ELK stack. The main objective for this software is to convert NetFlow data into ElasticSearch acceptable format.
  • 21. Configure Logstash to decode NetFlow LS_HOME/bin/logstash-plugin install logstash-codec-sflow LS_HOME/bin/logstash-plugin update logstash-codec-netflow LS_HOME/bin/logstash-plugin update logstash-input-udp LS_HOME/bin/logstash-plugin update logstash-filter-dns input { udp { port => 2055 codec => netflow } } output { elasticsearch { protocol => "http" host => "127.0.0.1" } stdout { codec => rubydebug } } Create a netflow.conf /etc/logstash/
  • 22. Kibana Installation Kibana is one of the GUI tools that helps retrieve data from ElasticSearch. It can also come with the graphing capability to manipulate the Doc in ElasticSearch to be something more meaningful to system engineers.
  • 23. Kibana Configuration vi /etc/kibana/kibana.yml Kibana does not listen to any IP besides 127.0.0.1; you will need to update the configuration file to make the Kibana accessible from outside the host.
  • 24. A quick look on the data stored in ElasticSearch If the data is successfully collected by Logstash, this is what will be shown in Kibana:
  • 25. How to query ElasticSearch for top 10 IP talkers?
  • 26. ElasticSearch has it’s own Query Language called Query DSL Here is a sample query command for the IP range 103.64.13.0/24 at the specific time period. (formatted in epoch milliseconds)
  • 27. Kibana is easy to use… However, it’s still complicated for my NOC team We make use of ElasticSearch Client API for PHP, to make a query interface so that they can do the job quicker and simplify the learning curve.
  • 28. To integrate with PHP, we use Elasticsearch-PHP It works quite well with our PHP environment
  • 29. A Query screen for the NOC engineer Here is the result of what we have developed, which makes our engineers’ life easier
  • 30. Samples on how we use the NetFlow Data
  • 31. Outgoing traffic by ASN and it’s AS-PATH This allows us to know which ASN the traffic flows; and helps us optimize the planning and traffic engineering according to AS Number.
  • 32. Incoming traffic by Source ASN This is also helpful when it comes to traffic engineering
  • 33. Identify customer traffic profile Identify the estimated bandwidth cost for each customer. See if the customer traffic utilization is more towards international or local bandwidth.
  • 34. IP Conversation History It’s something really useful for troubleshooting a network related issue, such as spamming activity, NTP attack within the network, and ability to identify the compromised host quickly.
  • 35. Conclusion ElasticSearch, Logstash and Kibana is a powerful tool to keep and analyze the NetFlow traffic. In addition, it’s not too difficult to deploy and run.
  • 37. ThanksOUR INFRASTRUCTURE; YOUR GROWTH E-mail: cllee@ip.my Mobile: +6 012-331 9286 03 2026 1688 www.ipserverone.com ISO Certificate No: IS 651738