Pre-built image can be found here: https://hub.docker.com/r/hsrnetwork/docker-logstash-netflow

This Docker image can be used to collect Netflow data using Logstash. In the default configuration of this image, received Netflow entries are stored in JSON files. Additionally, it can print the received flows to STDOUT (this output needs to be enabled first). Further Netflow processing logic can easily be configured inside the `logstash.conf` configuration file.
Pull the image directly from hsrnetwork/docker-logstash-netflow using the desired version, or simply use the `latest` tag.
- Create a data directory which will be mounted into the Docker container and used to store the Netflow data dump file. By default this image uses the host directory `/opt/netflow-data`, which is mounted at `/data` inside the container.
- Change the `logstash.conf` configuration file according to your needs.
To start the container use:

```bash
docker run -it \
  -e "TZ=Europe/Zurich" \
  -p 9995:9995/udp \
  -v /opt/netflow-data:/data \
  -v `pwd`/logstash.conf:/srv/logstash.conf \
  hsrnetwork/docker-logstash-netflow:latest
```
You can customize the collection of Netflow data by using the Netflow Codec Configuration Options.

This Docker image runs `logstash -f /srv/logstash.conf` by default. Override this CMD if you are using another Logstash configuration file or path, or would like to add additional Logstash command-line parameters.
Since the Netflow codec plugin provides no default value for `netflow_definitions`, I added a default `netflow_definitions` configuration file inside this Docker image (taken from logstash-plugins/logstash-codec-netflow). To change this configuration, simply "override" the definition by mounting a Docker volume at the same destination path. To achieve this, use `-v /your/path/your_netflow.yaml:/srv/netflow.yaml`.
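As an added example (not the configuration shipped in this image), the following `logstash.conf` wires together the pieces described above: the UDP Netflow input on port 9995, the mounted `/srv/netflow.yaml` definitions, a JSON dump into the `/data` volume, and the optional STDOUT output left disabled. The `versions` list, the daily file naming and the `collector` field are assumptions chosen for illustration.

```conf
# Added example logstash.conf for hsrnetwork/docker-logstash-netflow.
# Port 9995/udp matches the -p 9995:9995/udp mapping of the docker run command.
input {
  udp {
    port => 9995
    codec => netflow {
      # Assumption: accept NetFlow v5, v9 and IPFIX (v10) exporters.
      versions => [5, 9, 10]
      # Field definitions; /srv/netflow.yaml is the path the image ships
      # and the one you override with -v /your/path/your_netflow.yaml:/srv/netflow.yaml
      netflow_definitions => "/srv/netflow.yaml"
    }
  }
}

filter {
  # Example of "further processing logic": tag each flow with the collector
  # host so dumps from several collectors can later be told apart (assumed field).
  mutate {
    add_field => { "collector" => "%{host}" }
  }
}

output {
  # Default behaviour described in the README: one JSON record per line,
  # written below the /data volume (host: /opt/netflow-data). Daily file
  # rotation via the date pattern is an assumption.
  file {
    path  => "/data/netflow-%{+YYYY-MM-dd}.json"
    codec => json_lines
  }

  # Printing flows to STDOUT is disabled by default; uncomment to enable it.
  # stdout { codec => rubydebug }
}
```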
This Docker Hub build is kept up to date by always using the latest tag from the official docker.elastic.co Docker registry. See the following links for more information: