nanog mailing list archives
Re: Spiffy Netflow tools?
From: Nick Hilliard <nick () foobar org>
Date: Tue, 27 Mar 2018 12:22:28 +0100
Stipo wrote:
+1 ElastiFlow, the templates are great, a great quickstart to using netflow on elk stack.
Out of curiosity, I set up a test ElastiFlow installation on a small site recently. It's completely gorgeous from an eye candy point of view and it's pretty easy to see how you could tap into the ELK APIs to do interesting data mangling.

On the down-side, it used ~40x the amount of disk space that nfsen used for the same accounting period, and even though it was only handling less than 1G traffic at a NF sample rate of 1:10, logstash and elasticsearch managed to peg between 4-6 cores on the server which was handling it. Granted, these were only E5606 (2011-era Westmere Xeon) cpus, but even still there was an alarming mismatch between the amount of compute power required compared to the amount of netflow traffic being handled.

It would be interesting to hear the sort of cpu requirements needed for larger installations. Obviously you can scale elkstack sideways, so it wouldn't be difficult to build out something which performed well. The issue is that burning cpu time can become an expensive proposition.

Nick