morbius
By far one of the NetFlow collectors of all time.
How it works
It uses GoFlow from Cloudflare to collect NetFlow and implements a custom transports to do stuff with the data. First a set of Enrichers take the flows and do extra processing to add information (such as converting protocol numbers to protocol names and such). Then one or more Destinations are responsible for putting the flow information somewhere.
Enrichers
AddrTypeEnricher
- sets a _type
field based on the type of IP address (private
, global
, etc.)
FieldMapperEnricher
- allows arbitrary field additions based on either simple key/value mappings or more complex logic. Useful for setting config-specific friendly names e.g. {in,out}_interface
, sampler_address
, etc.
MaxmindDBEnricher
- adds IP address information from a MaxMind DB
NetDBEnricher
- adds protocol, service, and EtherType information based on netdb
ProtonamesEnricher
(deprecated - use NetDBEnricher
instead) - adds protocol and etype names based on a lookup table
RDNSEnricher
- adds rDNS hostname based on IP address fields
ProtonamesEnricher
-> NetDBEnricher
migration
The built-in database for netdb is based on Debian's netbase project. Unfortunately, that database doesn't contain all of the entries supported by ProtonamesEnricher
nor does it present the names in the exact same format. Morbius takes care of the missing entries, however there is no special handling for full backwards compatibility. If you need full backwards compatibility, use the following configuration to enable name aliases for the protocols and EtherTypes that will match that ProtonamesEnricher
outputs:
Show configuration
enrichers:
netdb:
protocols:
built_in: true
name_aliases:
ah: IPSEC-AH
hmp: HMP
hip: HIP
ddp: DDP
xtp: XTP
vmtp: VMTP
rspf: RSPF
tcp: TCP
dccp: DCCP
ipv6-frag: IPv6-Frag
hopopt: HOPOPT
pim: PIM
manet: MANET
rsvp: RSVP
idpr-cmtp: IDPR-CMTP
skip: SKIP
ggp: GGP
ipencap: IP-ENCAP
l2tp: L2TP
ipv6: IPv6
ipv6-opts: IPv6-Opts
udp: UDP
udplite: UDPLite
mobility-header: Mobility-Header
igmp: IGMP
shim6: Shim6
vrrp: VRRP
ax.25: AX.25
sctp: SCTP
ipv6-nonxt: IPv6-NoNxt
gre: GRE
mpls-in-ip: MPLS-in-IP
ipv6-icmp: IPv6-ICMP
eigrp: EIGRP
pup: PUP
ospf: OSPFIGP
esp: IPSEC-ESP
encap: ENCAP
fc: FC
ipcomp: IPCOMP
wesp: WESP
icmp: ICMP
egp: EGP
xns-idp: XNS-IDP
iso-tp4: ISO-TP4
st: ST
igp: IGP
rohc: ROHC
isis: ISIS
ipv6-route: IPv6-Route
idrp: IDRP
ipip: IPIP
rdp: RDP
etherip: ETHERIP
ethertypes:
built_in: true
name_aliases:
wake-on-lan: Wake-on-LAN
PPP_DISC: PPPoE Discovery Stage
PPP_SES: PPPoE Session Stage
MACSEC: MACsec
AARP: AppleTalk AARP
srp: SRP
ATALK: AppleTalk
EAPOL: 802.1X
loopback: Loopback
S-TAG: S-Tag
mikrotik-romon: MikroTik RoMON
qnx-qnet: QNX Qnet
slpp: SLPP
epon: EPON
MPLS_MULTI: MPLS multicast
802_1Q: C-Tag
lacp: LACP
cobranet: CobraNet
vlacp: VLACP
avtp: AVTP
MPLS: MPLS unicast
Destinations
DiscardDestination
- A dummy destination that simply does a JSON marshall and then throws the result away. Used mainly in development.
StdoutDestination
- Outputs the flow to stdout in JSON or logfmt format. Useful for testing and debugging.
ElasticsearchDestination
- Indexes the flow into an Elasticsearch index.
LokiDestination
- Pushes the flow to Loki.
PrometheusDestination
- Aggregates flow information info metrics and exposes those in the :http/metrics
endpoint.
Use Case
I wanted something that could process NetFlow records on a small-ish scale, like for a homelab (<1Gbps-ish). I wanted it to be as self-contained as possible and with relatively minimal resource utilization (so no Kafka, like is used in the original Cloudflare project). I also wanted something more targetted to NetFlow processing and not a general purpose log/event pipeline (e.g. Logstash, Filebeat) because I find those can be very cumbersome to use with NetFlow and also really limit the amount of enrichment you can do.
How to use it
Configuration is done via a YAML file. The path to file can be passed with the flag -config-file
. It defaults to reading ./config.yaml
in the current working directory. An annotated example config file is present at config.example.yaml
. Using the -print-config
flag can help debug configuration issues.
It's probably a good idea to create a new config from scratch and only use the example as reference. Here's a decent minimal config to build on with Loki and Prometheus destinations enabled:
server:
netflowv5:
enable: true
netflowv9:
enable: true
sflow:
enable: true
http:
enable: true
enrichers:
proto_names:
enable: true
rdns:
enable_cache: true
cache_size: 2048
maxmind_db:
enable_cache: true
cache_size: 128
database_paths:
- /opt/MaxmindDB/GeoLite2-ASN.mmdb
- /opt/MaxmindDB/GeoLite2-City.mmdb
enabled_field_groups:
- asn
- city
destinations:
loki:
push_url: http://loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
static_labels:
job: netflow
dynamic_labels:
- dst_addr
- src_addr
prometheus:
count_bytes: true
count_packets: true
metric_labels:
- dst_addr
- dst_port
- src_port
- src_addr
- protocol_name
export_ip_info: true
ip_info_labels:
- addr
- hostname
- asn_org
- asn
- city_name
- connection_type
- continent_name
- country_name