SUPPORTING ElastiFlow™ - Today literally 1000s of users leverage ElastiFlow™ As a powerful alternative to expensive commercial flow collecting solutions. As its popularity has increased, so has the time commitment necessary to support users and provide further enhancements. If you are one of the organizations who appreciate the value of ElastiFlow™, I would like to ask you to consider becoming a sponsor. The support from sponsors allows me dedicate more time and energy to the project. To become a sponsor, please visit ElastiFlow on .

ElastiFlow™ provides network flow data collection and visualization using the Elastic Stack (Elasticsearch, Logstash and Kibana). It supports Netflow v5/v9, sFlow and IPFIX flow types (1.x versions support only Netflow v5/v9).

I was inspired to create ElastiFlow™ following the overwhelmingly positive feedback received to an article I posted on Linkedin... WTFlow?! Are you really still paying for commercial solutions to collect and analyze network flow data?

Organization	Feedback
	“Right now this is my personal favorite analytics tool. I use it extensively and am always finding a new way to leverage it."
	"We're using it since two months in our new datacenter and our network admins are very happy and impressed."
	"Of all the netflow tools I’ve tested it has, by far, the best visualizations."
	"We absolutely love ElastiFlow and recently stood it up in production. Looking forward to new functionality and dashboards."

NOTE: Elastic Stack 7.x requires ElastiFlow™ 3.5.x. To deploy on Elastic Stack 6.x you must use ElastiFlow™ 3.4.2 or earlier. The 3.4 branch will be maintained independently of the master branch for a while, as most users are still using a pre-7 release of the Elastic Stack.

ElastiFlow™ is built using the Elastic Stack, including Elasticsearch, Logstash and Kibana. Please refer to INSTALL.md for instructions on how to install and configure ElastiFlow™

NOTE: Please make sure that have reviewed KNOWN_ISSUES.md prior to getting started.

The following dashboards are provided.

NOTE: The dashboards are optimized for a monitor resolution of 1920x1080.

There are separate Top-N dashboards for Top Talkers, Services, Conversations and Applications.

ElastiFlow™ includes a dictionary of public IP addresses that are known to have a poor reputation. This dictionary is built from many OSINT data sources, normalized to a common taxonomy. The Threats dashboard uses this IP reputation information to highlight three threat/risk types.

1. Public Threats - Public clients with a poor IP reputation that are reaching private addresses.
2. At-Risk Servers - Private Servers that are being reached by clients with a poor IP reputation.
3. High-Risk Clients - Private clients that are accessing public servers which have a poor reputation.

There are separate Sankey dashboards for Client/Server, Source/Destination and Autonomous System perspectives. The sankey visualizations are built using the new Vega visualization plugin.

There are separate Geo Location dashboards for Client/Server and Source/Destination perspectives.

Provides a view of traffic to and from Autonomous Systems (public IP ranges)

ElastiFlow™ v3.4.0 added support for IPFIX records from Ziften's ZFlow agent. In addition to being fully integrated with the standard dashboards, a stand-alone ZFlow dashboards displays network traffic based on user and command data provided by ZFlow.

This product includes GeoLite2 data created by MaxMind, available from (http://www.maxmind.com)