In this tutorial we show how to build flow-based monitoring with a customized Turris Omnia router and the ELK stack.

Outline of the tutorial

  1. Monitoring probe using OpenWrt / Turris router
  2. Flow collector and visualization
  3. Traffic analysis - Time series (Resources)

Download the presentation (PDF).

Ways of participation

The tutorial is limited to 60 minutes and to 12 routers, so participants are expected to work in groups; each group will be given access to one router.

Alternatively, you can download the virtual machines and work locally on your laptop.

  • Flow Collector (containing tools to collect flow data from monitoring probes and visualize them with ELK)
  • Jupyterhub VM (containing example notebook with a dataset to showcase possible analysis using time series)

The system requirements for the provided images are:

  • 8 GB of RAM
  • VirtualBox installed on the system

The images are provided in Open Virtualization Appliance (.ova) format. An .ova file is the standard single-file packaging of a virtual appliance: a pre-configured virtual machine together with everything needed to run it.

Username: vagrant

Password: vagrant

These are the well-known default Vagrant credentials; change them if a VM is reachable from anything other than your own laptop.

Flow Collector

The Flow Collector consists of two components: the ELK stack and ipfixcol2.

ELK stands for Elasticsearch, Logstash and Kibana, three open-source tools for storing and analysing log and event data. Elasticsearch is a distributed search and analytics engine, Logstash is a data collection and processing pipeline, and Kibana is a visualization and exploration front end.

ipfixcol2 is a standalone IPFIX (IP Flow Information Export) collector. IPFIX is the IETF protocol for exporting network flow records from probes and routers, and is typically used for network monitoring and traffic analysis.

The collector listens on TCP port 4739 for IPFIX flows from the probes. Kibana is served over HTTP on port 5601 and provides visualization and flow browsing. Both ports are plain TCP/HTTP, so keep the collector VM on the lab network rather than exposing it further.
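As an added check, not part of the original tutorial, the following shell snippet confirms that the collector VM really has LISTEN sockets on the two ports named above before you point a probe at it. It reads the output of iproute2's `ss -ltn` on stdin (assumed to be available on the VM); the sample `ss` output embedded in it is constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the tutorial: verify that the Flow Collector
# exposes TCP/4739 (IPFIX input of ipfixcol2) and TCP/5601 (Kibana).
# Feed it the output of `ss -ltn` on stdin; assumes iproute2 `ss` is present.
set -eu

# Constructed sample of `ss -ltn` output, for running this file offline.
# Kibana is deliberately missing so the check has something to report.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:4739      0.0.0.0:*
LISTEN 0      4096   127.0.0.1:9200    0.0.0.0:*'

# missing_listeners PORT... : read `ss -ltn` output from stdin and print one
# line per expected port that has no LISTEN socket. Returns 0 if none is missing.
missing_listeners() {
    # Field 4 is the local address; the port follows the last ':' so that
    # 0.0.0.0:4739, [::]:5601 and *:4739 are all handled the same way.
    listening="$(awk 'NR > 1 { n = split($4, a, ":"); print a[n] }')"
    rc=0
    for port in "$@"; do
        if ! printf '%s\n' "$listening" | grep -qx -- "$port"; then
            echo "no LISTEN socket on TCP/$port"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the collector VM:  ss -ltn | missing_listeners 4739 5601
# Offline demo against the constructed sample (exits non-zero, 5601 is missing):
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | missing_listeners 4739 5601
fi
```

If 4739 is reported missing, check that ipfixcol2 is running; if 5601 is missing, Kibana has not started yet (it usually comes up some time after Elasticsearch).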

Jupyterhub VM

The Jupyterhub VM runs a JupyterHub instance, a platform for hosting and managing Jupyter notebooks, served over HTTP on port 8888. The /notebooks folder inside the VM contains the files needed for the tutorial. More about Jupyter.

Optional: OpenWrt (Router)

Optionally, you can try your own virtual router, similar to the Turris Omnia routers available in the tutorial.

  • Download: openwrt22.03.3.ova, an x86_64 virtual machine running OpenWrt (standing in for the router); it can be imported into VirtualBox.

Packages come from our public opkg repository; before opkg will accept them, the repository's signing key has to be installed.

Complete steps to set up the repo and install ipfixprobe:

  1. Add the public key:
    cd /tmp
    wget https://netmon.fit.cvut.cz/@master/openwrt/pubkey
    opkg-key add pubkey
    
  2. Add the repo:
    source /etc/openwrt_release
    echo "src/gz cesnet https://netmon.fit.cvut.cz/openwrt/$DISTRIB_ARCH/cesnet" >> /etc/opkg/customfeeds.conf
    
  3. Install luci-app-ipfixprobe:
    opkg update
    opkg install luci-app-ipfixprobe
    

Note: the LuCI web interface is reachable from br-lan (eth0) by default; the WAN interface is eth1.
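The three steps above can be combined into one re-runnable script. The following is an added example, not part of the tutorial or of the ipfixprobe project: it uses the key URL, feed URL and package name given above, but adds two things a practitioner would want, a sanity check that the downloaded file actually is a usign public key (OpenWrt keys are two lines, an "untrusted comment:" header and a base64 key) before handing it to opkg-key, and an idempotent feed append so re-running it does not pile up duplicate "cesnet" lines in customfeeds.conf. The `FEEDS_FILE` override and the `run` argument are conveniences assumed for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial page): idempotent version of the three
# setup steps for an OpenWrt/Turris router. Key URL, feed URL and package name
# are the ones given on the page; the helper names and FEEDS_FILE are assumed.
set -eu

KEY_URL="https://netmon.fit.cvut.cz/@master/openwrt/pubkey"
FEED_BASE="https://netmon.fit.cvut.cz/openwrt"
FEEDS_FILE="${FEEDS_FILE:-/etc/opkg/customfeeds.conf}"

# Build the feed line for a given DISTRIB_ARCH (e.g. "x86_64").
cesnet_feed_line() {
    printf 'src/gz cesnet %s/%s/cesnet\n' "$FEED_BASE" "$1"
}

# Append a feed line only if an identical line is not already present, so the
# script can be re-run without accumulating duplicate feeds (a plain ">>" as
# in step 2 appends a new copy every time).
add_feed_once() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -Fxq -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# A usign public key as used by OpenWrt is two lines: an "untrusted comment:"
# header and a base64 key. Refuse anything else (an HTML error page, an empty
# download) before it reaches opkg-key.
looks_like_usign_pubkey() {
    head -n1 "$1" | grep -q '^untrusted comment:' || return 1
    sed -n '2p' "$1" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# The actual network and package steps; only run on the router.
install_ipfixprobe() {
    . /etc/openwrt_release          # defines DISTRIB_ARCH (POSIX form of "source")
    tmp="$(mktemp)"
    wget -qO "$tmp" "$KEY_URL"
    if ! looks_like_usign_pubkey "$tmp"; then
        echo "downloaded file does not look like a usign public key, aborting" >&2
        rm -f "$tmp"
        return 1
    fi
    opkg-key add "$tmp"
    rm -f "$tmp"
    add_feed_once "$FEEDS_FILE" "$(cesnet_feed_line "$DISTRIB_ARCH")"
    opkg update
    opkg install luci-app-ipfixprobe
}

# Only touch the system when explicitly asked, so the helpers above can be
# sourced and exercised elsewhere:  sh setup-ipfixprobe.sh run
if [ "${1:-}" = "run" ]; then
    install_ipfixprobe
fi
```

Run it as `sh setup-ipfixprobe.sh run` on the router; afterwards `opkg list-installed | grep ipfixprobe` should list the package and the LuCI page for ipfixprobe appears under the web interface.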