We have to be honest: logs are often an afterthought for most developers. Many logs are cryptic unless you can look at the code and see what is going on. In this section, we share what we think of specific logs: the cryptic ones, the fun ones and some of the ones we see most often.
{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"sys_uptime":1914116404,"unix_secs":1654392803,"unix_nsecs":436470348,"flow_sequence":2577672181,"engine_type":0,"engine_id":0,"sampling_interval":0},"record":{"srcaddr":"190.x.x.1","dstaddr":"70.y.y.2","nexthop":"0.0.0.0","input":297,"output":0,"dPkts":1,"dOctets":40,"first":1914114908,"last":1914114908,"srcport":53489,"dstport":80,"pad1":0,"tcp_flags":2,"prot":6,"tos":0,"src_as":0,"dst_as":0,"src_mask":0,"dst_mask":0,"pad2":0}}
ID: netflowv5-tcp80
For: Netflowv5 JSON output to syslog
Meaning: This is the JSON output of NetFlow being sent to syslog. NetFlow tracks connections happening in the network and can be very noisy: even a small network can generate millions of flows (and logs) per day. In this specific case, it shows a new connection from 190.x.x.1 to 70.y.y.2 on TCP port 80 (prot 6 is TCP, and tcp_flags 2 means only the SYN flag was seen, so this is a connection attempt).
What to do: Usually nothing, unless the dstport is one that should not receive inbound traffic, or you are seeing a DoS (denial of service) from the source IP. It is also useful to visualize the NetFlow events to track your network utilization.
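To make the two checks above concrete (is the destination port allowed inbound, and is one source hammering us with connection attempts), here is an added example in Python that parses NetFlow v5 JSON lines of the shape shown above, decodes `prot` and `tcp_flags`, and flags flows worth a second look. It is not code from the original page; the sample lines are constructed for this example (the first mirrors the record above with its anonymised addresses, the others use RFC 5737 documentation addresses), and the `allowed_inbound_ports` set and the SYN threshold are assumptions you would replace with your own policy.

```python
import json
from collections import Counter

# Constructed sample log lines. The first reproduces the record discussed above
# (anonymised addresses kept as on the page); the rest are made up to exercise
# the checks. Header fields are trimmed to the ones this example reads.
SAMPLE_LINES = [
    '{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"unix_secs":1654392803},'
    '"record":{"srcaddr":"190.x.x.1","dstaddr":"70.y.y.2","dPkts":1,"dOctets":40,'
    '"srcport":53489,"dstport":80,"tcp_flags":2,"prot":6}}',
    # Normal established HTTPS flow: PSH|ACK (8+16), many packets.
    '{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"unix_secs":1654392803},'
    '"record":{"srcaddr":"198.51.100.5","dstaddr":"70.y.y.2","dPkts":12,"dOctets":9000,'
    '"srcport":40211,"dstport":443,"tcp_flags":24,"prot":6}}',
    # Three SYN-only probes from one source to ports that are not allowed inbound.
    '{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"unix_secs":1654392804},'
    '"record":{"srcaddr":"203.0.113.7","dstaddr":"70.y.y.2","dPkts":1,"dOctets":40,'
    '"srcport":51000,"dstport":22,"tcp_flags":2,"prot":6}}',
    '{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"unix_secs":1654392804},'
    '"record":{"srcaddr":"203.0.113.7","dstaddr":"70.y.y.2","dPkts":1,"dOctets":40,'
    '"srcport":51001,"dstport":3389,"tcp_flags":2,"prot":6}}',
    '{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"unix_secs":1654392805},'
    '"record":{"srcaddr":"203.0.113.7","dstaddr":"70.y.y.2","dPkts":1,"dOctets":40,'
    '"srcport":51002,"dstport":8080,"tcp_flags":2,"prot":6}}',
    # A UDP flow: tcp_flags carries no meaning for non-TCP protocols.
    '{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"unix_secs":1654392805},'
    '"record":{"srcaddr":"198.51.100.9","dstaddr":"70.y.y.2","dPkts":2,"dOctets":160,'
    '"srcport":33000,"dstport":53,"tcp_flags":0,"prot":17}}',
]

# NetFlow v5 tcp_flags is the cumulative OR of the TCP flag bits seen in the flow.
TCP_FLAG_BITS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_tcp_flags(value):
    """Return the names of the flag bits set in a tcp_flags value, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if value & bit]


def parse_flow(line):
    """Parse one JSON log line; return a flat dict, or None if it is not a netflowv5 record."""
    doc = json.loads(line)
    if doc.get("format") != "netflowv5" or "record" not in doc:
        return None
    rec = doc["record"]
    proto = PROTO_NAMES.get(rec["prot"], rec["prot"])
    return {
        "unix_secs": doc.get("header", {}).get("unix_secs"),
        "srcaddr": rec["srcaddr"],
        "dstaddr": rec["dstaddr"],
        "srcport": rec["srcport"],
        "dstport": rec["dstport"],
        "proto": proto,
        # Flag names only make sense for TCP; report an empty list otherwise.
        "flags": decode_tcp_flags(rec["tcp_flags"]) if proto == "TCP" else [],
        "packets": rec["dPkts"],
        "bytes": rec["dOctets"],
    }


def review_flow(flow, allowed_inbound_ports):
    """Apply the two checks from the text: unexpected inbound port, and a bare SYN with no reply."""
    findings = []
    if flow["dstport"] not in allowed_inbound_ports:
        findings.append("unexpected-inbound-port")
    if flow["proto"] == "TCP" and flow["flags"] == ["SYN"] and flow["packets"] == 1:
        findings.append("syn-only-single-packet")
    return findings


def syn_flood_sources(flows, threshold):
    """Sources that produced at least `threshold` SYN-only TCP flows (possible DoS or sweep)."""
    counts = Counter(f["srcaddr"] for f in flows if f["proto"] == "TCP" and f["flags"] == ["SYN"])
    return {src: n for src, n in counts.items() if n >= threshold}


def analyse(lines, allowed_inbound_ports, syn_threshold):
    """Parse all lines and return (per-flow findings, noisy SYN sources)."""
    flows = [f for f in (parse_flow(l) for l in lines) if f is not None]
    reviewed = [(f, review_flow(f, allowed_inbound_ports)) for f in flows]
    return reviewed, syn_flood_sources(flows, syn_threshold)


if __name__ == "__main__":
    # Assumed policy for the demo: only 80 and 443 accept inbound traffic; 3 SYN-only flows is noisy.
    reviewed, noisy = analyse(SAMPLE_LINES, allowed_inbound_ports={80, 443}, syn_threshold=3)
    for flow, findings in reviewed:
        if findings:
            print(f"{flow['srcaddr']}:{flow['srcport']} -> {flow['dstaddr']}:{flow['dstport']} "
                  f"{flow['proto']} {'|'.join(flow['flags'])}: {', '.join(findings)}")
    print("SYN-only sources over threshold:", noisy)
```

The record from the page comes out as a single-packet SYN to an allowed port, which on its own is just a client opening a connection; it only becomes interesting when the same source repeats it many times, which is what the per-source counter is for.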