What Does This Log Mean?

Log: netflowv5-tcp80
{"port":5601,"format":"netflowv5","header":{"version":5,"count":30,"sys_uptime":1914116404,"unix_secs":1654392803,"unix_nsecs":436470348,"flow_sequence":2577672181,"engine_type":0,"engine_id":0,"sampling_interval":0},"record":{"srcaddr":"190.x.x.1","dstaddr":"70.y.y.2","nexthop":"0.0.0.0","input":297,"output":0,"dPkts":1,"dOctets":40,"first":1914114908,"last":1914114908,"srcport":53489,"dstport":80,"pad1":0,"tcp_flags":2,"prot":6,"tos":0,"src_as":0,"dst_as":0,"src_mask":0,"dst_mask":0,"pad2":0}}
For: NetFlow v5 JSON output to syslog

Meaning: This is the JSON output of NetFlow being sent to syslog. NetFlow tracks connections happening in the network and can be very noisy: even a small network can generate millions of flows (and logs) per day. In this specific case, it shows a new connection from 190.x.x.1 to 70.y.y.2 on TCP port 80 (prot 6 is TCP, and tcp_flags 2 means only a SYN was seen in the flow).

What to do: Nothing much, unless the dstport is not allowed to receive inbound traffic or you are seeing a DoS (denial of service) from the source IP. It is also good to visualize the NetFlow events to track your network utilization.
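
The two checks above (traffic to a dstport that should not receive it, and one source opening many connections) can be run over the JSON lines directly. This is an added example, not part of the original page or of any product's code; it uses the field names from the log shown above. The allow list, the threshold, the helper names and the sample lines are assumptions, and the lines fed in are assumed to be inbound flows.

```python
import json
from collections import Counter

ALLOWED_INBOUND_PORTS = {80, 443}  # assumption: ports your policy permits inbound
SYN_ONLY_THRESHOLD = 3             # assumption: tune to your normal traffic
TCP, SYN = 6, 0x02                 # prot 6 = TCP; tcp_flags 2 = SYN only

def review_flows(lines, allowed_ports=ALLOWED_INBOUND_PORTS,
                 syn_threshold=SYN_ONLY_THRESHOLD):
    """Return (flows to disallowed ports, sources with many SYN-only flows)."""
    disallowed, syn_only = [], Counter()
    for line in lines:
        try:
            rec = json.loads(line)["record"]
            src, dst = rec["srcaddr"], rec["dstaddr"]
            dport, prot = rec["dstport"], rec["prot"]
        except (ValueError, KeyError, TypeError):
            continue  # not a NetFlow v5 JSON record; skip it
        if prot != TCP:
            continue
        if dport not in allowed_ports:
            disallowed.append((src, dst, dport))
        # tcp_flags is the OR of all flags seen in the flow, so a value of
        # exactly SYN means the flow never got past the opening packet.
        if rec.get("tcp_flags") == SYN:
            syn_only[src] += 1
    noisy = {s: n for s, n in syn_only.items() if n >= syn_threshold}
    return disallowed, noisy

def make_flow(src, dstport, tcp_flags, prot=TCP):
    """Build a constructed sample line using the page's field names."""
    return json.dumps({"format": "netflowv5", "record": {
        "srcaddr": src, "dstaddr": "203.0.113.10", "srcport": 50000,
        "dstport": dstport, "tcp_flags": tcp_flags, "prot": prot,
        "dPkts": 1, "dOctets": 40}})

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE_LINES = [make_flow("198.51.100.7", 80, 2)] * 4 + [
    make_flow("198.51.100.9", 80, 27),    # FIN+SYN+PSH+ACK: a completed session
    make_flow("198.51.100.9", 3389, 2),   # SYN to a port outside the allow list
    make_flow("198.51.100.9", 53, 0, prot=17),  # UDP, ignored here
    "syslog line that is not JSON",
]

if __name__ == "__main__":
    bad_ports, syn_sources = review_flows(SAMPLE_LINES)
    print("disallowed:", bad_ports)
    print("SYN-only sources:", syn_sources)
```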