First of all, I’d like to explain in simple terms what Elastiflow is all about. ElastiFlow is a NetFlow analyzer that works with the Elastic Stack.
The Elastiflow Analyzer can collect various network flows, such as NetFlow or sFlow, and write them to Elastic in the ECS (Elastic Common Schema) format. In addition, the Elastiflow Analyzer provides a number of ready-made dashboards that make analysis of the flow data much easier.
Of course, it’s also possible to create your own dashboards, or to change the dashboards that are already included.
One of our customers purchased Elastiflow some time ago, and it was now time to install the latest version 5 in their NetEye SIEM environment. Since I was already familiar with the previous version, I was able to make a good comparison between the two.
The prerequisite for the installation is a NetEye SIEM environment, which is already based on Elastic. The new Elastiflow analyzer can easily be installed on the NetEye server via an rpm package. You should then create a dedicated user in Elastic that the Elastiflow analyzer will authenticate with.
Elastiflow runs as a systemd service and is configured through a configuration file, located at:
In it you configure the Elastiflow user you just created, its password, and the UDP port on which flows are received. To enable visualization of geolocation on the Elastiflow dashboards, the GeoLite databases must be linked into the /etc/elastiflow/maxmind directory. The Elasticsearch output settings must also be enabled and configured.
In addition, the ElastiFlow system user on the NetEye server must be added to the logstash group, and finally, the dashboards have to be downloaded as ndjson files from the Elastiflow site and imported into the Elastic system.
If all configuration parameters have been set successfully, the Elastiflow Analyzer can be started as a systemd service:
If flows are already being sent to the defined port, they will be displayed in the dashboards.
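The Elastic user created for the analyzer should be a dedicated, least-privilege account rather than a superuser. The following is an added example (not part of the original post and not ElastiFlow's own tooling) that creates such a role and user through the Elasticsearch security API and then re-reads the stored role to confirm it carries no wildcard privileges; the role, user and index-pattern names and the privilege list are assumptions to adapt to your environment.

```python
import base64
import json
import urllib.request

# Assumed names (not from the original post): role/user names and the index
# pattern the collector writes to. Adjust them to your environment.
ROLE_NAME = "elastiflow_writer"
USER_NAME = "elastiflow"
INDEX_PATTERNS = ["elastiflow-*"]

def elastiflow_role_body():
    """Least-privilege role for the collector: no cluster 'all', no '*' indices.
    The privilege list is an assumption; drop entries the collector does not need."""
    return {
        "cluster": ["monitor", "manage_index_templates", "manage_ilm"],
        "indices": [{
            "names": INDEX_PATTERNS,
            "privileges": ["create_index", "write", "view_index_metadata", "manage"],
        }],
    }

def overprivileged(role):
    """Findings for a role document (shape of GET /_security/role/<name>)."""
    findings = []
    if "all" in role.get("cluster", []):
        findings.append("cluster privilege 'all'")
    for idx in role.get("indices", []):
        names = idx.get("names", [])
        if "*" in names:
            findings.append("index pattern '*'")
        if "all" in idx.get("privileges", []):
            findings.append("index privilege 'all' on " + ",".join(names))
    return findings

def _call(base_url, auth, method, path, body=None):
    """Minimal JSON client for the Elasticsearch security API (basic auth)."""
    token = base64.b64encode(("%s:%s" % auth).encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Authorization": "Basic " + token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def create_elastiflow_user(base_url, admin_auth, password):
    """Create role and user, then re-read the role and report over-privilege."""
    _call(base_url, admin_auth, "PUT", "/_security/role/" + ROLE_NAME, elastiflow_role_body())
    _call(base_url, admin_auth, "PUT", "/_security/user/" + USER_NAME,
          {"password": password, "roles": [ROLE_NAME]})
    stored = _call(base_url, admin_auth, "GET", "/_security/role/" + ROLE_NAME)
    return overprivileged(stored[ROLE_NAME])
```

`create_elastiflow_user("https://neteye.example:9200", ("elastic", "<admin password>"), "<collector password>")` returns an empty list when the stored role is as restrictive as intended; any finding means the role should be tightened before the analyzer goes live.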
In my opinion, the installation of the new Elastiflow version 5 is now much easier than before.
Incidentally, the customer for whom I installed the Elastiflow Analyzer operates a NetEye SIEM cluster, so I had to configure the Elastiflow Analyzer to work in a cluster environment. This, too, was easy to do.
Finally, I must mention that Würth Phoenix is an Elastiflow partner and thus supports and offers integration of the Elastiflow module via the NetEye SIEM.
I started my professional career as a system administrator.
Over the years, my area of responsibility changed from administrative work to the architectural planning of systems.
During my activities at Würth IT Italy, the focus of my area of responsibility changed to the installation and consulting of the IT system management solution WÜRTHPHOENIX NetEye.
In the meantime, I take care of the implementation and planning of customer projects in the area of our unified monitoring solution.
Author
Tobias Goller