Log Insight + Netflow = Awesome

This is just another awesome use case for Log Insight. I have set up the vSphere Distributed Switch to send NetFlow to a NetFlow proxy, which then forwards the flow records as syslog messages to Log Insight. The proxy is needed because Log Insight can't ingest NetFlow natively.

What you then end up with is a lot of logged NetFlow messages like the one below. Ignore the extracted field names; these can be named as you wish. I went for speed :)

[Screenshot: LogInsight-Syslog-msg]

You might be thinking: what can this be used for, and why should I care?

Log Insight + Netflow = Awesome

I have created a dashboard and some widgets to give you an idea of what can be done with this kind of information.

[Screenshot: LogInsight-Netflow-widget]

First off is traffic flows: which VMs talk to each other a lot, and how much data they transfer. Depending on how your network environment is set up, this might call for vMotioning some VMs onto the same host to limit north/south network traffic and keep it all local to the host. We also get to see which protocols are being used and how much traffic each protocol is responsible for.

More?

What about VMs which communicate over insecure protocols?

[Screenshot: LogInsight-Netflow-Insecure]

What about data transferred?

[Screenshot: LogInsight-Netflow-Transferred]
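To make the three widgets above concrete (VM-to-VM traffic volume, bytes per protocol, and flows over insecure protocols), here is an added example of the same analysis done in plain Python over flow records in syslog form. This is not code from the post or from the proxy or content pack it refers to: the syslog line layout, the field names (src, dst, proto, sport, dport, bytes, packets), the sample addresses and the list of ports treated as insecure are all constructed assumptions for illustration. Whatever the real proxy emits, the same idea applies: parse the fields once, then aggregate.

```python
import re
from collections import defaultdict

# Constructed sample input: syslog lines as a hypothetical NetFlow-to-syslog proxy
# might emit them. Field names and addresses are assumptions, not the post's own
# extracted fields. The last line is deliberately malformed to show it is skipped.
SAMPLE_SYSLOG = """\
<14>Jun 10 12:00:01 nfproxy netflow: src=10.0.0.11 dst=10.0.0.12 proto=6 sport=51000 dport=443 bytes=184320 packets=140
<14>Jun 10 12:00:02 nfproxy netflow: src=10.0.0.11 dst=10.0.0.13 proto=6 sport=51001 dport=23 bytes=2048 packets=16
<14>Jun 10 12:00:03 nfproxy netflow: src=10.0.0.12 dst=10.0.0.11 proto=6 sport=443 dport=51000 bytes=921600 packets=700
<14>Jun 10 12:00:04 nfproxy netflow: src=10.0.0.14 dst=10.0.0.13 proto=17 sport=40000 dport=161 bytes=512 packets=4
<14>Jun 10 12:00:05 nfproxy netflow: src=10.0.0.14 dst=10.0.0.15 proto=6 sport=40001 dport=21 bytes=4096 packets=30
<14>Jun 10 12:00:06 nfproxy netflow: this line is malformed and should be skipped
"""

# One regex extracts every field we care about; anything that does not match is dropped.
FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\d+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+) packets=(?P<packets>\d+)"
)

# Assumed list of cleartext/legacy services to surface on an "insecure protocols" widget.
# Port-based labelling is a heuristic: a service on a non-standard port will not be caught.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp", 512: "rexec", 513: "rlogin"}
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow(line):
    """Return a dict of typed flow fields, or None if the line carries no flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    for key in ("proto", "sport", "dport", "bytes", "packets"):
        flow[key] = int(flow[key])
    return flow


def parse_flows(text):
    """Parse every line of a syslog export, silently skipping lines without a flow."""
    return [f for f in (parse_flow(line) for line in text.splitlines()) if f]


def bytes_per_pair(flows):
    """Total bytes exchanged between each VM pair, regardless of direction."""
    totals = defaultdict(int)
    for f in flows:
        pair = tuple(sorted((f["src"], f["dst"])))  # (a, b) and (b, a) are the same conversation
        totals[pair] += f["bytes"]
    return dict(totals)


def bytes_per_protocol(flows):
    """Total bytes per IP protocol (tcp/udp/icmp), falling back to the raw number."""
    totals = defaultdict(int)
    for f in flows:
        totals[IP_PROTO.get(f["proto"], str(f["proto"]))] += f["bytes"]
    return dict(totals)


def insecure_flows(flows):
    """Flows whose destination port is on the assumed insecure-service list."""
    return [(f["src"], f["dst"], INSECURE_PORTS[f["dport"]])
            for f in flows if f["dport"] in INSECURE_PORTS]


def top_talkers(flows, n=3):
    """The n VM pairs that moved the most bytes, largest first."""
    return sorted(bytes_per_pair(flows).items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_SYSLOG)
    print("top talkers:", top_talkers(flows))
    print("bytes per protocol:", bytes_per_protocol(flows))
    print("insecure flows:", insecure_flows(flows))
```

The direction-agnostic pairing in `bytes_per_pair` is what turns two one-way flow records (request and response) into the single "these two VMs talk a lot" number the traffic widget wants. The port-to-service mapping is the weak spot of any such widget: it only finds insecure services on their well-known ports, so treat the result as a starting point for investigation rather than a complete inventory.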

The possibilities are almost limitless.

Another use case could be to see which VMs a given VM talks to, and then create an application group in vRops based on the actual network traffic flow instead of guessing.

What about adding NetFlow from other network devices and firewall traffic? Now you start to be able to map what is going on in your entire network, so you can start acting on it!

This is where the power of Log Insight comes in.

Continue reading part 2, where the configuration files, scripts and content pack are available.

Update:

By the way, I'm not the only one who sees this. See this YouTube video, which recently appeared from VMware, on microsegmentation with NSX and Log Insight: https://www.youtube.com/watch?v=9aRMEx4cB34

Log Insight is used to show the traffic flow between virtual machines in order to create the microsegmentation with NSX. Pretty cool.

This article was updated on 17 Dec 2025