Netflow vs Flow

Hi,

What is the main difference between Netflow or Flow logging?

Hi,

flow — logs bidirectional records
netflow — logs unidirectional records

Is it advised to use one or the other, or can both be used simultaneously?

Both can be used simultaneously, but by default we have flow enabled and netflow disabled. flow is more like a session log, it covers both sides of the connection. netflow is closer to what you might see from a router or switch, where each flow is just a single side of the connection.

It's generally easier to reason about the flow logs that contain all the information in one record.

Thank you for the fast and useful answer 🙂
Since I am using Suricata on a router, it seems wise to enable netflow (and maybe disable flow).

If you decided to do that based on what I said, it was not my intention. Routers/switches typically support this more classic form of netflow. Then you usually use some extra piece of software called a collector and/or aggregator that correlates the 2 sides. Suricata can give you this correlated record using flow. I’d consider flow better for general purpose, netflow if you have special needs for single-sided data.

I switched to netflow only, and I see more event packets.
I mirror packets lan to wan, router to wan, wan to lan and wan to router to a tap interface (dummy) on which Suricata listens as an IDS (in reality it is a bit more complex as I have 2 wan, and I am tapping after my firewall rules).
Then I use Filebeat to ship the Suricata logs to another device with Elasticsearch/Kibana/EveBox to visualize the alerts or events.

So with netflow you’ll have twice as many flow type records compared to flow to save, index, etc. Given flow or netflow events will be the most common type of event, this could have an impact on your database size and performance.

Thank you, I get the idea.
I suppose in the flow, the direction retained in the log is whoever initiates it?

Yes, src_ip will be the connection initiator.

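To make the difference concrete, here is an added example (mine, not code from the thread or from the Suricata project) that does what the collector/aggregator mentioned above does: it reads EVE JSON lines, counts how many records of each type would have to be shipped and indexed, and merges the two unidirectional netflow halves that share a flow_id into one bidirectional flow-style record whose src_ip is the initiator. The sample lines are constructed, and their field names (flow_id, netflow.pkts/bytes/start/end, flow.pkts_toserver etc.) are my approximation of the EVE schema, so treat them as an assumption. Picking the initiator as the half that started first is a heuristic; Suricata knows it from its own flow state. The third sample flow is an unanswered probe with only a to-server half, which, as far as I know, is what Suricata emits when no reply packets were seen, so the merge has to tolerate a missing half.

```python
"""Correlate Suricata EVE netflow records (one per direction) into
bidirectional flow-style records, i.e. the job a collector/aggregator does."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample EVE lines, not from a real capture. The field layout is
# an approximation of Suricata's netflow/flow schema (an assumption).
# Flow 1111: TCP session with both directions; 2222: DNS request/response;
# 3333: an unanswered probe, so only the to-server half exists. The final
# line is a native 'flow' record for 1111, used to cross-check the merge.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":1111,"event_type":"netflow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","netflow":{"pkts":12,"bytes":1500,"start":"2024-01-01T10:00:00.000000+0000","end":"2024-01-01T10:00:05.000000+0000"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":1111,"event_type":"netflow","src_ip":"93.184.216.34","src_port":443,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","netflow":{"pkts":10,"bytes":9000,"start":"2024-01-01T10:00:00.020000+0000","end":"2024-01-01T10:00:04.900000+0000"}}
{"timestamp":"2024-01-01T10:00:01.100000+0000","flow_id":2222,"event_type":"netflow","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","netflow":{"pkts":1,"bytes":70,"start":"2024-01-01T10:00:01.000000+0000","end":"2024-01-01T10:00:01.000000+0000"}}
{"timestamp":"2024-01-01T10:00:01.100000+0000","flow_id":2222,"event_type":"netflow","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.7","dest_port":40000,"proto":"UDP","netflow":{"pkts":1,"bytes":120,"start":"2024-01-01T10:00:01.005000+0000","end":"2024-01-01T10:00:01.005000+0000"}}
{"timestamp":"2024-01-01T10:00:32.000000+0000","flow_id":3333,"event_type":"netflow","src_ip":"10.0.0.9","src_port":60000,"dest_ip":"10.0.0.1","dest_port":22,"proto":"TCP","netflow":{"pkts":1,"bytes":60,"start":"2024-01-01T10:00:02.000000+0000","end":"2024-01-01T10:00:02.000000+0000"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":1111,"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":12,"bytes_toserver":1500,"pkts_toclient":10,"bytes_toclient":9000,"start":"2024-01-01T10:00:00.000000+0000","end":"2024-01-01T10:00:05.000000+0000"}}
"""


def parse_eve(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def count_by_type(records):
    """How many records of each event_type would have to be shipped/indexed."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec.get("event_type", "?")] += 1
    return dict(counts)


def correlate_netflow(records):
    """Merge the unidirectional netflow halves sharing a flow_id into one
    bidirectional record shaped like Suricata's flow event. The initiator
    (src_ip of the result) is the half that started first; that is a
    heuristic, Suricata itself knows the initiator from its flow state."""
    halves = defaultdict(list)
    for rec in records:
        if rec.get("event_type") == "netflow":
            halves[rec["flow_id"]].append(rec)

    merged = {}
    for flow_id, recs in halves.items():
        recs.sort(key=lambda r: _ts(r["netflow"]["start"]))
        client = recs[0]
        # The reply half, if any, has the 5-tuple reversed. A probe that was
        # never answered has no reply record, so these totals stay at 0.
        replies = [r for r in recs[1:]
                   if r["src_ip"] == client["dest_ip"]
                   and r["src_port"] == client["dest_port"]]
        merged[flow_id] = {
            "flow_id": flow_id,
            "event_type": "flow",
            "src_ip": client["src_ip"], "src_port": client["src_port"],
            "dest_ip": client["dest_ip"], "dest_port": client["dest_port"],
            "proto": client["proto"],
            "flow": {
                "pkts_toserver": client["netflow"]["pkts"],
                "bytes_toserver": client["netflow"]["bytes"],
                "pkts_toclient": sum(r["netflow"]["pkts"] for r in replies),
                "bytes_toclient": sum(r["netflow"]["bytes"] for r in replies),
                "start": client["netflow"]["start"],
                "end": max((r["netflow"]["end"] for r in recs), key=_ts),
            },
        }
    return merged


def check_against_native(records, merged):
    """flow_ids whose merged counters and initiator agree with a native flow record."""
    keys = ("pkts_toserver", "bytes_toserver", "pkts_toclient", "bytes_toclient")
    ok = []
    for rec in records:
        if rec.get("event_type") != "flow" or rec["flow_id"] not in merged:
            continue
        mine = merged[rec["flow_id"]]
        if (mine["src_ip"] == rec["src_ip"]
                and all(mine["flow"][k] == rec["flow"][k] for k in keys)):
            ok.append(rec["flow_id"])
    return ok


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    print(count_by_type(recs))
    for flow in correlate_netflow(recs).values():
        print(json.dumps(flow))
```

Run it on a real eve.json (replace SAMPLE_EVE with the file contents) to see the ratio for yourself: every answered connection costs two netflow records against one flow record, and the merge only recovers what the flow record already carries.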