Real-time GELF network traffic visualization across four views — Flow, 2D Map, 3D Globe, Sankey.
Live network traffic flowing across the four views.
## Prerequisites
The installer will pull git, python3 + pip, nodejs + npm on its own — but it can't bootstrap curl itself. On a minimal Linux box where curl --version says "command not found", install it first:
| Distro | Command |
| --- | --- |
| Debian / Ubuntu | `sudo apt install -y curl` |
| RHEL / Fedora / Rocky / Alma | `sudo dnf install -y curl` |
| Arch / Manjaro | `sudo pacman -S --noconfirm curl` |
| openSUSE | `sudo zypper install -y curl` |
```bash
curl -fsSL https://raw.githubusercontent.com/jasoncheng7115/jt-gelflow/main/install.sh | sudo bash
```

Or install manually:

```bash
git clone https://github.com/jasoncheng7115/jt-gelflow.git /opt/jt-gelflow
cd /opt/jt-gelflow
pip install -r requirements.txt
npm install && npm run build
python3 run.py
```

Then open http://<server-ip>:8099 (the installer prints the exact URL). Service control: `sudo jt-gelflow status` / `logs` / `update` / `uninstall`.
Then point Graylog at it.
Graylog → System → Outputs → Add new output → GELF Output; transport UDP, host = the JT-GELFLOW server's IP, port 12201; attach the output to the stream you want visualised.
Full step-by-step (incl. Logstash + Filebeat path) → README · Sending data
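To exercise the receiver's gzip and chunk decoding without a Graylog in the loop, here is an added example (not part of JT-GELFLOW or its installer) that builds a flow event using the default field names from the Field Mapping section, encodes it as a single gzip datagram or a GELF chunk series, and reassembles it the way the receiver must. The host name, addresses and coordinates are constructed; `send_gelf_udp` assumes the dashboard listens at the placeholder host on the page's UDP port 12201.

```python
import gzip
import json
import os
import socket

GELF_CHUNK_MAGIC = b"\x1e\x0f"
CHUNK_DATA = 1420  # payload bytes per chunk; with the 12-byte chunk header this stays under a 1500-byte MTU

def build_flow_event(src_ip, dst_ip, proto, nbytes, src_geo, dst_geo, timestamp, host="fw-edge-01"):
    """Constructed flow record using the dashboard's default field names.
    GELF needs the leading underscore on additional fields; receivers strip it."""
    return {
        "version": "1.1", "host": host, "level": 6, "timestamp": timestamp,
        "short_message": f"flow {src_ip} -> {dst_ip} {proto}",
        "_source_ip": src_ip,
        "_destination_ip": dst_ip,
        "_protocol_name": proto,
        "_network_bytes": nbytes,                 # summed per flow by the Length field setting
        "_source_ip_geolocation": src_geo,        # "lat,lng" string for the 2D Map / 3D Globe
        "_destination_ip_geolocation": dst_geo,
    }

def encode_gelf_udp(event, chunk_data=CHUNK_DATA):
    """UDP datagrams for one event: a single gzip datagram when it fits, otherwise
    GELF chunks laid out as magic | 8-byte message id | seq | count | data."""
    payload = gzip.compress(json.dumps(event).encode("utf-8"))
    if len(payload) <= chunk_data:
        return [payload]
    pieces = [payload[i:i + chunk_data] for i in range(0, len(payload), chunk_data)]
    if len(pieces) > 128:
        raise ValueError("GELF allows at most 128 chunks per message")
    msg_id = os.urandom(8)
    return [GELF_CHUNK_MAGIC + msg_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]

def decode_gelf_udp(datagrams):
    """Reassemble what encode_gelf_udp produced, as a receiver must, and return the event."""
    if datagrams[0][:2] != GELF_CHUNK_MAGIC:
        return json.loads(gzip.decompress(datagrams[0]))
    msg_id, total = datagrams[0][2:10], datagrams[0][11]
    parts = {d[10]: d[12:] for d in datagrams if d[2:10] == msg_id}
    if len(parts) != total:
        raise ValueError(f"incomplete message: {len(parts)}/{total} chunks")
    return json.loads(gzip.decompress(b"".join(parts[i] for i in range(total))))

def send_gelf_udp(event, host="127.0.0.1", port=12201):
    """Emit the datagrams to the dashboard's GELF UDP input (host is a placeholder)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in encode_gelf_udp(event):
            sock.sendto(datagram, (host, port))
```

Passing a small `chunk_data` forces the chunked path, which is a quick way to confirm the receiver reassembles out-of-order or fragmented messages before pointing a real Graylog output at it.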
Switch views with the `1` `2` `3` `4` keys. Same data, different perspective.
- Flow: 2D animated particle flow. Force-directed layout, nodes split internal vs external. Particles travel proportional to traffic.
- 2D Map: Mercator world map with traffic arcs from GeoIP coordinates. Drag to pan, scroll to zoom up to 16×.
- 3D Globe: interactive orthographic globe. Auto-rotate, drag to orient, scroll to zoom. Optional starfield backdrop.
- Sankey: left-to-right bands from external to internal network. Toggle columns on/off (Country, PTR, Protocol). Hover lights up the entire flow chain. Column display names live in Field Mapping.
Everything you need to make a Graylog / Logstash / Filebeat firehose comprehensible at a glance.
- Standard GELF input on UDP 12201 / TCP 12202 with chunked & gzip decoding.
- Fields from incoming logs are surfaced live in the settings panel with type inference.
- `{a||b|default}` fallback chains for node and edge labels.
- Internal / External / Inbound / Outbound by configurable CIDRs, or fully custom zones.
- Per-view limits and IP whitelists keep the canvas readable on busy links.
- Filter by IP, port, protocol or keyword. Multiple terms are ANDed; a leading `-` excludes a term.
- Tight loop, hash-based deduplication, dead-client cleanup.
- English / 繁體中文 across UI and settings.
- Hardened service file, one-command install & updates via the bundled CLI.
Pipelines that don't ship canonical GELF names — Suricata, custom enrichment, vendor exports — map through five settings sections. Change one and you usually need to revisit another.
1. Field Mapping: source / destination IP, protocol, PTR, country code.
   IP: `source_ip` · `src_ip` · `srcip` · `suricata_srcip` …
   Protocol: `protocol_name` · `proto` · `ip_proto` · `l4_proto`
2. Length field: numeric field summed per flow (bytes / count). No length field? Type a non-existent name and leave Default at 1 — the dashboard switches to event counting.
   Common names: `network_bytes` · `bytes` · `length` · `datalen` · `octets` — whichever appears on incoming messages
3. Label templates: strings rendered on each node / edge using `{field}`. Renaming a Field Mapping field also means rewriting the templates that reference it.
   Example: `{suricata_srcip_ptr||suricata_srcip}`
4. Geolocation: lat/lng field used by 2D Map / 3D Globe (string "lat,lng"). Independent of Field Mapping — renaming `src_field` does not rename this.
   Defaults: `source_ip_geolocation` · `destination_ip_geolocation`
   Aliases: `src_geolocation` · `srcip_geolocation` · `geoip_src_location`
5. Zones & limits: internal / external CIDRs, top-N caps, per-view filter rules.
   Default internal: `192.168.0.0/16` · `10.0.0.0/8` · `172.16.0.0/12`
Full Suricata example + gotchas → README · Field mapping
Drive the whole UI from the keyboard — no menu hunting.
All four views, same data stream.