topic Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot? in All Apps and Add-ons

Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

manus — Tue, 07 Oct 2014 10:06:26 GMT

I downloaded and followed the instruction of the installation of Splunk Add-On for Netflow.
https://apps.splunk.com/app/1658/
I followed the steps, but something didn't work.
No data is getting indexed to index=netflow.
In the script configure.sh, I configured port 2055 as UDP listener.
After I restarted Splunk,
netstat -ano|grep 2055
doesn't return anything, so it means Splunk doesn't listen on this port at all.
I didn't find any useful message in:
index=_internal netflow
So I really have no clue how to continue on this installation.
Any help would be greatly appreciated.

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

jcoates_splunk — Mon, 28 Sep 2020 17:57:51 GMT

Hi,

let's start with the platform -- are you doing this on a supported platform?

uname -s
uname -p
grep GenuineIntel /proc/cpuinfo
grep AuthenticAMD  /proc/cpuinfo

Next, I wonder whether configure.sh wrote the $SPLUNK_HOME/etc/apps/TA-flowfix/bin/flowfix.sh file correctly -- is it there?

Then, did it write $SPLUNK_HOME/etc/apps/TA-flowfix/default/inputs.conf and $SPLUNK_HOME/etc/apps/TA-flowfix/default/indexes.conf ?

If it made it that far, what do those files have in them?

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

manus — Mon, 27 Oct 2014 10:07:38 GMT

Hello, thanks for replying. Somebody else took over the installation, and managed to make it work. I don't know what he did. I'll comment when I find out (he's out currently).

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

dstamler_tbte — Mon, 28 Sep 2020 18:22:10 GMT

So I've done all of this and I still have the same issue. I followed what was mentioned in another thread about creating the directories for nfdump-ascii and nfdump-binary as well (they were missing inside $SPLUNK_HOME/etc/apps/Splunk_TA_flowfix/. Still nothing. Any other ideas? I'm curious how your system started working.

UPDATE:
Manually running flowfix.sh gives "Receive socket error: could not open the requested socket". I'm running as non-root. This could be part of the issue.

UPDATE 2:
I now have it running non-root. I changed the inbound port to 9996 and opened the firewall. I'm going to re-test next week with port 2055 again since that shouldn't have been a problem as I had done multiple reboots and verified with ss -lpu that port 2055 wasn't used. I will say this though— it's CentOS 7 with the new firewall-cmd instead of iptables. It's entirely possible that I overlooked the --permanent flag when I created the firewall rule for port 2055 the first time and that it didn't survive the reboot. That would explain the error.

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

jcoates_splunk — Fri, 12 Dec 2014 22:21:51 GMT

I expect that is almost certainly the issue.

edit: I verified that this is certainly the issue. Root permissions are required.

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

dstamler_tbte — Sat, 13 Dec 2014 02:23:59 GMT

I have it running non-root (albeit on a different port) now.

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

jcoates_splunk — Sat, 13 Dec 2014 02:57:50 GMT

I asked the developer if it would work as a non-root user. Did you go to a port above 1024?

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

dstamler_tbte — Sun, 14 Dec 2014 04:52:13 GMT

For sure! The standard port for netflow is UDP 2055 anyway. You can't run anything non-root under port 1024 on linux without using POSIX capabilities, authbind (or forwarding the lower port to a higher-one).

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

mbenwell — Mon, 28 Sep 2020 18:22:32 GMT

I installed it 2 weeks ago, and also had issues getting it started. It should be fine on udp 2055.

Not sure what happened but for some reason the following directories were not being created:
./Splunk_TA_flowfix/nfdump-ascii
./Splunk_TA_flowfix/nfdump-binary

After creating them manually it worked fine.

Also worth looking at, the flowfix.sh script has hard coded paths. The configure.sh script assumes/expects it is being run from the directory the script is in. Also be aware of the paths in flowfix.sh if you ever move the TA to another host.

Re: Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

aariya01 — Tue, 29 Sep 2020 13:48:56 GMT

Hi,
I am facing the similar issue after integrating Netflow to splunk I am not getting data on splunk,
After configuring the configure.sh script, I got both the files at mentioned location $SPLUNK_HOME/etc/apps/TA-flowfix/default/inputs.conf and $SPLUNK_HOME/etc/apps/TA-flowfix/default/indexes.conf ,

Could anyone please explain what steps shall I take next to troubleshoot this issue.

Thanks in advance!!!