topic Re: Configuring Netflow App for Splunk in All Apps and Add-ons

Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 05:47:01 GMT

Good day everyone,

I'm having trouble in configuring or setting up the Netflow app for Splunk.
I have already downloaded the nfdump and the splunk app in my machine(Linux Mint 64bit). Already put an ip address and udp port 9800 in my data inputs in splunk, also edited the config file of netflow

[nfcapd]
# UDP port to listen for incoming netflow.
#port = 9996
port = 9800

I have also chosen the sourcetype to be in netflow as said in the readme. Restarted splunk multiple times already. Still can't get results from the netflow app dashboards.

Can someone guide or help me to do this ? Is there something i need to input in linux command line in order for the dumps to capture. I'm currently pinging the ip and tcpdump on the linux machine. i tried running nfdump but it shows only this :

nfdump
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows

Open file '<stdin>': bad magic: 0xA

Thanks fellow Splunkers

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 06:28:44 GMT

what do you mean by "downloaded the nfdump"? because it is already in the app

are you on 32bit OS?

By default, the NetFlow app only works on Linux 64-bit platforms (due to issues with nfdump binary compatibility). 

If you want to run this app on 32-bit platforms, rename two binary files "nfcapd_linux32" and "nfdump_linux32" to "nfcapd" and "nfdump", respectively. These files are located in the NetFlow app's "bin" directory, which is $SPLUNK_HOME/etc/apps/netflow/bin .

Following is an example of how to rename the files within the directory:

  $ cd $SPLUNK_HOME/etc/apps/netflow/bin
  $ mv nfcapd_linux32 nfcapd
  $ mv nfdump_linux32 nfdump

Re: Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 06:33:30 GMT

im running in 64bit, i download the nfdump using apt-get. sorry i didnt know it was already in the app. forgot to indicate that im on 64bit.

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 06:51:51 GMT

then just remove the one you installed and all you need is to configure the $SPLUNK_HOME/etc/apps/netflow/default/config.ini and restart splunk

Re: Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 06:55:11 GMT

ok , will feedback later thanks

Re: Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 07:24:22 GMT

restarted splunk already, how can i check if nfdump is working ? i have viewed the nfdump.log and it still blank

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 07:29:11 GMT

index="_internal" sourcetype="splunkd" ("nfdump" OR "nfcapd")

look for any error

Re: Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 07:36:49 GMT

thanks again @MarionM here's what ive got

09-19-2012 15:33:48.963 +0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netflow/bin/nfcapd.py" Terminated due to errors.

09-19-2012 15:34:48.751 +0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netflow/bin/nfcapd.py" Receive socket error: could not open the requested socket

does this means its working ? do i need to configure more ?

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 07:41:47 GMT

it sounds something is already listening on the port you specified in the config.ini (did you remove properly the nfdump apt package?) or you are not running splunk as sudo root.

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 07:42:40 GMT

what's in your inputs.conf?

Re: Configuring Netflow App for Splunk

crt89 — Mon, 28 Sep 2020 12:27:54 GMT

[script://$SPLUNK_HOME/etc/apps/netflow/bin/nfcapd.py]
disabled = false
interval = 60
source = nfcapd.py
index=netflow_si_traffic

[script://./bin/nfdump.py]
disabled = false
interval = 60
source = nfdump.py
index=netflow_si_traffic

[monitor://$SPLUNK_HOME/etc/apps/netflow/log/nfdump]
disabled = false
sourcetype = netflow
blacklist = .\d+$
index=netflow_si_traffic

Re: Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 07:52:40 GMT

im running in root and yes ive deleted the nfdump apt package

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 07:56:04 GMT

if you stop splunk and do netstat is there anything listening on the port you specified in the config.ini?

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 07:58:03 GMT

and make sure there is no inputs.conf listening to this port.
because for me it looks the port is laready binded then you could try by setting another port in your netflow device and in config.ini

Re: Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 08:05:24 GMT

thanks again, ive used this netstat command
netstat -np udp 9800 | grep 9800

nothing shows.

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 08:10:24 GMT

unfortunately i have no more ideas...

Re: Configuring Netflow App for Splunk

MarioM — Wed, 19 Sep 2012 08:13:23 GMT

maybe a last idea...can you make sure there is no nfdump or nfcapd processus running?
if it's feasible i would restart the server

Re: Configuring Netflow App for Splunk

crt89 — Wed, 19 Sep 2012 08:21:37 GMT

ok i used this : pgrep -l nfcapd then it showed 11208 nfcapd : then i tried to kill it and restarting splunk now. ill be back again in while to see if it works. thanks again for your help

Re: Configuring Netflow App for Splunk

crt89 — Mon, 28 Sep 2020 12:27:59 GMT

ok i killed the nfcapd running then restarted the splunk server. after that i cant see any nfcapd running. also i received event counts to the netflow_si_traffic index but it stopped. also searching the index returns me with this event result : Return code =
Error: nfdump ran unsuccessfully. i think i still cant get it to work

Re: Configuring Netflow App for Splunk

crt89 — Fri, 21 Sep 2012 01:42:42 GMT

thanks again finally got it to work. using config.ini changed the port again and fully restart to take effect. ill rate it soon thanks