topic Re: NSX-T IPFIX and Splunk in Splunk Enterprise

NSX-T IPFIX and Splunk

Hamidreza74 — Sun, 05 Dec 2021 16:40:36 GMT

We are using Splunk 7.2.6 as our Syslog server in our network environment.

On the Splunk server, I added the IPFIX add-on, and on the NSX-T point the IPFIX target to the SplunkSrv:4739.

We use the exact same configuration on our previous NSX-V and we were able to receive all the related packets on Splunk, but in NSX-T we are unable to do so.

We check everything, local firewall rules on Splunk included, but still no chance. also, I check the Splunk server with Wireshark and I got IPFIX traffic but it doesn't show in Splunk

Any thoughts?

Re: NSX-T IPFIX and Splunk

PickleRick — Sun, 05 Dec 2021 18:29:36 GMT

OK, so you must be using something else apart from "bare" Splunk Enterprise since Splunk on its own cannot ingest IPFIX. And IPFIX receiving has definitely nothing to do with syslog.

So question is - what are you using for IPFIX ingestion? Splunk Stream?

Check this solution's configuration.

And BTW, 7.2.6 is already end-of-life so you should have already upgraded to a current version.

Re: NSX-T IPFIX and Splunk

Hamidreza74 — Mon, 06 Dec 2021 11:39:21 GMT

Thanks for your reply,
I upgrade to 8.2.2.1 and install Splunk Stream and config and edit streamfwdlog. conf file in splunk_app_stream/local directory and then restart Splunk but still did not receive any IPFIX

[streamfwd]
logConfig = streamfwdlog.conf
port = 4739

netflowReceiver.0.ip = [ip address]
netflowReceiver.0.port = 4739
netflowReceiver.0.protocol = udp
netflowReceiver.0.decoder = netflow

Re: NSX-T IPFIX and Splunk

PickleRick — Mon, 06 Dec 2021 11:54:42 GMT

I don't know splunk stream that much but firstly I'd simply check whether

a) There is an open port on splunk side. For example with

netstat -unpl | grep :4739

b) There are no firewall rules in place filtering out the traffic.

c) In case of UDP you could also hit a problem with rare cases with rp_filter (binding to particular IP could suggest some multi-homed configuration which could be prone to such effects).

Re: NSX-T IPFIX and Splunk

Hamidreza74 — Tue, 07 Dec 2021 11:29:25 GMT

There is no open Port for 4739 in the Splunk side
I check the firewall seting, there is no Firewall rule.
is there anything I missed in the configuration file?

logConfig = streamfwdlog.conf
port = 8889

netflowReceiver.0.ip = 0.0.0.0
netflowReceiver.0.port = 4739
netflowReceiver.0.protocol = udp
netflowReceiver.0.decoder = netflow

Re: NSX-T IPFIX and Splunk

Hamidreza74 — Tue, 07 Dec 2021 12:38:22 GMT

I got IPFIX traffic and I can see with Wireshark but I can't see any log in Splunk, I try to change the port but is not work yet