topic Re: Netflow app not retrieving any data in Getting Data In

Netflow app not retrieving any data

omgemeasts — Mon, 12 Dec 2011 12:42:49 GMT

I am sure this is probably a very simple issue however I am not seeing what the problem is.

I have install the app Splunk for Netflow, it's a 32bit OS so I have changed the two files required to let this work on the 32 bit OS. I have also installed nfdump. I can go to the app's page but simply tells me "No results found" on any time line, I have also run nfdump from the command line and I see no data coming in;

root@syslog-server:~# nfdump
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows

So from this I am going to presume it's not a problem with the netflow app but a problem with getting the data.

Here is my 6509 config;

ip flow ingress layer2-switched vlan 1-50
ipv6 mfib hardware-switching replication-mode ingress
no mls acl tcam share-global
mls aging long 64
mls aging normal 64
mls netflow interface
mls flow ip interface-full
mls nde sender version 5

ip flow-export source Vlan5
ip flow-export version 5
ip flow-export destination 1.1.1.9 9996
ip flow-export destination 1.1.1.7 9996

So from what I can see everything is correct and even this command shows data is being sent;

EMEA-IDC-6509-1#sh ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.2.5 (Vlan5)
Source(2) 1.1.2.5 (Vlan5)
Destination(1) 1.1.1.9 (9996)
Destination(2) 1.1.1.7 (9996)
Version 5 flow records
3824923447 flows exported in 127497449 udp datagrams

Do anyone know any other ways to debug my issue? Everything I have read on the internet shows simply installing the app and nfdump worked for them after their router was configured correctly so finding other people with similar issues as mine hasn't showed any results.

Re: Netflow app not retrieving any data

omgemeasts — Tue, 13 Dec 2011 12:04:38 GMT

Maybe this is not the right forum to ask this question and should ask on a more OS based forum...?

Re: Netflow app not retrieving any data

dmaislin_splunk — Tue, 13 Dec 2011 15:33:58 GMT

Look in the config.ini in the default directory of the app. Either you need to allow Splunk to receive Netflow data via UDP on port 9995 or any port you decide to change it to in the config file.

[nfcapd]
# UDP port to listen for incoming netflow.
port = 9995

Re: Netflow app not retrieving any data

omgemeasts — Tue, 13 Dec 2011 16:44:16 GMT

Yes here it is

[nfcapd]
UDP port to listen for incoming netflow.
port = 9996

And on my 6509

ip flow-export destination 1.1.1.7 9996

Re: Netflow app not retrieving any data

dmaislin_splunk — Tue, 13 Dec 2011 16:46:13 GMT

And I assume you went to Manager / Data Inputs / UDP and enabled port 9996

Re: Netflow app not retrieving any data

omgemeasts — Tue, 13 Dec 2011 16:51:19 GMT

You assume correct. Only thing I can really notice about it is the fact the source type is syslog, not sure if that matters??

UDP port Source type Status Actions
514 syslog Disabled | Enable Clone | Delete
9996 syslog Enabled | Disable Clone | Delete

Re: Netflow app not retrieving any data

dmaislin_splunk — Tue, 13 Dec 2011 16:54:01 GMT

The app relies on the sourcetype=netflow

Re: Netflow app not retrieving any data

dmaislin_splunk — Tue, 13 Dec 2011 16:55:06 GMT

http://splunk-base.splunk.com/answers/33304/installing-spunk-for-netflow

Re: Netflow app not retrieving any data

omgemeasts — Tue, 13 Dec 2011 17:01:01 GMT

Ah this is a good point, ok I have done this, I will wait for a few minutes to see if this fixes the problem. And dmaislin_splunk I have read that, made the change to sourcetype to = netflow but still not seeing any data, will give it a few more minutes

Re: Netflow app not retrieving any data

omgemeasts — Tue, 13 Dec 2011 17:14:59 GMT

Hmm still no data

Re: Netflow app not retrieving any data

omgemeasts — Wed, 14 Dec 2011 10:18:54 GMT

I am going to guess that I should be able to see packets if I run nfdump manually from the console, so as I am not, it's probably not a problem with Slunk or the Netflow app, but either with my switch sending the data or my server receiving them

Re: Netflow app not retrieving any data

dmaislin_splunk — Wed, 14 Dec 2011 11:24:02 GMT

Can you telnet to the Splunk server on that port? If so, then there is nothing wrong on our side. Is there anything in between that is blocking the connection?

Re: Netflow app not retrieving any data

omgemeasts — Wed, 14 Dec 2011 11:29:24 GMT

Yes I can; netcat -u ip_address 9996 connects though I cannot see it in netstat so I think NetFlow is ok, and this is a Debian OS issue. I think I best take this question to another forum

Thanks for everyone's help, hopefully I can resolve this

Re: Netflow app not retrieving any data

omgemeasts — Wed, 14 Dec 2011 11:30:38 GMT

One last thing, maybe it's because splunk is running as root and not as the spunk user? I think this needs to be resolved but then again, doesn't explain why nfdump isn't seeing anything so that's probably still not the reasons

Re: Netflow app not retrieving any data

Spelunke — Mon, 02 Jan 2012 19:32:29 GMT

Please check with wireshark or tcpdump if you can see any flows on the server.