https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442974#M77183 <P>Right, so I managed to get this working.</P> <P>/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf<BR /> [streamfwd]<BR /> logConfig = streamfwdlog.conf<BR /> port = 8889<BR /> ipAddr = 0.0.0.0</P> <P>netflowReceiver.0.interface = IP<BR /> netflowReceiver.0.protocol = udp<BR /> netflowReceiver.0.port = 9995<BR /> netflowReceiver.0.decoder = netflow</P> <P>/opt/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf<BR /> [streamfwd://streamfwd]<BR /> splunk_stream_app_location = <A href="https://localhost:443/en-us/custom/splunk_app_stream/" target="_blank">https://localhost:443/en-us/custom/splunk_app_stream/</A><BR /> stream_forwarder_id =<BR /> disabled = 0</P> <P>[udp://9995]<BR /> connection_host = ip<BR /> disabled = 0<BR /> index = stream<BR /> source = stream</P> <P>This is now allowing netflow to both be accepted and indexed correctly by Splunk_TA_stream with the flow being delivered by softflowd within pfSense.</P> <P>Hopefully this helps someone else down the line.</P> <P>Cheers</P> Wed, 30 Sep 2020 01:44:35 GMT j_stock 2020-09-30T01:44:35Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442971#M77180 <P>Hi all,</P> <P>It doesn't matter how much I read the documentation <A href="https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/ConfigureFlowcollector" target="_blank">https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/ConfigureFlowcollector</A> or follow tips from <A href="https://answers.splunk.com/answers/636437/how-to-configure-the-splunk-flow-collector-setup-i.htmlhttps://answers.splunk.com/answers/743408/streamfwd-is-not-forwarding-netflow-v9-data-to-sh.html" target="_blank">https://answers.splunk.com/answers/636437/how-to-configure-the-splunk-flow-collector-setup-i.htmlhttps://answers.splunk.com/answers/743408/streamfwd-is-not-forwarding-netflow-v9-data-to-sh.html</A> I can't get the TA to ingest netflow from pfSense 2.4.4.</P> <P>I have pfSense using the sotftflow package exporting netflow ipfix to my combined SH/Indexer (single instance, home setup) on port 9995.</P> <P>I have the Splunk UF installed on pfSense and it is configured to use a deployment server if needed.<BR /> I have SE running on Ubuntu 16.04 v 7.3.1 with Splunk Stream 7.1.3 installed as the app and with the TA.<BR /> I have the following configs:</P> <P>/opt/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf:<BR /> [streamfwd://streamfwd]<BR /> splunk_stream_app_location = <A href="https://splunk-enterprise/en-US/app/splunk_app_stream" target="_blank">https://splunk-enterprise/en-US/app/splunk_app_stream</A><BR /> disabled = false<BR /> index = netflow</P> <P>[streamfwd]<BR /> disabled = false<BR /> source = stream</P> <P>[udp://9995]<BR /> connection_host = ip<BR /> source = stream<BR /> index = netflow<BR /> disabled = false</P> <P>/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf:<BR /> [streamfwd]<BR /> port = 8089<BR /> ipAddr = 127.0.0.1<BR /> netflowReceiver.0.ip = 127.0.0.1<BR /> netflowReceiver.0.port = 9995<BR /> netflowReceiver.0.decoder = netflow</P> <P>UDP 9995 and TCP 8089 are listening and working fine.</P> <P>I'm hitting walls here. I have no idea what's wrong or whats happening next.</P> <P>Unusually I get this in streamfwd.log:<BR /> 2019-08-11 11:16:35 ERROR <A href="CaptureServer.cpp:2210" target="_blank">140695607523072</A> stream.CaptureServer - Unable to ping server (19a246f1-d41e-472d-8de4-d42bcfc74f65): /en-US/app/splunk_app_stream/ping/ status=303</P> <P>I can confirm that /en-US/app/splunk_app_stream/ping/ does not exist... but I have installed from the tgz so I am not sure why it doesn't exist?</P> <P>Sorry, this is all over the place, as is my config, such is my desperation to get this working.</P> <P>Please help.</P> Wed, 30 Sep 2020 01:42:42 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442971#M77180 j_stock 2020-09-30T01:42:42Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442972#M77181 <P>check this blog post. It has a nice walkthrough setting up stream in a dist environment. <BR /> <A href="https://www.splunk.com/blog/2019/02/14/installing-and-managing-splunk-stream-in-a-distributed-environment.html">https://www.splunk.com/blog/2019/02/14/installing-and-managing-splunk-stream-in-a-distributed-environment.html</A> </P> Mon, 12 Aug 2019 01:23:31 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442972#M77181 diogofgm 2019-08-12T01:23:31Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442973#M77182 <P>Hi,</P> <P>Thanks for the blog post. I've read that in the past, but it doesn't really address much about netflow.</P> <P>Also, as the host is pfSense which runs on FreeBSD, the streamfwd binary doesn't run.</P> Mon, 12 Aug 2019 09:42:41 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442973#M77182 j_stock 2019-08-12T09:42:41Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442974#M77183 <P>Right, so I managed to get this working.</P> <P>/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf<BR /> [streamfwd]<BR /> logConfig = streamfwdlog.conf<BR /> port = 8889<BR /> ipAddr = 0.0.0.0</P> <P>netflowReceiver.0.interface = IP<BR /> netflowReceiver.0.protocol = udp<BR /> netflowReceiver.0.port = 9995<BR /> netflowReceiver.0.decoder = netflow</P> <P>/opt/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf<BR /> [streamfwd://streamfwd]<BR /> splunk_stream_app_location = <A href="https://localhost:443/en-us/custom/splunk_app_stream/" target="_blank">https://localhost:443/en-us/custom/splunk_app_stream/</A><BR /> stream_forwarder_id =<BR /> disabled = 0</P> <P>[udp://9995]<BR /> connection_host = ip<BR /> disabled = 0<BR /> index = stream<BR /> source = stream</P> <P>This is now allowing netflow to both be accepted and indexed correctly by Splunk_TA_stream with the flow being delivered by softflowd within pfSense.</P> <P>Hopefully this helps someone else down the line.</P> <P>Cheers</P> Wed, 30 Sep 2020 01:44:35 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/442974#M77183 j_stock 2020-09-30T01:44:35Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/526541#M88815 <P>This worked for me, thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194988">@j_stock</a>!</P> Mon, 26 Oct 2020 21:25:07 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/526541#M88815 dconnett_splunk 2020-10-26T21:25:07Z https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/550983#M91484 <P>Great - will give this a try later this week. I'm struggling with the same thing.</P><P>&nbsp;</P><P>Two questions:</P><P>(1) - How would that look like with a forwarder installed on another system then the indexer?</P><P>(2) - What would it take to have flow records accepted for both - UDP and TCP?</P><P>&nbsp;</P><P>Cheers - Will</P> Sun, 09 May 2021 07:24:17 GMT https://community.splunk.com/t5/Getting-Data-In/Configuring-Splunk-TA-stream-7-1-3-to-ingest-netflow-from/m-p/550983#M91484 NogNeetMachinaa 2021-05-09T07:24:17Z