Solved: How can I index Netflow logs?

khanlarloo · ‎12-04-2017

Hi,
I want to send my router's Netflow logs to Splunk.
How can I do that?
I installed Splunk in Linux Centos 7 and installed the Splunk Add-on for NetFlow, but my logs still don't show in Splunk.

nickhills · ‎12-04-2017

Take a look at Splunk Stream - its a far more robust way of collecting the data (and lots more)!
https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/ConfigureFlowcollector

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎12-04-2017

Take a look at Splunk Stream - its a far more robust way of collecting the data (and lots more)!
https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/ConfigureFlowcollector

If my comment helps, please give it a thumbs up!

khanlarloo · ‎12-04-2017

should i install netflow programm to collect my data and then send them to splunk?

nickhills · ‎12-04-2017

If you install Splunk TA Stream on a Heavy Forwarder you have all the components you need.

From the doc above:
edit

[streamfwd]
netflowReceiver.0.ip = <your hvy fwd ip>
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

then configure your network devices to send netflow to <your hvy fwd id> :9995

If my comment helps, please give it a thumbs up!

gjanders · ‎12-04-2017

Depending on the volume of traffic you may want to install the independent stream forwarder...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

khanlarloo · ‎12-09-2017

tanx i do it and it works

How can I index Netflow logs?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?