I tried to install the NVM app in Splunk Enterprise, and managed to download the XML profile in the AnyConnect client pointing to the Splunk IP address, but I can't see packets going to the port I specified, 2055.
It looks like the collector never received the netflow templates from your client. This is possible if you had your client configured and running before the collector was started. The collector needs to receive the netflow templates in order to process the netflow records from the endpoint.
Try restarting the nvmagent service on your client, or make some changes to your NVM client profile (and revert it back to the right settings). The template is sent from the client when one of the following events occurs:
1. There is a change in the NVM profile
2. There is a network change event
3. The nvmagent service is restarted.
Thanks,
Everything seems to be working now. Splunk seems to be amazing, but every app seems to be configured differently. I'm working on all the Cisco security apps; I installed the ones for FireSIGHT and for Cisco ASA, but there's no separate tab for those like there is for NVM. Is there an easy way to go?
Hi,
Splunk is an amazing tool as you note. NVM will remain as a separate offering from those other tools.
Hello team,
I've the following topology:
PC with Cisco Anyconnect configured with NVM ------ Collector ------ Splunk Enterprise with NVM addon
Now, everything is working fine from a Wireshark perspective: I'm receiving flows on the collector, and the collector sends them to Splunk Enterprise.
Issue is, that on splunk, I can't see anything on dashboards, why?
One more thing: the captured data on the Splunk server appears with the SRC IP of the VPN client and the DST IP of the collector. Why?
And why can't I capture traffic destined to ports 20519 and 20520 on the Splunk server? I capture only the traffic mentioned above, destined to port 2055.
It looks like the collector never received the netflow templates from your client. This is possible if you had your client configured and running before the collector was started. The collector needs to receive the netflow templates in order to process the netflow records from the endpoint.
Try restarting the nvmagent service on your client, or make some changes to your NVM client profile (and revert it back to the right settings). The template is sent from the client when one of the following events occurs:
1. There is a change in the NVM profile
2. There is a network change event
3. The nvmagent service is restarted.
I installed this collector on a Kali Linux box I had, and it keeps showing me this message:
"no templates for flowset 258". The exporter is my IP address in AnyConnect. I don't know if I'm supposed to use another CentOS box; the conf file is configured to send the syslog to the right IP address, but there's no info there.
Hi edufernandez2,
Did you install the collector? The collector is a daemon service that needs to be installed on the server that your client profile is pointing to. The instructions to install the collector are available under the "Help > Install Guide" section of the Splunk App.
Also, please note that the collector can only be installed on 64-bit Linux machines.
-Vijay
Hi,
There are a few things you need to do.
AnyConnect:
The client will only send IPFIX (nvzFlow) when it has determined that it is on a trusted network.
Install and configure the Splunk App. In the install directory is the IPFIX (nvzFlow)-to-syslog component, which you need to manually install on a 64-bit Linux system.
Reboot the AnyConnect client after completing both steps and verify, with a tool such as Wireshark, that you are seeing IPFIX (nvzFlow) packets leaving the device on the configured port.
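Added example (not part of this thread, and not the Cisco collector's or the Splunk app's own code): a small IPFIX template tracker that reproduces the failure mode the replies above describe, data records arriving at a collector that has never seen the matching template, which is what a "no templates for flowset 258" message means. It parses the RFC 7011 message and set framing that nvzFlow uses, records which template IDs each exporter has announced, and flags data sets that reference an unknown template. It can be pointed at the UDP payloads you capture with Wireshark or tcpdump on the configured port (2055 in the posts above) to confirm whether a template ever arrived. The exporter address, observation domain ID, template ID 258, the information elements in the template and the data record bytes are all constructed for the example.

```python
"""Track IPFIX (RFC 7011) template sets per exporter and flag data records that
arrive before their template: the "no templates for flowset <id>" condition."""
import struct
from collections import defaultdict

IPFIX_VERSION = 10            # IPFIX message header version
TEMPLATE_SET_ID = 2           # Template Set (RFC 7011 section 3.4.1)
OPTIONS_TEMPLATE_SET_ID = 3   # Options Template Set (section 3.4.2)
MIN_DATA_SET_ID = 256         # Set IDs >= 256 are Data Sets keyed by template ID


def parse_ipfix_message(data):
    """Return (observation_domain_id, [(set_id, set_body_bytes), ...])."""
    if len(data) < 16:
        raise ValueError("short IPFIX header")
    version, length, _export_time, _seq, domain = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION:
        raise ValueError("not IPFIX: version %d" % version)
    if length > len(data):
        raise ValueError("length field exceeds packet")
    sets, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("bad set length")
        sets.append((set_id, data[offset + 4:offset + set_len]))
        offset += set_len
    return domain, sets


def parse_template_set(body, options=False):
    """Return the template IDs defined in a (Options) Template Set body."""
    ids, offset = [], 0
    while offset + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[offset:offset + 4])
        if template_id < MIN_DATA_SET_ID:   # zero padding at end of the set
            break
        offset += 6 if options else 4       # options header carries a scope count
        for _ in range(field_count):
            (ie_id,) = struct.unpack("!H", body[offset:offset + 2])
            offset += 4                     # IE id + field length
            if ie_id & 0x8000:              # enterprise bit: 4-byte PEN follows
                offset += 4
        ids.append(template_id)
    return ids


class TemplateTracker:
    """Remembers announced templates per (exporter, domain) and classifies sets."""

    def __init__(self):
        self.known = defaultdict(set)
        self.events = []   # ("template" | "data" | "no_template", exporter, id)

    def feed(self, exporter, packet):
        domain, sets = parse_ipfix_message(packet)
        key = (exporter, domain)
        for set_id, body in sets:
            if set_id in (TEMPLATE_SET_ID, OPTIONS_TEMPLATE_SET_ID):
                for tid in parse_template_set(body, set_id == OPTIONS_TEMPLATE_SET_ID):
                    self.known[key].add(tid)
                    self.events.append(("template", exporter, tid))
            elif set_id >= MIN_DATA_SET_ID:
                kind = "data" if set_id in self.known[key] else "no_template"
                self.events.append((kind, exporter, set_id))
            # set IDs 4..255 are reserved and ignored
        return self.events


def build_message(domain, sets, seq=0):
    """Assemble an IPFIX message from (set_id, body) pairs (constructed input)."""
    body = b"".join(struct.pack("!HH", sid, len(b) + 4) + b for sid, b in sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, seq, domain) + body


def replay_example():
    """Client already exporting before the collector saw a template, then a
    profile change or nvmagent restart makes it resend the template."""
    exporter = "10.0.0.5"          # constructed: VPN client address seen by collector
    template = (struct.pack("!HH", 258, 3)
                + struct.pack("!HH", 8, 4)            # sourceIPv4Address
                + struct.pack("!HH", 12, 4)           # destinationIPv4Address
                + struct.pack("!HHI", 0x8000 | 1, 2, 9))  # constructed enterprise IE
    record = bytes([10, 0, 0, 5, 192, 168, 1, 10, 0, 1])  # constructed data record
    packets = [
        build_message(1, [(258, record)], seq=0),    # data before any template
        build_message(1, [(2, template)], seq=1),    # template after restart
        build_message(1, [(258, record)], seq=2),    # now decodable
    ]
    tracker = TemplateTracker()
    for pkt in packets:
        tracker.feed(exporter, pkt)
    return tracker.events


if __name__ == "__main__":
    for event in replay_example():
        print(event)
```

The first data set is reported as `no_template` and the same set ID becomes `data` only after the Template Set arrives, which is the sequence the replies describe. To use it on a real capture, feed each UDP payload from the collector port to `TemplateTracker.feed` with the packet's source address as the exporter; if you only ever see `no_template` events, the client has not resent its templates since the collector came up.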