
Need Assistance with Netscaler v11 Appflow

jodros
Builder

We recently upgraded our netscalers from v10 to v11. Soon after, our heavy forwarder running the Splunk_TA_IPFIX_UDP_NIX app started running very high memory. We were also dropping 95%+ of the appflow data. I started researching and upgraded our Splunk Netscaler app and TA to 5.x on the heavy forwarder. The Splunk_TA_ipfix was really the only component that needed to be upgraded, but I thought since I was upgrading one, I would do both.

I am now receiving appflow data again, but it appears that the format has changed. I no longer see fields such as "Address", which used to indicate which netscaler host the log referenced. I also no longer see a timestamp in the log. I do not know if these log format changes are due to switching to a modular input for receiving appflow or not.

Any assistance with v11 appflow would be appreciated.

Thanks

jodros
Builder

I have been researching and don't know if it is an update to the field names in the IPFIX logs from Netscaler v11 or the difference in the way our Splunk instance is receiving the IPFIX data. Here are some examples of the differences in the log formats:

Splunk_TA_ipfix format:
TimeStamp="2015-11-18T02:37:12"; Template="258"; Observer="0"; Address="10.36.72.60"; Port="36010"; observationPointId="1"; exportingProcessId="0"; flowId="431021945"; transactionId="147769152"; connectionId="431021945"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="52566"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="692"; tcpControlBits="24"; flowFlags="67239936"; flowStartMicroseconds="1447835832.015953"; flowEndMicroseconds="1447835833.014935"; ingressInterface="2"; egressInterface="2147483651"; appNameAppID="10348"; appUnitNameAppId="0"; httpResponseForwardTimeToFB="0"; httpResponseForwardTimeToLB="0"; httpRequestUrl="/include/ethicsline/telephone3.png"; httpRequestCookie="cookie=monster"; httpRequestReferer="http://inet.alfains.com/bodyho.asp"; httpRequestMethod="GET"; httpRequestHost="inet.alfains.com"; httpRequestUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; httpContentType=""; httpRequestAuthorization=""; httpRequestVia=""; httpRequestXForwardedFor="";

IPFIX Modular Input format:
Sequence="433229920"; Template="258"; observationPointId="1"; exportingProcessId="0"; flowId="448691141"; netscalerTransactionId="154465949"; netscalerConnectionId="448691141"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="54403"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="421"; tcpControlBits="24"; netscalerFlowFlags="67243008"; flowStartMicroseconds="1448037395.930212975"; flowEndMicroseconds="1448037395.930212975"; ingressInterface="2"; egressInterface="2147483651"; netscalerAppNameAppId="10348"; netscalerAppUnitNameAppId="0"; netscalerHttpResForwFB="-2208988800.000000000"; netscalerHttpResForwLB="-2208988800.000000000"; netscalerHttpReqUrl="/favicon.ico"; netscalerHttpReqCookie="cookie=monster"; netscalerHttpReqReferer=""; netscalerHttpReqMethod="GET"; netscalerHttpReqHost="inet.alfains.com"; netscalerHttpReqUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; netscalerHttpContentType=""; netscalerHttpReqAuthorization=""; netscalerHttpReqVia=""; netscalerHttpReqXForwardedFor="";

Also, Netscaler v11 allows for more information to be exported in the IPFIX appflow log.

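As an added example (not code from this thread or from either Splunk app), the following Python normalizer parses both key="value"; layouts shown above, maps the netscaler*-prefixed modular-input names back to the old Splunk_TA_ipfix names, and fills in the two fields noted as missing: a TimeStamp derived from flowStartMicroseconds and an Address supplied by the caller. The rename rules are inferred by pairing the two sample lines field by field and are an assumption, and the sample records are constructed, abridged copies of those lines.

```python
import re
from datetime import datetime, timezone

# Constructed sample records, abridged from the two log lines quoted in the post.
TA_RECORD = ('TimeStamp="2015-11-18T02:37:12"; Template="258"; Address="10.36.72.60"; '
             'transactionId="147769152"; flowStartMicroseconds="1447835832.015953"; '
             'httpResponseForwardTimeToFB="0"; httpRequestUrl="/include/ethicsline/telephone3.png"; '
             'httpRequestMethod="GET";')
MODINPUT_RECORD = ('Sequence="433229920"; Template="258"; netscalerTransactionId="154465949"; '
                   'flowStartMicroseconds="1448037395.930212975"; '
                   'netscalerHttpResForwFB="-2208988800.000000000"; '
                   'netscalerHttpReqUrl="/favicon.ico"; netscalerHttpReqMethod="GET";')

FIELD_RE = re.compile(r'(\w+)="([^"]*)";')

# Names the generic rule in old_name() would get wrong (assumed mapping, from the two samples).
EXCEPTIONS = {
    "netscalerAppNameAppId": "appNameAppID",
    "netscalerHttpResForwFB": "httpResponseForwardTimeToFB",
    "netscalerHttpResForwLB": "httpResponseForwardTimeToLB",
}
# -2208988800 is 1900-01-01 expressed in Unix seconds (the NTP epoch): an unset NTP timestamp.
NTP_UNSET = "-2208988800"


def parse(line):
    # Split a key="value"; line into a dict; values stay as strings.
    return dict(FIELD_RE.findall(line))


def old_name(field):
    # Assumed rule: drop the "netscaler" prefix, lowercase the first letter, expand httpReq.
    if field in EXCEPTIONS:
        return EXCEPTIONS[field]
    if not field.startswith("netscaler"):
        return field
    stripped = field[len("netscaler"):]
    stripped = stripped[0].lower() + stripped[1:]
    return stripped.replace("httpReq", "httpRequest", 1)


def normalize(line, exporter_address=None):
    # Re-key a record by the old TA names and fill in TimeStamp and Address when absent.
    out = {}
    for key, value in parse(line).items():
        name = old_name(key)
        if name.startswith("httpResponseForwardTimeTo") and value.split(".")[0] == NTP_UNSET:
            value = "0"  # the old TA showed 0 for an absent forward time; treat the sentinel the same
        out[name] = value
    if "TimeStamp" not in out and "flowStartMicroseconds" in out:
        secs = int(out["flowStartMicroseconds"].split(".")[0])
        # Derived in UTC; the old TA's TimeStamp appears to have been in the forwarder's local zone.
        out["TimeStamp"] = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    if "Address" not in out and exporter_address:
        out["Address"] = exporter_address  # the modular input no longer records the exporting host
    return out
```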

jodros
Builder

I have uploaded a screenshot, but it is not displaying in the post.
