Netflow Integrator 3.1 and Splunk 5.0.1 not showing Netflow v9 data

Engager

I have a fresh install of Splunk and the only app I loaded is the NetFlow Integrator 3.1. I can see the port listening (UDP:11514) and I can see traffic come into the port on a tcpdump, but the index has no data. NF Integrator says it supports v9 input, but I don't know if a change to a transform or something is required, or if it just knows. Either way, something isn't working right and the data isn't getting to the index and/or app.

The only thing I see is the following in the log /opt/splunk/etc/apps/netflow/logs/netflow_keep-alive.log:
2012-12-15 21:27:48,451 WARNING NetFlow Integrator Server installation not found!

This occurs every minute. I have bounced Splunk multiple times and the app shows 'enabled' in the App manager. The port is listening. Any thoughts?

Contributor

All previously existing versions of NetFlow Logic Splunk apps have been merged into one NetFlow for Splunk by NetFlow Logic App. See this link http://apps.splunk.com/app/489/

Engager

Is this right?
I have a 64-bit Linux Splunk server.
The steps that I did after downloading the NetFlow app:

1. Install the app on the Splunk v5 server
2. Push syslog to Splunk using port 9995
3. Create a data input in Splunk Web, UDP 11514
4. Restart splunkd

Contributor

Step 2 should be: configure your network device to send NetFlow data on UDP to port 9995.

If you need further assistance please contact support at: https://netflowlogic.zendesk.com/home

Path Finder

Hi jtc242,

We are currently working on support for Palo Alto Networks - if you can send us an email to support@netflowlogic.com I can log a feature enhancement on your behalf. It would also be great to capture any specific use cases for how you want to visualize the data.

Thanks!

New Member

I am going to ask a new question seeing as this is not the same issue as me. For those following, it will be "Palo Alto's Netflow data not showing up in Splunk 5.0.1 via Netflow Integrator 3.1"

New Member

Interesting. I would think you could just download the tarball and put it in there yourself, but I am not familiar enough with BSD to tell you if the binary in it will run. They only have Linux 32-bit, Linux 64-bit, and Windows binaries.

Path Finder

Our app listens for incoming NetFlow on the default port of 9995. Once received, we convert the binary NetFlow data into syslog format and send it to the local Splunk UDP data input on port 11514. Double-check the settings in the app under Splunk > NetFlow for Splunk > NetFlow Integrator Server Configuration to ensure the port is set to 9995. Also verify that your device (NetFlow Exporter) is sending to 9995.

Path Finder

I have not seen this particular issue before; can you send me an ls -a output to support@netflowlogic.com for the following:

/splunk/etc/apps/netflow

and

/splunk/etc/apps/netflow/flowintegrator_linux32

Engager

Thanks for the feedback, jtc242. I can see the two scripts in the inputs, but I don't have a directory for the flow integrator as the app is expecting. It looks to me like the full install did not work. I am not running an SELinux version but rather FreeBSD. To complicate it even more, I am running Splunk inside a jail. Because I am running this in a jail, I don't have different users for the applications (i.e. Splunk, Apache, etc.). Everything is run under root as this is a personal sandbox environment and root in a jail is isolated to that jail. I have loaded a few other apps with no issues. I think I just need to manually install the Flow Integrator Server portion and this will work. Any feedback on logs to check to help isolate the issue would be helpful.

New Member

It isn't a separate app. The integrator is put into /opt/splunk/etc/apps/netflow/bin/flowintegrator_linux32 (or similar). There are two scripts in Splunk > Manager > Data inputs > Script that kick it off. You may have a permissions issue, or maybe SELinux could be interfering. My issue is different, but I thought it may be in the same vein.

Engager

Well, I don't see a separate app for just the Netflow Integrator Server. I guess I am at a loss right now on how to get the netflow portion of this as I seem to have the Syslog conversion listener.

Engager

Ok. I think the part I missed is that the Netflow for Splunk app does not appear to load the Netflow Integrator Server app as well. This is why I only saw the port UDP:11514 listening. When I go to the Splunk > NetFlow for Splunk > NetFlow Integrator Server Configuration

I saw this:

/opt/splunk/etc/apps/netflow/bin/flowintegrator_others/bin/flowintegrator: not found

Working on getting the flow integrator now to resolve. I am new to the apps so I must have missed something.

New Member

I did confirm the configuration... and here is controller.log
Waiting for server to connect...
Success
Start up configuration complete
Scheduler> quit (delay 10 sec.)

nfc server shows data like this
12-29 15:01:55.993 RX: 194270 (9/s) WT: 4264867 (216/s) TX: 0 (0/s) drop: w: 11

and keep alive
2012-12-29 15:02:19,047 INFO NetFlow Integrator is running (PID: 13191).

netflow controller log is empty

New Member

Sorry to hijack, but I am seeing the same thing and was wondering if this was resolved. I can sniff traffic coming into port 9995 but don't see anything on port 11514 on the loopback. I tried changing 11514 to be on eth0 instead of lo just to try, but still not seeing data. I did notice that the controller only runs for a short time and then quits. Is that normal behavior? I am running CentOS 5.5 32-bit and using Splunk 5.0.1 and 3.1 of your app. NetFlow is being sent from a Palo Alto box.

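
The pipeline described in the thread (exporter to UDP 9995, conversion to syslog, local UDP input 11514) has one step nobody has checked yet: whether the datagrams hitting 9995 are actually decodable NetFlow v9. The following inspector is an added example written for this page; it is not code from NetFlow Logic, the Splunk app or Palo Alto, and it assumes only the wire format in RFC 3954. It reports the version field of each datagram (a v5 or IPFIX exporter would be silently useless to a v9 collector) and, for v9, whether each data FlowSet references a template the collector has already received. That last point is the classic cause of "packets arrive, nothing comes out": v9 data records cannot be decoded until the matching template arrives, and exporters only resend templates at their refresh interval, so a collector started after the last refresh sits idle until the next one. The sample datagrams at the bottom are constructed inline, not captured from a real device.

```python
"""Sanity-check NetFlow datagrams captured on the collector port (UDP 9995).

Added diagnostic for this thread, not part of the NetFlow Integrator app.
Two questions it answers: is the exporter really sending v9 (not v5/IPFIX),
and have the v9 templates arrived? A v9 data FlowSet can only be decoded
once the template it references has been received (RFC 3954), so a collector
started after the exporter's last template refresh decodes nothing until
the next refresh.
"""
import struct
from typing import Dict, List, Tuple

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sys_uptime, unix_secs, seq, source_id
FLOWSET_HEADER = struct.Struct("!HH")  # flowset_id, length (includes this 4-byte header)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}  # RFC 3954


def netflow_version(data: bytes) -> int:
    """Every NetFlow (v1/v5/v9) and IPFIX (10) datagram starts with a 2-byte version."""
    if len(data) < 2:
        raise ValueError("datagram too short for a NetFlow header")
    return struct.unpack_from("!H", data, 0)[0]


class V9Inspector:
    """Caches templates per (source_id, template_id) and decodes what it can."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}

    def inspect(self, data: bytes) -> dict:
        version = netflow_version(data)
        if version != 9:
            return {"version": version, "error": "not NetFlow v9"}
        _, count, _, _, seq, source_id = V9_HEADER.unpack_from(data, 0)
        report = {"version": 9, "sequence": seq, "source_id": source_id, "declared_count": count,
                  "templates_defined": [], "records": [], "undecodable": []}
        offset = V9_HEADER.size
        while offset + FLOWSET_HEADER.size <= len(data):
            fs_id, fs_len = FLOWSET_HEADER.unpack_from(data, offset)
            if fs_len < FLOWSET_HEADER.size or offset + fs_len > len(data):
                report["undecodable"].append((fs_id, "bad FlowSet length"))
                break
            body = data[offset + FLOWSET_HEADER.size:offset + fs_len]
            if fs_id == 0:
                self._templates(source_id, body, report)
            elif fs_id >= 256:  # 1 = options template, 2..255 reserved: skipped here
                self._data(source_id, fs_id, body, report)
            offset += fs_len
        return report

    def _templates(self, source_id: int, body: bytes, report: dict) -> None:
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            if template_id == 0 or pos + 4 * field_count > len(body):
                break  # zero padding or truncated template
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields
            report["templates_defined"].append(template_id)

    def _data(self, source_id: int, template_id: int, body: bytes, report: dict) -> None:
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            report["undecodable"].append((template_id, "template not yet received"))
            return
        rec_len = sum(flen for _, flen in fields)
        pos = 0
        while rec_len and pos + rec_len <= len(body):  # trailing bytes < rec_len are padding
            record = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                record[name] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
            report["records"].append(record)


# ---- constructed sample traffic (not captured from any real exporter) ----
def _v9_packet(seq: int, flowsets: List[bytes], count: int) -> bytes:
    return V9_HEADER.pack(9, count, 0, 0, seq, 1) + b"".join(flowsets)


def _template_flowset() -> bytes:
    # template 256: IPV4_SRC_ADDR(4) IPV4_DST_ADDR(4) IN_BYTES(4) IN_PKTS(4)
    body = struct.pack("!HH", 256, 4) + struct.pack("!HHHHHHHH", 8, 4, 12, 4, 1, 4, 2, 4)
    return FLOWSET_HEADER.pack(0, FLOWSET_HEADER.size + len(body)) + body


def _data_flowset(*flows: Tuple[bytes, bytes, int, int]) -> bytes:
    body = b"".join(src + dst + struct.pack("!II", nbytes, npkts) for src, dst, nbytes, npkts in flows)
    return FLOWSET_HEADER.pack(256, FLOWSET_HEADER.size + len(body)) + body


def run_demo() -> List[dict]:
    """Replay three v9 datagrams plus a stray v5 header through one inspector."""
    flows = _data_flowset((bytes([10, 0, 0, 1]), bytes([192, 168, 1, 20]), 1500, 3),
                          (bytes([10, 0, 0, 2]), bytes([8, 8, 8, 8]), 120, 1))
    packets = [
        _v9_packet(1, [flows], 2),                             # data before any template: undecodable
        _v9_packet(2, [_template_flowset(), flows], 3),        # template refresh + data: decodes
        _v9_packet(3, [flows], 2),                             # template now cached: decodes
        struct.pack("!HHIIIIBBH", 5, 0, 0, 0, 0, 0, 0, 0, 0),  # a v5 header: wrong export format
    ]
    inspector = V9Inspector()
    return [inspector.inspect(p) for p in packets]


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

To use it on a real box, capture the UDP payloads arriving on 9995 and feed each one to `V9Inspector.inspect` in arrival order. If every report lists `template not yet received`, the collector was started after the exporter's last template refresh (or the refresh interval on the exporter is very long); if the version comes back as 5 or 10, the device is not exporting v9 at all, which no setting in the collector will fix.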