I have a fresh install of Splunk and the only app I loaded is the NetFlow Integrator 3.1. I can see the port listening (UDP:11514) and I can see traffic come into the port on a tcpdump, but the index has no data. NF Integrator says it supports v9 input, but I don't know if a change to a transform or something is required, or if it just knows. Either way, something isn't working right and the data isn't getting to the index and/or app.
The only thing I see is the following in the log /opt/splunk/etc/apps/netflow/logs/netflow_keep-alive.log:
2012-12-15 21:27:48,451 WARNING NetFlow Integrator Server installation not found!
This occurs every minute. I have bounced Splunk multiple times and the app shows 'enabled' in the App manager. The port is listening. Any thoughts?
Is this right?
I have a 64-bit Linux Splunk server.
The steps that I did after downloading the NetFlow app:
1. Install the app on the Splunk v5 server
2. Push syslog to Splunk using port 9995
3. Create a data input in Splunk Web, UDP 11514
We are currently working on support for Palo Alto Networks - if you can send us an email to email@example.com I can log a feature enhancement on your behalf. It would also be great to capture any specific use cases for how you want to visualize the data.
I am going to ask a new question, seeing as this is not the same issue as mine. For those following, it will be "Palo Alto's Netflow data not showing up in Splunk 5.0.1 via Netflow Integrator 3.1".
Interesting. I would think you could just download the tarball and put it in there yourself, but I am not familiar enough with BSD to tell you whether the binary in it will run. They only have Linux 32-bit, 64-bit, and Windows binaries.
Our app listens for incoming NetFlow on the default port of 9995. Once received, we convert the binary NetFlow data into syslog format and send it to the local Splunk UDP data input on port 11514. Double check the settings in the app under Splunk > NetFlow for Splunk > NetFlow Integrator Server Configuration to ensure the port is set to 9995. Also verify that your device (NetFlow Exporter) is also sending to 9995.
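The reply above describes the pipeline (NetFlow v9 in on UDP 9995, syslog out to UDP 11514), so the first thing to check is whether the exporter is really sending v9 to 9995 and whether it is sending templates. The following is an added example, not code from the NetFlow Integrator app or from anyone in this thread. It decodes a NetFlow v9 datagram per RFC 3954 (header, template flowset, data flowset) from a constructed packet built inline, and can optionally bind a port and report which versions each exporter sends. The addresses, ports, counters and the template ID 256 in the sample are made up for the example.

```python
import socket
import struct

# NetFlow v9 packet header (RFC 3954 section 5.1); every field is big-endian.
V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUpTime, unix_secs, sequence, source_id

# Field type numbers from RFC 3954 section 8 for the fields the sample template uses.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def parse_header(data):
    """Return the v9 header as a dict, or raise if this is not a v9 datagram."""
    if len(data) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9: version field is {version}")
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "sequence": seq, "source_id": source_id}


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else is a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(data, templates=None):
    """Walk every flowset in one datagram and return (header, templates, records).

    `templates` is the per-exporter template cache (template ID -> [(type, length), ...]).
    Pass the same dict across datagrams: an exporter sends templates only periodically, and
    data records that arrive before their template cannot be decoded (they are reported, not dropped).
    """
    templates = {} if templates is None else templates
    header = parse_header(data)
    records = []
    offset = V9_HEADER.size
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, offset)
        if fs_len < 4 or offset + fs_len > len(data):
            raise ValueError(f"bad flowset length {fs_len} at offset {offset}")
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:                          # template flowset
            pos = 0
            while pos + 4 <= len(body):         # fewer than 4 trailing bytes are padding
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError(f"template {tid} truncated")
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                      # data flowset, keyed by template ID
            fields = templates.get(fs_id)
            if fields is None:
                records.append({"template_id": fs_id, "undecodable": True})
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are skipped in this example.
        offset += fs_len
    return header, templates, records


def build_sample_datagram(include_template=True):
    """Constructed v9 datagram: template 256 (five fields) and one data record that uses it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)]  # src IP, dst IP, src port, dst port, bytes
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    record = socket.inet_aton("10.0.0.5") + socket.inet_aton("192.0.2.10") + struct.pack("!HHI", 51234, 443, 1500)
    data_fs = struct.pack("!HH", 256, 4 + len(record)) + record
    header = V9_HEADER.pack(9, 2 if include_template else 1, 120000, 1356819715, 1, 42)
    return header + (template_fs if include_template else b"") + data_fs


def listen_and_report(port=9995, seconds=10):
    """Bind the collector port and report, per exporter, which NetFlow versions arrive.
    Run it only while the NetFlow Integrator is stopped, since it holds the port otherwise."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    sock.settimeout(seconds)
    seen, cache = {}, {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            version = struct.unpack_from("!H", data, 0)[0] if len(data) >= 2 else None
            seen.setdefault(src, set()).add(version)
            if version == 9:
                _, _, recs = parse_v9(data, cache)
                waiting = sum(1 for r in recs if r.get("undecodable"))
                print(f"{src}: v9, {len(recs)} records, {waiting} awaiting a template")
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    print(parse_v9(build_sample_datagram()))
```

If `listen_and_report` shows a version other than 9 (or nothing at all) on 9995, the exporter side is the problem, not the app. If it keeps reporting records "awaiting a template" for longer than the exporter's template refresh interval, the device is not sending templates to this collector, and no v9 collector can decode those records.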
I have not seen this particular issue before; can you send me the output of ls -a to firstname.lastname@example.org for the following:
Thanks for the feedback jtc242. I can see the two scripts in the inputs, but I don't have a directory for the flow integrator as the app is expecting. It looks to me like the full install did not work. I am not running an SELinux version but rather FreeBSD. To complicate it even more, I am running Splunk inside a jail. Because I am running this in a jail, I don't have different users for the applications (i.e. Splunk, Apache, etc.). Everything is run under root, as this is a personal sandbox environment and root in a jail is isolated to that jail. I have loaded a few other apps with no issues. I think I just need to manually install the Flow Integrator Server portion and this will work. Any feedback on logs to check to help isolate the issue would be helpful.
It isn't a separate app. The integrator is put into /opt/splunk/etc/apps/netflow/bin/flowintegrator_linux32 (or similar). There are two scripts in Splunk > Manager > Data inputs > Script that kick it off. You may have a permissions issue, or maybe SELinux could be interfering. My issue is different, but I thought it may be in the same vein.
Well, I don't see a separate app for just the NetFlow Integrator Server. I guess I am at a loss right now on how to get the NetFlow portion of this, as I seem to have the syslog conversion listener.
Ok. I think the part I missed is that the NetFlow for Splunk app does not appear to load the NetFlow Integrator Server app as well. This is why I only saw the port UDP:11514 listening. When I go to Splunk > NetFlow for Splunk > NetFlow Integrator Server Configuration,
I saw this:
/opt/splunk/etc/apps/netflow/bin/flowintegrator_others/bin/flowintegrator: not found
Working on getting the flow integrator now to resolve this. I am new to the apps, so I must have missed something.
I did confirm the configuration... and here is controller.log:
Waiting for server to connect...
Start up configuration complete
Scheduler> quit (delay 10 sec.)
The nfc server shows data like this:
12-29 15:01:55.993 RX: 194270 (9/s) WT: 4264867 (216/s) TX: 0 (0/s) drop: w: 11
and the keep-alive log:
2012-12-29 15:02:19,047 INFO NetFlow Integrator is running (PID: 13191).
The netflow controller log is empty.
Sorry to hijack, but I am seeing the same thing and was wondering if this was resolved. I can sniff traffic coming into port 9995 but don't see anything on port 11514 on the loopback. I tried changing 11514 to be on eth0 instead of lo just to try, but I'm still not seeing data. I did notice that the controller only runs for a short time and then quits. Is that normal behavior? I am running CentOS 5.5 32-bit and using Splunk 5.0.1 and 3.1 of your app. NetFlow is being sent from a Palo Alto box.