Collect Appflow information for netscaler

I have configured NetScaler to send logs over to Splunk. I am receiving audit logs in Splunk. I have used the IPFIX add-on to collect AppFlow logs from my NetScaler. I have configured AppFlow collectors, actions and policies, but I am not able to receive any AppFlow information in my Splunk instance. I am getting the below message in /opt/splunk/var/log/splunk/ipfix.log:

CRITICAL pid=94058 tid=MainThread file=ModInput.py:stream_events:107 | Unable to bind [ipfix://appflow] XX.XX.XX.XX:1515
2018-04-12 09:27:16,368 CRITICAL pid=94058 tid=MainThread file=event_writer.py:log:120 | Traceback (most recent call last): ||   File "/opt/splunk/etc/apps/Splunk_TA_ipfix/bin/splunklib/modularinput/script.py", line 74, in run_script ||     self.stream_events(self._input_definition, event_writer) ||   File "/opt/splunk/etc/apps/Splunk_TA_ipfix/bin/IPFIX/ModInput.py", line 105, in stream_events ||     s.bind((bind_host, bind_port)) ||   File "/opt/splunk/lib/python2.7/socket.py", line 228, in meth ||     return getattr(self._sock,name)(*args) || error: [Errno 99] Cannot assign requested address

My ipfix inputs.conf is as below:

[ipfix://appflow]
address = XX.XX.XX.XX
buffer = 10485760
index = netscaler
port = 1515
interval = 300

I am getting data when I search for

sourcetype="citrix_netscaler"

I have audit logs coming on port 1514, Appflow is configured on 1515.
I have no information coming when I run the command

netstat -an | grep 1515

Any help is greatly appreciated.

Thank you.

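The traceback above fails inside `s.bind((bind_host, bind_port))` with errno 99 (EADDRNOTAVAIL), which bind() returns when the requested address is not assigned to an interface on the host running the input. The following diagnostic is an added example, not part of the original post or of Splunk_TA_ipfix: it repeats the bind for each `ipfix://` stanza and classifies the error. Assumptions: the input listens on UDP, and `192.0.2.10` is a constructed placeholder for the masked address.

```python
import configparser
import errno
import socket

# Constructed stanza; 192.0.2.10 is a documentation-range placeholder address.
SAMPLE_INPUTS_CONF = """
[ipfix://appflow]
address = 192.0.2.10
buffer = 10485760
index = netscaler
port = 1515
interval = 300
"""

VERDICTS = {
    errno.EADDRNOTAVAIL: "address is not assigned to any interface on this host",
    errno.EADDRINUSE: "another process already holds this address and port",
    errno.EACCES: "insufficient privilege to bind this port",
}

def check_bind(address, port):
    """Attempt the same bind() call the input makes and classify the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # assumption: UDP export
    try:
        sock.bind((address, port))
        return ("OK", "bind succeeded")
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return (name, VERDICTS.get(exc.errno, exc.strerror))
    finally:
        sock.close()

def check_inputs_conf(text):
    """Run check_bind for every ipfix:// stanza found in inputs.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    results = {}
    for section in parser.sections():
        if section.startswith("ipfix://"):
            results[section] = check_bind(parser[section]["address"],
                                          parser[section].getint("port"))
    return results

if __name__ == "__main__":
    for stanza, (code, reason) in check_inputs_conf(SAMPLE_INPUTS_CONF).items():
        print(f"{stanza}: {code} - {reason}")
```

Run it on the Splunk host against the real inputs.conf text while the input is stopped; a bind that never succeeds also explains an empty `netstat -an | grep 1515`.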