Stream Addon setup with Netflow from Firewall

Crashfry
Path Finder

So I have followed the most basic steps to set up the Stream TA within our test environment, which is a single deployment instance. Set up the TA and ran the permissions file, which seemed to work fine with no errors. I moved the streamfwd.conf file into the local directory of the instance and used the local IP address, the port for receiving that Netflow will be pointing to, as well as the source being Netflow data. Restarted Splunk, as it seems this is the basic setup for ingesting Netflow data that is being sent to the server. Is this a correct assumption? I notice, though, that the port that I'm assuming should be listening is not when running a netstat, and I have seen a couple of questions on here regarding this issue of the port not listening after configuration - what am I missing with this? Is there further configuration from the Splunk side to get this going?

1 Solution

Crashfry
Path Finder

Got this working - instructions for the Stream application/addon are a bit confusing, as you have to use portions of each of the setups to get this going.
Steps:
1. Run permissions
2. Copy the streamfwd.conf to the local directory within the addon
3. Make configuration changes in the streamfwd.conf file for netflow
4. Configure the http_input file for netflow using the same configuration key as the streamfwd.conf
5. Enable netflow through the GUI in the stream app
6. Enable stream through the output file in the default directory.

Rough steps.

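Once the steps above are done and Splunk has been restarted, the practical question is whether the receiver is actually up and decoding flows. The script below is an added example, not code from this thread or from Splunk: it reads the NetFlow receiver settings out of a streamfwd.conf fragment, flags incomplete receiver definitions (the sort of gap that leaves no UDP listener after a restart), and builds a minimal NetFlow v5 datagram that can be sent to the configured ip/port to confirm ingestion end to end. The `netflowReceiver.<n>.ip`, `.port` and `.decoder` keys are assumed to be what step 3 refers to; verify them against the streamfwd.conf.spec shipped with your Stream version. The sample configuration and the sample flow are constructed for this example.

```python
"""End-to-end check of a Splunk Stream NetFlow receiver.

Added example, not code from the thread or from Splunk. Assumed (verify against
the streamfwd.conf.spec shipped with your Stream version): the NetFlow receiver
is configured with netflowReceiver.<n>.ip / .port / .decoder keys. The sample
configuration below is constructed for this example.
"""
import socket
import struct
import time

# Constructed sample of the streamfwd.conf fragment described in the answer.
SAMPLE_STREAMFWD_CONF = """\
[streamfwd]
netflowReceiver.0.ip = 127.0.0.1
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
"""

# NetFlow v5 wire format: 24-byte header followed by 48-byte flow records.
NETFLOW_V5_HEADER = "!HHIIIIBBH"
NETFLOW_V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"


def parse_netflow_receivers(conf_text):
    """Collect netflowReceiver.<n>.<key> settings into {n: {key: value}}."""
    receivers = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) == 3 and parts[0] == "netflowReceiver" and parts[1].isdigit():
            receivers.setdefault(int(parts[1]), {})[parts[2]] = value.strip()
    return receivers


def check_receivers(receivers):
    """Return a list of configuration problems; an empty list means every receiver is complete."""
    problems = []
    for idx, settings in sorted(receivers.items()):
        for required in ("ip", "port", "decoder"):
            if required not in settings:
                problems.append(f"netflowReceiver.{idx}.{required} is missing")
        port = settings.get("port", "")
        if port and not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"netflowReceiver.{idx}.port is not a valid UDP port")
    return problems


def build_netflow_v5(flows, sequence=0, uptime_ms=1000):
    """Encode a list of flow dicts as one NetFlow v5 datagram."""
    header = struct.pack(NETFLOW_V5_HEADER, 5, len(flows), uptime_ms,
                         int(time.time()), 0, sequence, 0, 0, 0)
    records = b"".join(
        struct.pack(NETFLOW_V5_RECORD,
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0" * 4,
                    0, 0,                                      # input/output ifIndex
                    f["packets"], f["bytes"],
                    0, uptime_ms,                              # first/last seen (sysuptime ms)
                    f["sport"], f["dport"],
                    0, f.get("tcp_flags", 0), f["proto"], 0,   # pad, TCP flags, protocol, ToS
                    0, 0, 0, 0, 0)                             # AS numbers, masks, pad
        for f in flows)
    return header + records


def parse_netflow_v5(datagram):
    """Decode a NetFlow v5 datagram back into flow dicts (what the receiver will see)."""
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) != 24 + 48 * count:
        raise ValueError("datagram length does not match the header's record count")
    flows = []
    for i in range(count):
        rec = struct.unpack_from(NETFLOW_V5_RECORD, datagram, 24 + 48 * i)
        flows.append({"src": socket.inet_ntoa(rec[0]), "dst": socket.inet_ntoa(rec[1]),
                      "packets": rec[5], "bytes": rec[6],
                      "sport": rec[9], "dport": rec[10], "proto": rec[13]})
    return flows


def send_test_flow(conf_text=SAMPLE_STREAMFWD_CONF, index=0):
    """Send one constructed flow to the configured receiver; returns the number of bytes sent."""
    receiver = parse_netflow_receivers(conf_text)[index]
    flow = {"src": "10.0.0.5", "dst": "10.0.0.9", "packets": 3, "bytes": 180,
            "sport": 40000, "dport": 53, "proto": 17}
    datagram = build_netflow_v5([flow], sequence=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (receiver["ip"], int(receiver["port"])))


if __name__ == "__main__":
    found = parse_netflow_receivers(SAMPLE_STREAMFWD_CONF)
    for problem in check_receivers(found):
        print("config problem:", problem)
    print("sent", send_test_flow(), "bytes; the flow should now appear in the Stream index")
```

Run it on the host where streamfwd runs, with the real streamfwd.conf text in place of the constructed sample. If `check_receivers` is clean but `netstat`/`ss -lun` still shows nothing on the port after a restart, the problem is in the remaining steps (the http_input key, the GUI enablement, or the outputs file), not in the receiver stanza itself.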
