Deployment Architecture

Netscaler AppFlow Independent Forwarder

david2510
Engager

Hi,

I am attempting to get some analytics from the Netscaler into Splunk via an Independent Forwarder using AppFlow policies on the Netscaler.

I have followed this document to install and configure the Independent Forwarder:
https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/InstallStreamForwarderonindepe...

I then followed this one to setup the above Independent Forwarder so it could receive the IPFIX data from the Netscaler AppFlow policy:
https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoingestNetflowandIPF...

When I applied the Netscaler AppFlow policy to a virtual server, data was not coming through. I ran tail -f on the streamfwd.log and it was indicating that it did not have the required templates to decode the netflow. I amended the template refresh interval on the Netscaler to 60 seconds and sure enough, not too long after that, the data was making its way into the specified index.

When I search the index where the data is going to (index="netscaler"), it seems the Netflow elements are not being decoded. I have basic information such as source IP and destination IP, but all other data, I suspect, is locked away under the netflow_elements field, which contains no human-readable data.

https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/ConfigureIPFIXinputs
This document says to set the source type to citrix:netscaler:ipfix, and I did so in the httpinput inputs.conf, but this appears to have no effect, as the source on the aforementioned events is simply stream:netflow.

Any assistance would be greatly appreciated.

Regards,
David

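The "did not have the required templates" symptom described above is a property of IPFIX itself: data records are only decodable once the exporter has sent the template (set ID 2) that describes them, and a collector started after the NetScaler's last template refresh must wait for the next one. The following parser, added here as an example and not code from the original post, from Splunk Stream or from Citrix, replays a small constructed stream of IPFIX messages and reports which data records could be decoded and which arrived before their template. The two messages, the template with only sourceIPv4Address (IE 8) and destinationIPv4Address (IE 12), and the field names src_ip and dest_ip are all constructed for the example; variable-length IEs and options templates are deliberately not handled.

```python
"""Minimal IPFIX (NetFlow v10) set parser used to check whether a collector
holds the templates it needs before data records arrive.  Constructed
example; the sample messages below are not real NetScaler exports."""
import struct
from typing import Dict, List, Tuple

IPFIX_VERSION = 10
SET_TEMPLATE = 2
SET_OPTIONS_TEMPLATE = 3
VARIABLE_LENGTH = 0xFFFF

# Assumed field names for the two IANA IEs used in the sample template.
IE_NAMES = {8: "src_ip", 12: "dest_ip"}


def parse_templates(body: bytes) -> Dict[int, List[Tuple[int, int]]]:
    """Parse a Template Set body into {template_id: [(ie_id, length), ...]}."""
    templates: Dict[int, List[Tuple[int, int]]] = {}
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        off += 4
        if tid == 0 and count == 0:  # trailing padding
            break
        fields = []
        for _ in range(count):
            ie, length = struct.unpack_from("!HH", body, off)
            off += 4
            if ie & 0x8000:  # enterprise-specific IE: 4-byte PEN follows
                off += 4
                ie &= 0x7FFF
            if length == VARIABLE_LENGTH:
                raise ValueError("variable-length IEs not handled in this example")
            fields.append((ie, length))
        templates[tid] = fields
    return templates


def decode_record(fields, body: bytes, off: int):
    """Decode one fixed-length data record; returns (record, new offset)."""
    rec = {}
    for ie, length in fields:
        raw = body[off:off + length]
        off += length
        if ie in IE_NAMES and length == 4:
            rec[IE_NAMES[ie]] = ".".join(str(b) for b in raw)
        else:
            rec[f"ie{ie}"] = raw.hex()  # unknown IE: keep raw bytes, like netflow_elements
    return rec, off


def parse_message(msg: bytes, templates: dict) -> dict:
    """Parse one IPFIX message, updating `templates` in place.

    Returns the number of template records learned, the decoded data records,
    and the template IDs of data sets that arrived before their template."""
    version, length, _export_time, _seq, _odid = struct.unpack_from("!HHIII", msg, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX: version {version}")
    summary = {"templates": 0, "decoded": [], "missing_template": []}
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        body = msg[off + 4:off + set_len]
        if set_id == SET_TEMPLATE:
            new = parse_templates(body)
            templates.update(new)
            summary["templates"] += len(new)
        elif set_id == SET_OPTIONS_TEMPLATE:
            pass  # options templates are ignored in this example
        elif set_id >= 256:  # data set; set ID is the template ID
            fields = templates.get(set_id)
            if fields is None:
                summary["missing_template"].append(set_id)
            else:
                rec_len = sum(l for _, l in fields)
                o = 0
                while o + rec_len <= len(body):
                    rec, o = decode_record(fields, body, o)
                    summary["decoded"].append(rec)
        off += set_len
    return summary


def build_message(sets, seq=0, odid=1) -> bytes:
    """Assemble an IPFIX message from (set_id, set_body) pairs (constructed input)."""
    body = b"".join(struct.pack("!HH", sid, 4 + len(sb)) + sb for sid, sb in sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, seq, odid) + body


# Constructed sample: template 256 = sourceIPv4Address(4) + destinationIPv4Address(4)
TEMPLATE_256 = struct.pack("!HH", 256, 2) + struct.pack("!HHHH", 8, 4, 12, 4)
RECORD = bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 20])
MSG_DATA_FIRST = build_message([(256, RECORD)], seq=0)            # data before template
MSG_WITH_TEMPLATE = build_message([(2, TEMPLATE_256), (256, RECORD)], seq=1)


def replay(messages):
    """Feed messages to the parser in order, sharing one template cache."""
    templates: dict = {}
    return [parse_message(m, templates) for m in messages]


if __name__ == "__main__":
    for i, s in enumerate(replay([MSG_DATA_FIRST, MSG_WITH_TEMPLATE])):
        print(f"message {i}: {s}")
```

To use this against a real forwarder, capture the UDP datagrams on the port the Stream forwarder listens on for IPFIX (for example with tcpdump on the forwarder host) and pass each datagram payload to parse_message with a shared templates dict; a run that reports missing_template for every message until the first set ID 2 appears is the same condition the streamfwd.log message describes, and shortening the NetScaler template refresh interval only shortens that window.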

NetFlow_Logic
Contributor

David,

Another alternative to ingest Netscaler AppFlow (IPFIX) into Splunk is with our product, NetFlow Optimizer (we are a Splunk Technology Partner). You can download it and get a 60-day free license by visiting https://www.netflowlogic.com/downloads/register-form/

Please contact us directly at trials@netflowlogic.com if you have any questions or need help.
