Getting Data In

Netflow app not retrieving any data

omgemeasts
Engager

I am sure this is probably a very simple issue; however, I am not seeing what the problem is.

I have installed the app Splunk for Netflow. It's a 32-bit OS, so I have changed the two files required to let this work on a 32-bit OS. I have also installed nfdump. I can go to the app's page, but it simply tells me "No results found" on any timeline. I have also run nfdump from the command line and I see no data coming in:

root@syslog-server:~# nfdump
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows

So from this I am going to presume it's not a problem with the netflow app but a problem with getting the data.

Here is my 6509 config:

ip flow ingress layer2-switched vlan 1-50
ipv6 mfib hardware-switching replication-mode ingress
no mls acl tcam share-global
mls aging long 64
mls aging normal 64
mls netflow interface
mls flow ip interface-full
mls nde sender version 5

ip flow-export source Vlan5
ip flow-export version 5
ip flow-export destination 1.1.1.9 9996
ip flow-export destination 1.1.1.7 9996

So from what I can see everything is correct, and even this command shows data is being sent:

EMEA-IDC-6509-1#sh ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.2.5 (Vlan5)
Source(2) 1.1.2.5 (Vlan5)
Destination(1) 1.1.1.9 (9996)
Destination(2) 1.1.1.7 (9996)
Version 5 flow records
3824923447 flows exported in 127497449 udp datagrams

Does anyone know any other ways to debug my issue? Everything I have read on the internet shows that simply installing the app and nfdump worked for them once their router was configured correctly, so searching for other people with similar issues to mine hasn't shown any results.

0 Karma

Spelunke
Path Finder

Please check with wireshark or tcpdump if you can see any flows on the server.

0 Karma
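A worked way to do the check Spelunke suggests, added here as an example and not code from this thread, from Splunk, or from the nfdump project: a small Python listener that binds the collector port and decodes the first NetFlow v5 datagram it receives, so you can confirm that export packets actually reach the server and that they are version 5 on port 9996 (the port is taken from the thread's config; everything else is assumed). It also builds a constructed sample datagram (not a real capture) so the decoder can be exercised offline.

```python
import socket
import struct
import sys
from ipaddress import IPv4Address

# NetFlow v5 wire format (big-endian): a 24-byte header followed by up to
# 30 flow records of 48 bytes each. Field order follows the Cisco v5 layout.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_v5_header(data):
    """Decode the 24-byte header; raise ValueError if this is not a sane v5 datagram."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header (%d bytes)" % len(data))
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("expected NetFlow version 5, got %d" % version)
    if not 0 < count <= MAX_RECORDS:
        raise ValueError("implausible record count %d" % count)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError("length %d does not match count (expected %d)" % (len(data), expected))
    return {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id,
        # top two bits are the sampling mode, low 14 bits the interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }


def parse_v5_records(data, count):
    """Decode `count` 48-byte flow records that follow the header."""
    records = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, in_if, out_if, packets, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(data, offset)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "input_if": in_if, "output_if": out_if,
            "packets": packets, "octets": octets,
            "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "tcp_flags": tcp_flags,
            "proto": proto, "tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return records


def decode_v5_datagram(data):
    header = parse_v5_header(data)
    return header, parse_v5_records(data, header["count"])


def build_sample_datagram():
    """Constructed sample of what a v5 exporter sends (NOT a real capture)."""
    records = [
        # one HTTPS flow of 12 packets / 9000 bytes, TCP (proto 6)
        V5_RECORD.pack(IPv4Address("10.0.1.10").packed, IPv4Address("10.0.2.20").packed,
                       IPv4Address("0.0.0.0").packed, 5, 7, 12, 9000, 1000, 1800,
                       51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0),
        # one DNS query of 1 packet / 76 bytes, UDP (proto 17)
        V5_RECORD.pack(IPv4Address("10.0.3.30").packed, IPv4Address("10.0.4.40").packed,
                       IPv4Address("0.0.0.0").packed, 5, 7, 1, 76, 2000, 2000,
                       53001, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0),
    ]
    header = V5_HEADER.pack(5, len(records), 3600000, 1700000000, 0, 1000, 0, 0, 0)
    return header + b"".join(records)


def listen_once(port=9996, timeout=30.0):
    """Bind the collector port and decode the first datagram that arrives.

    Returns (sender, header, records) or None on timeout. If nfcapd or Splunk
    already holds the port, bind() raises EADDRINUSE: stop that listener
    first, or capture with tcpdump instead.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("0.0.0.0", port))
        data, sender = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    header, records = decode_v5_datagram(data)
    return sender, header, records


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--listen":
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 9996
        result = listen_once(port)
        print("nothing received before timeout" if result is None else result)
    else:
        hdr, recs = decode_v5_datagram(build_sample_datagram())
        print(hdr)
        for rec in recs:
            print(rec)
```

Run it with `--listen 9996` while nfcapd is stopped. Three outcomes map to three places to look: a bind error means something already holds the port (so the listener side is fine and tcpdump is the next step); a timeout while the switch's exported-datagram counter keeps climbing points at the path in between (ACLs, a host firewall, or the wrong destination address); a datagram that decodes as some version other than 5 means the collector is configured for the wrong format.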

omgemeasts
Engager

One last thing: maybe it's because Splunk is running as root and not as the splunk user? I think this needs to be resolved, but then again, it doesn't explain why nfdump isn't seeing anything, so that's probably still not the reason.

0 Karma

omgemeasts
Engager

Yes I can; netcat -u ip_address 9996 connects, though I cannot see it in netstat, so I think NetFlow is OK and this is a Debian OS issue. I think I'd best take this question to another forum.

Thanks for everyone's help; hopefully I can resolve this.

0 Karma

dmaislin_splunk
Splunk Employee

Can you telnet to the Splunk server on that port? If so, then there is nothing wrong on our side. Is there anything in between that is blocking the connection?

0 Karma

omgemeasts
Engager

I am going to guess that I should be able to see packets if I run nfdump manually from the console, so as I am not, it's probably not a problem with Splunk or the Netflow app, but either with my switch sending the data or my server receiving it.

0 Karma

omgemeasts
Engager

Hmm, still no data.

0 Karma

omgemeasts
Engager

Ah, this is a good point. OK, I have done this; I will wait for a few minutes to see if this fixes the problem. And dmaislin_splunk, I have read that and changed the sourcetype to netflow, but I'm still not seeing any data. I will give it a few more minutes.

0 Karma

dmaislin_splunk
Splunk Employee

The app relies on the sourcetype=netflow.

0 Karma

omgemeasts
Engager

You assume correctly. The only thing I can really notice about it is the fact that the source type is syslog; not sure if that matters?

UDP port   Source type   Status     Actions
514        syslog        Disabled   Enable | Clone | Delete
9996       syslog        Enabled    Disable | Clone | Delete

0 Karma

dmaislin_splunk
Splunk Employee

And I assume you went to Manager / Data Inputs / UDP and enabled port 9996?

0 Karma

omgemeasts
Engager

Yes, here it is:

[nfcapd]
# UDP port to listen for incoming netflow.
port = 9996

And on my 6509:

ip flow-export destination 1.1.1.7 9996

0 Karma

dmaislin_splunk
Splunk Employee

Look in the config.ini in the default directory of the app. You need to allow Splunk to receive NetFlow data via UDP on port 9995, or on whichever port you decide to change it to in the config file.

[nfcapd]
# UDP port to listen for incoming netflow.
port = 9995

0 Karma

omgemeasts
Engager

Maybe this is not the right forum to ask this question, and I should ask on a more OS-based forum?

0 Karma