I am sure this is probably a very simple issue; however, I am not seeing what the problem is.
I have installed the app Splunk for Netflow. It's a 32-bit OS, so I have changed the two files required to let this work on the 32-bit OS. I have also installed nfdump. I can go to the app's page, but it simply tells me "No results found" on any timeline. I have also run nfdump from the command line and I see no data coming in:
root@syslog-server:~# nfdump
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
So from this I am going to presume it's not a problem with the NetFlow app but a problem with getting the data.
Here is my 6509 config:
ip flow ingress layer2-switched vlan 1-50
ipv6 mfib hardware-switching replication-mode ingress
no mls acl tcam share-global
mls aging long 64
mls aging normal 64
mls netflow interface
mls flow ip interface-full
mls nde sender version 5
ip flow-export source Vlan5
ip flow-export version 5
ip flow-export destination 1.1.1.9 9996
ip flow-export destination 1.1.1.7 9996
So from what I can see everything is correct, and even this command shows data is being sent:
EMEA-IDC-6509-1#sh ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.2.5 (Vlan5)
Source(2) 1.1.2.5 (Vlan5)
Destination(1) 1.1.1.9 (9996)
Destination(2) 1.1.1.7 (9996)
Version 5 flow records
3824923447 flows exported in 127497449 udp datagrams
Does anyone know any other ways to debug my issue? Everything I have read on the internet shows that simply installing the app and nfdump worked for them after their router was configured correctly, so searching for other people with similar issues to mine hasn't shown any results.
Please check with Wireshark or tcpdump whether you can see any flows on the server.
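As an added example (not part of the original thread, the Splunk app, or nfdump), the following Python script is a minimal substitute for the tcpdump/Wireshark check suggested above: it binds the export port (9996 here, matching the thread's `ip flow-export destination ... 9996`), decodes each datagram as a NetFlow v5 header plus 48-byte records, rejects anything that is not v5, and reports gaps in the `flow_sequence` counter so UDP loss between the 6509 and the server is visible. Function names (`parse_v5`, `build_v5`, `sequence_gap`, `listen`), the sample flows and the 192.0.2.x addresses are constructed for the example. `build_v5` exists only so the decoder can be exercised offline; the layout it packs is the standard v5 header and record format.

```python
"""Listen for NetFlow v5 on a UDP port and decode what actually arrives."""
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling (2-bit mode | 14-bit interval)
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
# v5 record: src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
# sport, dport, pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes


def parse_v5(datagram):
    """Decode one datagram; raise ValueError if it is not well-formed NetFlow v5."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("only %d bytes, shorter than a v5 header" % len(datagram))
    (version, count, sys_uptime, unix_secs, _nsecs, flow_sequence,
     _engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version field is %d" % version)
    expected = HEADER_LEN + count * RECORD_LEN
    if len(datagram) != expected:
        raise ValueError("header claims %d flows (%d bytes) but datagram is %d bytes"
                         % (count, expected, len(datagram)))
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto,
                      "tcp_flags": tcp_flags, "packets": pkts, "bytes": octets})
    return {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
            "unix_secs": unix_secs, "flow_sequence": flow_sequence,
            "engine_id": engine_id, "sampling_interval": sampling & 0x3FFF,
            "flows": flows}


def build_v5(flows, flow_sequence=0, sys_uptime_ms=0, unix_secs=0):
    """Pack a v5 datagram from dicts like the ones parse_v5 returns (test helper)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime_ms, unix_secs, 0,
                         flow_sequence, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed,
                    b"\0\0\0\0", 0, 0, f["packets"], f["bytes"], 0, 0,
                    f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                    0, 0, 0, 0, 0)
        for f in flows)
    return header + body


def sequence_gap(prev_seq, prev_count, seq):
    """Flows missing between two datagrams: the exporter increments flow_sequence
    by the number of records it sent, so the next seq should be prev_seq + prev_count.
    Positive result = flows lost in transit (UDP); negative = reordered/duplicate."""
    diff = seq - (prev_seq + prev_count)
    return (diff + 2 ** 31) % 2 ** 32 - 2 ** 31      # signed 32-bit wraparound


# Constructed sample flows (documentation addresses), used only for the offline check.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "192.0.2.20", "sport": 51234, "dport": 443,
     "proto": 6, "tcp_flags": 0x18, "packets": 12, "bytes": 4096},
    {"src": "192.0.2.30", "dst": "192.0.2.1", "sport": 53001, "dport": 53,
     "proto": 17, "packets": 1, "bytes": 78},
]


def listen(port=9996, bind_addr="0.0.0.0", max_datagrams=None):
    """Bind the export port and print each datagram. If nfcapd or Splunk already
    owns the port, bind() fails with EADDRINUSE, which answers a different question."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print("listening on udp/%d (ctrl-c to stop)" % port)
    prev, seen = None, 0
    while max_datagrams is None or seen < max_datagrams:
        data, (src_ip, src_port) = sock.recvfrom(65535)
        seen += 1
        try:
            rec = parse_v5(data)
        except ValueError as err:
            print("%s:%d sent %d bytes that are not NetFlow v5: %s" % (src_ip, src_port, len(data), err))
            continue
        lost = sequence_gap(prev[0], prev[1], rec["flow_sequence"]) if prev else 0
        prev = (rec["flow_sequence"], rec["count"])
        print("%s: %d flows, seq=%d, engine=%d, lost_since_last=%d"
              % (src_ip, rec["count"], rec["flow_sequence"], rec["engine_id"], lost))
        for f in rec["flows"]:
            print("  %s:%d -> %s:%d proto=%d pkts=%d bytes=%d" % (
                f["src"], f["sport"], f["dst"], f["dport"], f["proto"], f["packets"], f["bytes"]))


if __name__ == "__main__":
    listen()
```

Run it as root on the collector with nfcapd stopped (or on a spare port after pointing a test destination at it); if nothing prints at all while the 6509's `flows exported` counter keeps climbing, the problem is upstream of the host (routing, ACL, firewall), whereas decode errors mean something other than v5 is arriving on that port, and a steadily positive `lost_since_last` points at drops between exporter and collector.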
One last thing: maybe it's because Splunk is running as root and not as the splunk user? I think this needs to be resolved, but then again, it doesn't explain why nfdump isn't seeing anything, so that's probably still not the reason.
Yes I can; netcat -u ip_address 9996 connects, though I cannot see it in netstat, so I think NetFlow is OK and this is a Debian OS issue. I think I had best take this question to another forum.
Thanks for everyone's help, hopefully I can resolve this
Can you telnet to the Splunk server on that port? If so, then there is nothing wrong on our side. Is there anything in between that is blocking the connection?
I am going to guess that I should be able to see packets if I run nfdump manually from the console, so as I am not, it's probably not a problem with Splunk or the NetFlow app, but either with my switch sending the data or my server receiving it.
Hmm still no data
Ah, this is a good point. OK, I have done this; I will wait for a few minutes to see if this fixes the problem. And dmaislin_splunk, I have read that and made the change to sourcetype = netflow, but I am still not seeing any data; I will give it a few more minutes.
The app relies on the sourcetype=netflow
You assume correctly. The only thing I can really notice about it is the fact that the source type is syslog; not sure if that matters?
UDP port Source type Status Actions
514 syslog Disabled | Enable Clone | Delete
9996 syslog Enabled | Disable Clone | Delete
And I assume you went to Manager / Data Inputs / UDP and enabled port 9996?
Yes, here it is:
[nfcapd]
# UDP port to listen for incoming netflow.
port = 9996
And on my 6509:
ip flow-export destination 1.1.1.7 9996
Look in the config.ini in the default directory of the app. You need to allow Splunk to receive Netflow data via UDP on port 9995, or on whatever port you decide to change it to in the config file:
[nfcapd]
# UDP port to listen for incoming netflow.
port = 9995
Maybe this is not the right forum to ask this question and I should ask on a more OS-based forum...?