Hi all,
I managed to retrieve netflow from my Cisco firewall by using flowIntegrator and Splunk. But the problem is: the netflow records that I get have missing fields like destination_addr. I copied the netflow data, with the key-value matches that I retrieved, below. Does anyone have any idea about this issue? Any help is appreciated.
_sourcetype: flowintegrator
index: main
t_int: 30005
bytes: 0
host: 127.0.0.1
_cd: 1:63560
_serial: 0
fi_module: 50015
_si: ubuntu,main
date: Dec 13 11:49:23
splunk_server: ubuntu
linecount: 1
percent_of_total: 0
_indextime: 1355392163
denied_cnt: 1
username: na
created_cnt: 1
source: netflow
sourcetype: flowintegrator
_bkt: main~1~3984975D-B674-425B-B482-EA9629744985
_time: 2012-12-13T11:49:23.000+02:00
ipv4_src_addr: 31.13.72.7
_raw: Dec 13 11:49:23 ff:ff:00:01 fi_module=50015 ipv4_src_addr=31.13.72.7 username=na created_cnt=1 denied_cnt=1 bytes=0 percent_of_total=0 t_int=30005
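As an added example (not code from the original post, flowIntegrator or NetFlow Logic), the following parses a record in the key=value form shown in the `_raw` line above and reports which flow fields are absent, so that incomplete exports like this one can be flagged at the collector before they reach dashboards or correlation searches. A flow without a destination address cannot be paired into a conversation, which is what most detection logic needs. Only `ipv4_src_addr`, `bytes` and the other keys in the `_raw` line come from the post; `ipv4_dst_addr`, `l4_src_port`, `l4_dst_port` and `protocol` are assumed NetFlow v9-style names and the second sample line is constructed.

```python
import re
from typing import Dict, List, Iterable

# Syslog-style prefix (timestamp and sender id) followed by key=value pairs,
# matching the shape of the _raw line in the post.
_HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<sender>\S+) (?P<kv>.*)$"
)
_KV_RE = re.compile(r"(\w+)=(\S*)")

# Fields a flow record needs to be usable for source/destination analysis.
# ipv4_src_addr and bytes appear in the post; the others are assumed
# NetFlow v9-style names and may differ in a given flowIntegrator rule.
EXPECTED_FIELDS: List[str] = [
    "ipv4_src_addr",
    "ipv4_dst_addr",
    "l4_src_port",
    "l4_dst_port",
    "protocol",
    "bytes",
]

# First line is the _raw record from the post; second line is constructed
# to show what a complete record would look like under the same format.
SAMPLE_LINES: List[str] = [
    "Dec 13 11:49:23 ff:ff:00:01 fi_module=50015 ipv4_src_addr=31.13.72.7 "
    "username=na created_cnt=1 denied_cnt=1 bytes=0 percent_of_total=0 t_int=30005",
    "Dec 13 11:50:01 ff:ff:00:01 fi_module=50015 ipv4_src_addr=10.0.0.5 "
    "ipv4_dst_addr=192.0.2.10 l4_src_port=51234 l4_dst_port=443 protocol=6 "
    "bytes=1450 t_int=30005",
]


def parse_record(raw: str) -> Dict[str, str]:
    """Split one record into a dict of its key=value pairs plus the header."""
    m = _HEADER_RE.match(raw.strip())
    if not m:
        raise ValueError("not a recognised flowintegrator record: %r" % raw)
    fields: Dict[str, str] = {"_ts": m.group("ts"), "_sender": m.group("sender")}
    fields.update(_KV_RE.findall(m.group("kv")))
    return fields


def missing_fields(record: Dict[str, str],
                   expected: Iterable[str] = EXPECTED_FIELDS) -> List[str]:
    """Return the expected field names that the record does not carry."""
    return [name for name in expected if name not in record]


def audit(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map line index -> missing fields, for every line that lacks any."""
    problems: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        missing = missing_fields(parse_record(line))
        if missing:
            problems[idx] = missing
    return problems


if __name__ == "__main__":
    for idx, missing in audit(SAMPLE_LINES).items():
        print("line %d is missing: %s" % (idx, ", ".join(missing)))
```

Run against the two sample lines, only the record from the post is reported, as it carries a source address and a byte count but no destination, ports or protocol; the constructed record passes. The same `audit` loop can be pointed at a file of exported records to check a new flowIntegrator rule before relying on it.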
The field for destination_addr is supported in another rule available in the latest beta for 2.0. You will need to register for it on our website: http://www.netflowlogic.com. If you have any additional questions or support requests, please see our support site at: https://netflowlogic.zendesk.com/home