How do you collect NetFlow events over the syslog protocol so you can analysis them with a tool like Log Insight? That is the question I would like to answer in this post!
What is NetFlow?
From Wikipedia:
NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information.
Is configuring syslog on network devices enough?
It depends on requirements. What is important to keep in mind is that while some NetFlow information is available in syslog events, in general the information is different. Syslog handles system events and auditing, while NetFlow has disparate understanding of packets being sent and received.
How does one collect NetFlow events?
From a NetFlow collector. This is similar to how you collect syslog events with a syslog collector. Several NetFlow collectors are available and many are open source. Some examples include: NTop, Flow-tools, FlowScan, EHNT, BPFT, and NfSen.
How does one send NetFlow events over syslog?
Several options available here:
- If NetFlow events are collected and stored on a filesystem that has a syslog agent then the syslog agent can be configured to monitor the directories or files that contain NetFlow information. For more information on monitoring directories and files with a syslog agent see these posts: https://sflanders.net/2013/10/22/syslog-agents-linux/ and https://sflanders.net/2013/10/25/syslog-agents-windows/.
- Use an open-source NetFlow collector that supports syslog. NTop is an example of such a collector and can be run like:
ntop --daemon --use-syslog
and
ntop --daemon --use-syslog=local3
for more information, see the ntop man page.
- Use an enterprise NetFlow collector. An example of such a collector would be the NetFlow Integrator provided by NetFlow Logic. NetFlow Logic will soon have a Log Insight content pack available (coming soon link here) with predefined knowledge of syslog events sent from its NetFlow Integrator product.
© 2013, Steve Flanders. All rights reserved.