This technology add-on collects any *flow data, including cloud flow logs, processed by NetFlow Optimizer™ (NFO) software. It can be deployed in Splunk Enterprise or Splunk Cloud environments.
NFO supports NetFlow v5, v9, sFlow, J-Flow, IPFIX, Cisco ASA NSEL, Cisco HSL, Cisco AVC, Palo Alto Networks NetFlow, Amazon AWS VPC Flow Logs, Azure NSG Flow Logs and Google VPC Flow Logs.
This data is then visualized by the NetFlow Analytics for Splunk App (https://splunkbase.splunk.com/app/489/) or by the Splunk App for Enterprise Security (https://splunkbase.splunk.com/app/263/).
Start Your Free Trial by registering at https://www.netflowlogic.com/download/.
The Technology Add-on for NetFlow relies on flow data processed by NetFlow Optimizer and enables you to analyse it using Splunk® Enterprise or Splunk Cloud.
It provides CIM-compliant field names, eventtypes and tags for NetFlow Optimizer data.
The add-on can also be used to generate sample events for testing: it contains samples of NetFlow data and configuration files for the event generator.
Setup after installation - Splunk Enterprise:
- TA-netflow expects events sent from NetFlow Optimizer to arrive with the sourcetype "flowintegrator"; the add-on's field extractions, eventtypes and tags are keyed on that sourcetype, so events indexed under any other sourcetype will not be parsed. To set it up, create the file $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf and add the following lines to it:
[udp://10514]
sourcetype = flowintegrator
- By default NetFlow Optimizer events will be stored in the main index. To use a dedicated index instead, create the file $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf and add the following lines to it (in a distributed deployment an index definition only takes effect on the indexers, so this file belongs on every indexer, not only on the search head):
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
Then make sure the UDP stanza in $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf also names the new index, so that it reads:
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
Restart Splunk for the configuration changes to take effect.
Setup after installation - Splunk Cloud:
- Set up forwarding to your Splunk Cloud instance; the recommended method is described here:
https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/HowtoforwarddatatoSplunkCloud
- TA-netflow expects events sent from NetFlow Optimizer to arrive with the sourcetype "flowintegrator"; events indexed under any other sourcetype will not be parsed by the add-on. To set it up, on the universal forwarder (UF) that forwards to Splunk Cloud, create the file $SPLUNK_UF_ROOT/etc/system/local/inputs.conf if it does not exist, and add the following lines to it:
[udp://10514]
sourcetype = flowintegrator
- [Optional] By default NetFlow Optimizer events will be stored in the main index. To use another index, create it in your Splunk Cloud instance (the index is defined in the cloud stack, not on the UF) following these instructions:
https://docs.splunk.com/Documentation/SplunkCloud/latest/User/Manageindexes
Then, on the UF forwarding to Splunk Cloud, edit the UDP stanza in $SPLUNK_UF_ROOT/etc/system/local/inputs.conf so that it names the new index; assuming the index was named flowintegrator, the stanza reads:
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
Restart the universal forwarder for the configuration changes to take effect.
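Both procedures above end with the same UDP stanza, and in both cases the listener on port 10514 accepts datagrams from any host that can reach it, so anything able to send UDP to the forwarder or indexer can inject events under the "flowintegrator" sourcetype. The following is an added example, not a file shipped with TA-netflow or taken from the NetFlow Logic documentation: it shows the two files side by side with the listener restricted to the NetFlow Optimizer host. It assumes NFO sends from 192.0.2.10 (a placeholder address, substitute your NFO host), that the index is named flowintegrator, and the retention values are illustrative only.

```ini
# Added example: hardened versions of the two files described above.
# Assumptions: NetFlow Optimizer sends from 192.0.2.10 (placeholder), the
# index is named flowintegrator, retention numbers are illustrative.

# --- inputs.conf ---
# Splunk Enterprise: $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf
# Splunk Cloud:      $SPLUNK_UF_ROOT/etc/system/local/inputs.conf on the UF
[udp://10514]
# Must match the sourcetype the add-on's props.conf is keyed on.
sourcetype = flowintegrator
# Omit this line to keep the default "main" index.
index = flowintegrator
# UDP carries no authentication, so limit the listener to the NFO host(s).
# acceptFrom takes a comma-separated list of addresses, CIDR blocks or
# DNS names; rules are matched in order and a source that matches no rule
# is rejected. Add further NFO hosts to the list as needed.
acceptFrom = 192.0.2.10
# Record the host field from the packet source address rather than a
# reverse DNS lookup, so the value cannot be influenced by DNS.
connection_host = ip

# --- indexes.conf (Splunk Enterprise only) ---
# $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf on each indexer
# (distribute through the cluster manager on an indexer cluster). On
# Splunk Cloud the index is created in the web UI instead, as above.
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
# Flow data is high-volume: cap age and size explicitly rather than
# inheriting the global defaults. 7776000 seconds is 90 days.
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 512000
```

After restarting, confirm that events arrive under the expected sourcetype and index with a search such as index=flowintegrator sourcetype=flowintegrator | stats count by host; a non-zero count from the NFO host and nothing from other hosts shows that both the sourcetype mapping and the acceptFrom restriction are in effect. Splunk .conf files do not support trailing comments on a value line, so keep comments on their own lines as above.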
Further documentation can be found at: NetFlow Analytics for Splunk User Manual
To contact NetFlow Logic support, please visit: NetFlow Logic Support page