How can I index Netflow?

1	I want to be able to search netflow data to find suspicious conversations (i.e. someone opening a connection and closing it right away). Is there a way to get a netflow feed into Splunk? netflow asked 29 Jun '10, 15:35 Dan ♦ 784●2●3●17 accept rate: 33%

2 Answers:

oldest newest most voted

5	Yes. http://www.splunk.com/wiki/Apps:TrafficFlows link answered 29 Jun '10, 17:22 rayfoo 178●1●1●10 accept rate: 12%

Netflow data is binary and, even though you could splunk it like that, it would not be useful in that form inside your Splunk GUI while searching. Therefore, the flow will need to be converted to humanly-readable text first via some NetFlow-2-Text converter, such as the ones mentioned at the "TrafficFlows" link provided in the previous answer.

Once converted to text, however, you could then easily setup Splunk to listen on any open tcp or udp port for incoming converted flow streams and just send the it directly to that port and SPlunk will index it in real time.

link

answered 18 Aug '10, 13:59

maverick ♦
2.6k●6●5●75
accept rate: 14%

See this link for the Splunk for Netflow App: http://splunkbase.splunk.com/apps/All/4.x/app:Splunk+for+NetFlow

(18 Mar '11, 02:33) maverick ♦

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

netflow ×15

Asked: 29 Jun '10, 15:35

Seen: 2,138 times

Last updated: 18 Aug '10, 13:59

How can I index Netflow?

Follow this question

Splunk Resources

Related questions