Getting Data In

Missing Netflow from Cisco ASA5505

michaelslab
New Member

All, the documentation is scattered in various places and not in one place. Help. This should be simple and not hard to do. Can someone point me to the documentation for this on the Cisco ASA5505?


NetFlow_Logic
Contributor

NetFlow Analytics for Splunk App v3.5.17 requires the Technology Add-on for NetFlow (TA-netflow) to be installed as well. To download TA-netflow please visit https://splunkbase.splunk.com/app/1838/

NetFlow Analytics for Splunk App v3.5.21 and above has the TA bundled with the App, so you should either install the TA with v3.5.17 or upgrade the App to v3.5.21.

I hope this resolves the issue.


Richfez
SplunkTrust

Hi,

From what I can see with a quick search on integrating the ASA's NetFlow with Splunk, there are three main steps.

First, enable and configure NetFlow on your ASA as per the NetFlow docs from Cisco. Have you done this? This is outside the scope of Splunk (and frankly looks fairly complicated, but that's Cisco's fault, not Splunk's). If I have it right, you should point your doohickey (flow_export_host1?) in this piece of configuration ("flow-export event-type event-type destination flow_export_host1") to your Splunk (or syslog!) instance.

Second, install a Splunk app (like the NetFlow Analytics) in Splunk. This is pretty straightforward, should just be a couple of clicks. Are you using a distributed Splunk environment or single all-in-one box?

Third, configure the input (again the single vs. distributed question comes up) so that the NetFlow you configured in Step 1 above actually gets to your Splunk indexer in a way that the app sees it. This is on page 8 of the NetFlow_Analytics manual. It also looks fairly straightforward, though if you are new to Splunk I can see how it could involve a bit of head scratching - I'm sure we'd be happy to help if we knew that this portion is the problem. BTW, I'd recommend setting up a syslog-ng server (perhaps even on your Splunk box!) and using that instead of reading the network packets directly in Splunk (more info here, but it's on rsyslog).

So, which step of the above is the one that doesn't seem to work? Or, did the link I supplied to the app and to the app's instructions help a lot?

Looking to hear back from you on this!
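Steps 1 and 3 above both hinge on the same thing: the ASA's export packets actually reaching the collector host on the port it was told about. Before touching the Splunk side it is worth confirming that with something independent of Splunk. The following is an added example, not code from this thread, from Splunk or from the NetFlow Analytics app: a small Python receiver that binds a UDP port (9995 is assumed as the export port), decodes the NetFlow v5 and v9 headers, and for v9 walks the FlowSets. Cisco ASA NSEL exports in the v9 template format, so seeing template FlowSets (ID 0) arrive alongside data FlowSets is the thing to look for; a collector that never receives the template cannot decode the data records. The two sample packets at the bottom are constructed inline so the parser can be exercised offline.

```python
"""Minimal NetFlow v5/v9 receiver to confirm exports reach the collector host.
Added example; not code from the thread, Splunk, or the NetFlow Analytics app."""
import socket
import struct
import sys
from typing import Any, Dict

# Wire layouts (network byte order) from the NetFlow v5 and v9 export formats.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow
V9_HEADER = struct.Struct("!HHIIII")                    # 20 bytes
V9_FLOWSET = struct.Struct("!HH")                       # FlowSet id, length


def _parse_v5(data: bytes) -> Dict[str, Any]:
    """Decode a NetFlow v5 header and its fixed-size flow records."""
    _, count, _, unix_secs, _, seq, _, _, _ = V5_HEADER.unpack_from(data)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < expected:
        raise ValueError(f"v5 packet truncated: {len(data)} < {expected} bytes")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"version": 5, "count": count, "sequence": seq,
            "export_time": unix_secs, "records": records}


def _parse_v9(data: bytes) -> Dict[str, Any]:
    """Decode a NetFlow v9 header and walk its FlowSets. Templates are counted,
    not decoded: data FlowSets (id >= 256) are unreadable until the matching
    template (id 0) has been received, which is why a fresh collector can sit
    on a stream of data FlowSets and still show nothing."""
    _, count, _, unix_secs, seq, source_id = V9_HEADER.unpack_from(data)
    flowsets = []
    offset = V9_HEADER.size
    while offset + V9_FLOWSET.size <= len(data):
        fs_id, length = V9_FLOWSET.unpack_from(data, offset)
        # A length below 4 would never advance; reject it instead of looping.
        if length < V9_FLOWSET.size or offset + length > len(data):
            raise ValueError(f"bad FlowSet length {length} at offset {offset}")
        kind = "template" if fs_id == 0 else "options" if fs_id == 1 else "data"
        flowsets.append({"id": fs_id, "length": length, "kind": kind})
        offset += length
    return {"version": 9, "count": count, "sequence": seq, "source_id": source_id,
            "export_time": unix_secs, "flowsets": flowsets}


def parse_packet(data: bytes) -> Dict[str, Any]:
    """Dispatch on the 16-bit version field that opens every NetFlow packet."""
    if len(data) < 2:
        raise ValueError("packet too short for a NetFlow header")
    version = struct.unpack_from("!H", data)[0]
    if version == 5 and len(data) >= V5_HEADER.size:
        return _parse_v5(data)
    if version == 9 and len(data) >= V9_HEADER.size:
        return _parse_v9(data)
    raise ValueError(f"unsupported or truncated NetFlow packet (version {version})")


def listen(port: int = 9995, max_packets: int = 5) -> int:
    """Bind udp/port (assumed export port) and report the first packets seen.
    Returns the number of packets that parsed as NetFlow."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    print(f"listening on udp/{port}; stop with Ctrl-C")
    parsed = 0
    try:
        while parsed < max_packets:
            data, (src, _) = sock.recvfrom(65535)
            try:
                info = parse_packet(data)
            except ValueError as exc:
                print(f"{src}: not NetFlow? {exc}")
                continue
            parsed += 1
            print(f"{src}: v{info['version']} seq={info['sequence']} count={info['count']}")
    finally:
        sock.close()
    return parsed


# Constructed sample packets (not captured from a real ASA) for offline checks.
SAMPLE_V5 = (V5_HEADER.pack(5, 1, 1000, 1700000000, 0, 42, 0, 0, 0)
             + V5_RECORD.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"),
                              b"\0\0\0\0", 1, 2, 10, 1500, 900, 1000, 51515, 443,
                              0, 0x18, 6, 0, 0, 0, 24, 24, 0))
SAMPLE_V9 = (V9_HEADER.pack(9, 1, 1000, 1700000000, 7, 0)
             # template FlowSet: template 256 with two fields (IPv4 src 8, IPv4 dst 12)
             + V9_FLOWSET.pack(0, 16) + struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
             # data FlowSet for template 256: one 8-byte record
             + V9_FLOWSET.pack(256, 12) + socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.5"))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        listen(int(sys.argv[1]))
    else:
        print(parse_packet(SAMPLE_V5))
        print(parse_packet(SAMPLE_V9))
```

Run it with the export port as the only argument (`python netflow_probe.py 9995`) on the host the ASA exports to, while no other collector holds that port; the bind will fail if the NetFlow Integrator or Splunk already owns it, which by itself answers the "is anything listening" question. If nothing arrives within a minute, the problem is upstream (ASA flow-export destination, routing, or a host firewall) rather than in Splunk's input or sourcetype settings.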

michaelslab
New Member

I have this installed on a Windows Server 2012 R2 box. The firewall on the server where Splunk is installed is off.
I installed Splunk on the same box. I do not need a complex Splunk install; everything lives in one place.

The Cisco part is easy for me. What port is it supposed to listen on? I'm sending data to 9995, but that port is not listening, and neither are any of the Splunk ports.

Below are the Apps Installed

[screenshot of installed apps]


Richfez
SplunkTrust

As per the linked NetFlow_Analytics manual on page 5, it's... well, frankly it's not very clear what to do. They do mention that you have to download a free trial of the NetFlow Integrator. They go on more about this on page 6, too. I don't know how important that is or what role it plays.

BUT, something I do know is they specifically talk about listening on some port for syslog on page 9. That's easy enough; you can follow along in the docs to tell Splunk (just your regular install, I don't think you need to do anything with universal forwarders at this point) to listen to a network port. You could use the standard UDP 514 or use a different port number like 10514 or something. NOTE that in the wizard you'll have to tell it the sourcetype and index settings that you can get from page 9.

Then, tell your device to send that syslog on the port you picked, give it a few minutes and see if you can search it.
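What the wizard writes down is an inputs.conf stanza, and on an all-in-one box it is often easier to check the file than to click back through the UI. The following is an added example (not from the thread or from the NetFlow Analytics manual) showing the shape of such a stanza; the sourcetype and index values are placeholders that must be replaced with the ones the manual gives on page 9, and the file path is the usual location on a single-server install.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf  (assumed all-in-one install)
# Listen for the syslog that NetFlow Integrator / NetFlow Logic emits on UDP 10514.
[udp://10514]
sourcetype = <sourcetype required by the NetFlow Analytics app, see manual page 9>
index = <index required by the NetFlow Analytics app, see manual page 9>
connection_host = ip
disabled = 0
```

After a restart, confirm the socket is open on Windows with `netstat -an | findstr 10514`, and then search with the time window kept short, for example `index=* earliest=-15m | stats count by host, sourcetype`. If events show up under the right host but with a different sourcetype, the stanza above is what needs correcting, because the app's searches filter on that sourcetype and will show nothing otherwise.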


michaelslab
New Member

So I received the NetFlow Logic license today and I can see flows coming in. On NetFlow Logic, the input flow port is set to UDP 9995 and it sees 20 flows per second. I pointed the output of NetFlow Logic to Splunk on port 10514 UDP: 3000 syslogs and counting.

Still I see no data in Splunk yet on the Netflows.


Richfez
SplunkTrust

GREAT, you seem to have the other side of the equation set up now.

So, what's going on with Splunk? You say "port 10514 UDP 3000 syslogs and counting" which I take to mean you have something (Splunk?) listening on UDP port 10514 for syslog, and it or something has received 3000 events or log entries. By what mechanism (precisely!) are you seeing that there's 3000 somethings? Or is this just the source device reporting it's dumped 3000 syslog packets somewhere?

Anyway. If you believe you have Splunk listening on port 10514 UDP and may have stuff coming in there, yet you don't see anything in the NetFlow apps, then please carefully check through ALL the instructions. There's a very specific sourcetype and other things that need to be set. If those aren't set then the data will NOT display where you want it to display! Splunk, SQL, grep - if your searches are for "where billybobnumber>100" or "sourcetype=XYZ", then if billybobnumber isn't greater than 100 or if sourcetype doesn't equal XYZ, well then you won't see it.

You can possibly check some of this with something like a wide-open search and then checking through the returned events for hosts or sourcetypes, something like index=* over a short timespan.
