
Problems receiving Netflow from ASA

ronaldnutter
Engager

It has got to be something simple. I have been trying for 3 days to get Netflow from my ASA to Splunk. I have tried 3 different OS's (windows and linux). I have verified that whatever OS I am using has the firewall disabled. I have tried multiple udp ports but never see any Netflow data coming from the ASA.

According to various show commands on the ASA, it claims to be sending it. When I run Wireshark on the same machine as Splunk, I can see the Netflow packet arriving. When I delete the UDP listener, I see the packet get rejected. When the listener is present, I don't see the packet get rejected. When I do a search in Splunk, I NEVER see the UDP listener show anything for the UDP port that I am sending Netflow on to Splunk.

In my way of thinking, I have to see the traffic show up when doing an App->Search before it will do any good to set up the combination of apps that it appears I will need to translate the Netflow v9 that the ASA uses into a format that another app can use to see what is going on. I know that the listener process is working because I can see SYSLOG data come from the same ASA without any problems.

Because of the amount of time that I have spent on this with nothing to show for it, Management is pushing me to drop the project. My only other option is to get SolarWinds which is overpriced as far as I am concerned. I have also completely removed the Splunk install and reinstalled with the same results.

Any suggestions?

dwaddle
SplunkTrust

Netflow data is in a binary format which Splunk cannot directly process. There is a piece of software called NFDUMP (http://sourceforge.net/projects/nfdump/) that can process the ASA netflow v9 records and produce plain-text formatted netflow events which can then be Splunked. There is an existing Splunk app in splunk-base - http://splunk-base.splunk.com/apps/22328/splunk-for-netflow that could help with some of this.
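To make the "binary format" point concrete, here is an added example (not from this thread, and not Splunk's or NFDUMP's code) that decodes the NetFlow v9 packet header and template FlowSet from a constructed sample packet. It assumes the RFC 3954 layout and the standard field-type numbers 8, 12, 7 and 11 (IPv4 source/destination address, L4 source/destination port); a line-oriented UDP input sees only the raw bytes and none of this structure.

```python
import struct
from collections import namedtuple

# NetFlow v9 packet header (RFC 3954): version, count, sysUptime, unixSecs, sequence, sourceId
HEADER_FMT = "!HHIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
V9Header = namedtuple("V9Header", "version count sys_uptime unix_secs sequence source_id")


def parse_v9_header(data):
    """Decode the 20-byte NetFlow v9 header; raise ValueError if this is not a v9 packet."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than a v9 header")
    hdr = V9Header(*struct.unpack(HEADER_FMT, data[:HEADER_LEN]))
    if hdr.version != 9:
        raise ValueError("not NetFlow v9 (version=%d)" % hdr.version)
    return hdr


def parse_v9_templates(data):
    """Walk the FlowSets after the header and return {template_id: [(field_type, length), ...]}
    for every template FlowSet (FlowSet ID 0). Data FlowSets are skipped: decoding them needs the
    matching template from an earlier packet, which is state a plain UDP text input never keeps."""
    templates = {}
    off = HEADER_LEN
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        if fs_id == 0:
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tmpl_id, field_count = struct.unpack("!HH", data[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(field_count):
                    fields.append(struct.unpack("!HH", data[pos:pos + 4]))
                    pos += 4
                templates[tmpl_id] = fields
        off += fs_len
    return templates


# Constructed sample packet: header + one template (id 256) with four standard fields:
# IPV4_SRC_ADDR(8, 4 bytes), IPV4_DST_ADDR(12, 4), L4_SRC_PORT(7, 2), L4_DST_PORT(11, 2)
SAMPLE = (struct.pack(HEADER_FMT, 9, 1, 123456, 1700000000, 42, 0)
          + struct.pack("!HH", 0, 24)        # FlowSet ID 0 (template), length 24
          + struct.pack("!HH", 256, 4)       # template id, field count
          + struct.pack("!HHHHHHHH", 8, 4, 12, 4, 7, 2, 11, 2))

if __name__ == "__main__":
    print(parse_v9_header(SAMPLE))
    print(parse_v9_templates(SAMPLE))
```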

dwaddle
SplunkTrust

Well, if you're working on something that could result in a sale, you could always ask for pre-sales support - a Splunk sales engineer might be able to provide some bootstrapping help. Also, you could check in on the Splunk IRC channel and see if anyone is around who might be able to give pointers.

ronaldnutter
Engager

Thanks for the reply. I thought Splunk would at least show that something had come in.

Looked at NFDUMP and now see that I can't proceed any further. I am running on Windows, which isn't supported by NFDUMP. I have tried to work with Linux but that is a skillset that I haven't had luck with.

Looks like I will have to go to Ciscoworks.
