It has got to be something simple. I have been trying for 3 days to get NetFlow from my ASA to Splunk. I have tried 3 different OSes (Windows and Linux). I have verified that whatever OS I am using has the firewall disabled. I have tried multiple UDP ports but never see any NetFlow data coming from the ASA.
According to various show commands on the ASA, it claims to be sending it. When I run Wireshark on the same machine as Splunk, I can see the NetFlow packet arriving. When I delete the UDP listener, I see the packet get rejected. When the listener is present, I don't see the packet get rejected. When I do a search in Splunk, I NEVER see the UDP listener show anything for the UDP port that I am sending NetFlow on to Splunk.
In my way of thinking, I have to see the traffic show up when doing an App->Search before there is any point in setting up the combination of apps that it appears I will need to translate the NetFlow v9 that the ASA uses into a format that another app can use to see what is going on. I know that the listener process is working because I can see syslog data come from the same ASA and not have any problems.
Because of the amount of time that I have spent on this with nothing to show for it, management is pushing me to drop the project. My only other option is to get SolarWinds, which is overpriced as far as I am concerned. I have also completely removed the Splunk install and reinstalled with the same results.
Any suggestions?
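The post's own diagnostic step is the right one: confirm what is actually arriving on the UDP port before layering apps on top. The script below is an added example, not part of the original post and not Splunk's or Cisco's code. It parses the NetFlow v9 export header and walks the FlowSets so you can tell, independently of any collector, whether the datagrams are version 9, whether template FlowSets are being exported, and how many records each packet carries. The sample packet is constructed inline (one template, one data record); the `listen()` helper binds a placeholder port and is not exercised by the sample.

```python
import socket
import struct

# NetFlow v9 export packet header (RFC 3954): version, count, sysUptime,
# unix_secs, package sequence, source ID, all big-endian (20 bytes).
V9_HEADER = struct.Struct("!HHIIII")
# Every FlowSet starts with a 2-byte FlowSet ID and a 2-byte length.
FLOWSET_HEADER = struct.Struct("!HH")


def parse_v9_header(data):
    """Return the header fields of a NetFlow v9 packet, or raise ValueError."""
    if len(data) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header (%d bytes)" % len(data))
    version, count, uptime, unix_secs, seq, source_id = V9_HEADER.unpack_from(data, 0)
    if version != 9:
        # Other values mean a different export format (e.g. 5 = NetFlow v5, 10 = IPFIX).
        raise ValueError("version field is %d, not 9" % version)
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}


def parse_flowsets(data):
    """Walk the FlowSets after the header and classify each one.

    Data FlowSets cannot be decoded without the matching template, so this
    only reports id, length and kind; that is enough to confirm that what
    arrives on the port is NetFlow v9 and that templates are being exported.
    """
    flowsets = []
    offset = V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(data):
        fs_id, fs_len = FLOWSET_HEADER.unpack_from(data, offset)
        if fs_len < FLOWSET_HEADER.size or offset + fs_len > len(data):
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, offset))
        if fs_id == 0:
            kind = "template"
        elif fs_id == 1:
            kind = "options_template"
        elif fs_id >= 256:
            kind = "data"
        else:
            kind = "reserved"
        flowsets.append({"id": fs_id, "length": fs_len, "kind": kind})
        offset += fs_len
    return flowsets


def build_sample_packet():
    """Constructed NetFlow v9 packet: one template (id 256) and one data record."""
    # Template FlowSet: id 0, length 16; template 256 with two 4-byte fields
    # (field type 8 = IPV4_SRC_ADDR, 12 = IPV4_DST_ADDR).
    template = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
    # Data FlowSet: id 256, length 12; one record 10.0.0.1 -> 10.0.0.2 (constructed).
    data = (struct.pack("!HH", 256, 12)
            + socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2"))
    # count = total records in the packet (1 template record + 1 data record).
    header = V9_HEADER.pack(9, 2, 123456, 1700000000, 1, 0)
    return header + template + data


def listen(port, max_packets=1, host="0.0.0.0"):
    """Bind a UDP socket (port is a placeholder) and summarise the first datagrams."""
    summaries = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while len(summaries) < max_packets:
            pkt, peer = sock.recvfrom(65535)
            try:
                summaries.append((peer, parse_v9_header(pkt), parse_flowsets(pkt)))
            except ValueError as err:
                summaries.append((peer, str(err), []))
    return summaries


if __name__ == "__main__":
    sample = build_sample_packet()
    print(parse_v9_header(sample))
    for fs in parse_flowsets(sample):
        print(fs)
```

Run it against a live port (with the Splunk listener stopped, since only one process can bind the UDP port) by calling `listen(<port>, max_packets=5)`. Two things this makes visible that a raw byte dump does not: a version field other than 9 means the exporter is not configured the way the show commands suggest, and a stream of data FlowSets with no template FlowSet means a collector that started late cannot decode records until the exporter's next template refresh.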