Netflow to syslog converter
Is there any way to have NetFlow v9 converted to syslog?
Which would be the best way to have the following idea working?
Procedure:
1) The router sends UDP with the following structure:
templateId=259: id=259, fields=11
field id=8 (ipv4 source address), offset=0, len=4
field id=225 (natInsideGlobalAddress), offset=4, len=4
field id=12 (ipv4 destination address), offset=8, len=4
field id=226 (natOutsideGlobalAddress), offset=12, len=4
field id=7 (transport source-port), offset=16, len=2
field id=227 (postNAPTSourceTransportPort), offset=18, len=2
field id=11 (transport destination-port), offset=20, len=2
field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
field id=234 (ingressVRFID), offset=24, len=4
field id=4 (ip protocol), offset=28, len=1
field id=230 (natEvent), offset=29, len=1
2) Inside each UDP packet there is a file (yes, a file inside each UDP packet), also some important fields like timestamp and count (number of flowsets inside the packet).
3) Inside each flowset there are the ID, length, and then the flow sequence (using the template shown above).
The general idea is to have a binary (performance is a must, so probably a C binary, multithreaded) which listens for the UDP traffic and sends the output as syslog to a server, which will take care of writing them to disk. (Writing to disk may be done by the NetFlow converter itself if there is a way to read from the written logs.)
Any idea on how to achieve this?
Thanks.
marc
network-monitoring syslog netflow
asked Feb 1 '13 at 10:31
Marc Riera
can't you just configure your router to send syslog instead of NetFlow (or in addition to)? This would be far easier than trying to convert one to the other.
– August
Feb 1 '13 at 13:27
@August. No, he couldn't.
– Clayton Dukes
Feb 10 '13 at 23:31
@marc. I'd be interested in this as well. If you find a solution, please let me know!
– Clayton Dukes
Feb 10 '13 at 23:31
@Clayton - huh...he doesn't mention what kind of router he is using in his question so I wonder how you know he couldn't just setup syslog on his router?
– August
Feb 11 '13 at 12:42
@August, if he's asking about NetFlow, he's talking about a Cisco router. But that is irrelevant as syslog doesn't provide the same data that NetFlow does. Syslog is used mainly for Fault mgmt with some Performance mgmt. NetFlow is more Perf and Security and also provides end-to-end flows.
– Clayton Dukes
Feb 11 '13 at 14:47
1 Answer
If I understand correctly, you're looking to monitor a NetFlow stream for sessions that match a particular template, and then send a pre-canned syslog event with the details? I'm not aware of any tool that does just that, but there are two possibilities that I am aware of:
1) Write your own. The big bottleneck is going to be the NetFlow parsing, but using an open source NetFlow library like flowd will be a big help there. That will take care of all the versioning information, and should provide a convenient data structure for forming your syslog message. This will be your best option performance-wise, because it won't be doing any other tasks.
2) Purchasing an off-the-shelf NetFlow collector with alerting functionality. The exact details of setting one up vary from product to product, but in general you'll be setting a strict filter and setting a threshold very low so that you'll get an alert (which is usually a syslog event) for each session. The overhead of the rest of the product will potentially cut into the speed, and commercial products will have a cost, but it will likely be easier to deploy. (full disclosure: I work at a company that sells a NetFlow collector)
answered Mar 18 '13 at 20:03
John Murphy
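The three-step procedure in the question (v9 header, template flowset defining template 259, data flowsets carrying the NAT records) and the answer's "write your own" option both come down to the same thing: a template-driven v9 parser feeding a syslog formatter. The block below is an added example written for this page; it is not the asker's converter, the answerer's code, or flowd, and it is a Python prototype of the parsing logic rather than the multithreaded C binary the question asks for. Everything beyond the template in the question is this example's own assumption: the short field names, the natEvent labels (1 = create, 2 = delete, anything else printed numerically), the hostname and app name in the syslog line, the listen and syslog ports, and the sample datagram, which is constructed by `build_sample_packet()` rather than captured from a router.

```python
"""NetFlow v9 -> syslog converter (added example, not the asker's or answerer's code).
Parses a v9 export, learns template 259 from the question, and emits one
syslog line per NAT record. The sample packet below is constructed, not captured."""
import socket
import struct
from datetime import datetime, timezone

# Field ids from the template in the question; the short names are this example's own.
FIELD_NAMES = {8: "src", 225: "nat_src", 12: "dst", 226: "nat_dst",
               7: "sport", 227: "nat_sport", 11: "dport", 228: "nat_dport",
               234: "vrf", 4: "proto", 230: "nat_event"}
IPV4_FIELDS = {8, 225, 12, 226}
NAT_EVENT = {1: "create", 2: "delete"}  # assumed common natEvent values; others print numerically
V9_HEADER = struct.Struct("!HHIIII")    # version, count, sysUptime, unixSecs, seq, sourceId


def parse_v9(packet, templates):
    """Return decoded records. `templates` (template id -> [(field id, len)]) is updated
    in place from template flowsets; data records arriving before their template are skipped."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("short packet")
    version, _count, _uptime, unix_secs, _seq, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, off = [], V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")   # never trust the exporter's length field
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            _parse_templates(body, templates)
        elif fs_id in templates:                     # options (id 1) and unknown ids are skipped
            records.extend(_parse_data(body, templates[fs_id], unix_secs, source_id))
        off += fs_len
    return records


def _parse_templates(body, templates):
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if tid < 256:                                # zero padding, not a template
            break
        off += 4
        if off + 4 * nfields > len(body):
            raise ValueError("truncated template")
        templates[tid] = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields


def _parse_data(body, fields, unix_secs, source_id):
    rec_len, records, off = sum(flen for _, flen in fields), [], 0
    while off + rec_len <= len(body):               # leftover bytes shorter than a record are padding
        rec = {"ts": unix_secs, "source_id": source_id}
        for fid, flen in fields:
            raw, off = body[off:off + flen], off + flen
            name = FIELD_NAMES.get(fid, f"ie{fid}")
            rec[name] = (socket.inet_ntoa(raw) if fid in IPV4_FIELDS and flen == 4
                         else int.from_bytes(raw, "big"))
        records.append(rec)
    return records


def to_syslog(rec, hostname="nat-gw1", app="nfsyslog"):
    """RFC 5424 line; PRI 14 = facility user(1)*8 + severity informational(6)."""
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ev = NAT_EVENT.get(rec.get("nat_event"), f"event{rec.get('nat_event')}")
    return (f"<14>1 {ts} {hostname} {app} - NAT44 - event={ev} proto={rec['proto']} "
            f"vrf={rec['vrf']} {rec['src']}:{rec['sport']}->{rec['dst']}:{rec['dport']} "
            f"nat {rec['nat_src']}:{rec['nat_sport']}->{rec['nat_dst']}:{rec['nat_dport']}")


def convert(packet, templates):
    return [to_syslog(r) for r in parse_v9(packet, templates)]


def forward(listen=("0.0.0.0", 2055), syslog=("127.0.0.1", 514)):
    """Relay loop: templates are kept per exporter address so one exporter cannot
    redefine another's templates; a malformed packet is dropped, not fatal."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    templates_by_exporter = {}
    while True:
        packet, (exporter, _port) = rx.recvfrom(65535)
        try:
            for line in convert(packet, templates_by_exporter.setdefault(exporter, {})):
                tx.sendto(line.encode(), syslog)
        except ValueError as err:
            print(f"dropped malformed packet from {exporter}: {err}")


def build_sample_packet():
    """Constructed datagram: header, template flowset defining 259, and a data flowset
    with a NAT create and a NAT delete record for the same 5-tuple (not captured data)."""
    fields = [(8, 4), (225, 4), (12, 4), (226, 4), (7, 2), (227, 2), (11, 2), (228, 2),
              (234, 4), (4, 1), (230, 1)]
    tmpl = struct.pack("!HH", 259, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def record(event):
        ips = ("10.0.0.5", "203.0.113.7", "198.51.100.20", "198.51.100.20")
        return b"".join(map(socket.inet_aton, ips)) + struct.pack(
            "!HHHHIBB", 51000, 1025, 443, 443, 0, 6, event)
    data = record(1) + record(2)
    data += b"\x00" * (-len(data) % 4)               # flowsets are padded to 4 bytes
    data_fs = struct.pack("!HH", 259, 4 + len(data)) + data
    return V9_HEADER.pack(9, 3, 123456, 1359714660, 1, 1) + tmpl_fs + data_fs
```

`convert(build_sample_packet(), {})` yields two lines, one `event=create` and one `event=delete`, each carrying the pre-NAT and post-NAT address/port pairs from template 259; `forward()` runs the same path on live exports. Two points matter for a production version regardless of language: the flowset length and the template field lengths come straight off the wire, so every slice is bounds-checked and a bad length drops the datagram instead of reading past it, and because v9 over UDP carries no authentication, the listener should sit on the collector-facing interface with templates scoped per exporter, so a stray or spoofed template cannot silently redefine how another exporter's records are decoded.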