Netflow Ingester

The Netflow ingester acts as a Netflow collector (see the Wikipedia article for a full description of Netflow roles), gathering records created by Netflow exporters and capturing them as Gravwell entries for later analysis. These entries can then be analyzed using the netflow search module.

Installation

To install the Debian package, make sure the Gravwell Debian repository is configured as described in the quickstart. Then run the following command as root:

apt update && apt install gravwell-netflow-capture

To install the Redhat package, make sure the Gravwell Redhat repository is configured as described in the quickstart. Then run the following command as root:

yum install gravwell-netflow-capture

To install via the standalone shell installer, download the installer from the downloads page, then run the following command as root, replacing X.X.X with the appropriate version:

bash gravwell_netflow_capture_installer_X.X.X.sh

You may be prompted for additional configuration during the installation.

The Docker image is available on Dockerhub.

Basic Configuration

The Netflow ingester uses the unified global configuration block described in the ingester section. Like most other Gravwell ingesters, the Netflow ingester supports multiple upstream indexers, TLS, cleartext, and named pipe connections, a local cache, and local logging.

The configuration file is at /opt/gravwell/etc/netflow_capture.conf. The ingester will also read configuration snippets from its configuration overlay directory (/opt/gravwell/etc/netflow_capture.conf.d).

Collector Examples

[Collector "netflow v5"]
	Bind-String="0.0.0.0:2055" #we are binding to all interfaces
	Tag-Name=netflow
	Assume-Local-Timezone=true
	Session-Dump-Enabled=true

[Collector "ipfix"]
	Tag-Name=ipfix
	Bind-String="0.0.0.0:4739"
	Flow-Type=ipfix

Note

By default the Netflow ingester listens for both Netflow v5 on UDP port 2055 and Netflow v9/IPFIX on UDP port 4739. It is highly recommended that one of the two listeners be disabled.

Note

The default Netflow v9/IPFIX port of 4739 is not used consistently by major networking manufacturers; some equipment expects to send Netflow v9 traffic to UDP port 6343. Adjust the configuration file accordingly.
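The two notes above amount to a checklist that can be run against netflow_capture.conf before the ingester is started. The following Python is an added example, not part of the Gravwell ingester or its documentation: it parses Collector blocks in the format shown on this page, reports when both default listeners (UDP 2055 and UDP 4739) are still enabled, flags two collectors bound to the same port, and warns when a Flow-Type sits on a port other than the conventional one (2055 for v5; 4739 or 6343 for v9/IPFIX, per the note above). The sample configuration is constructed for the example, and the assumption that a collector with no Flow-Type line is a Netflow v5 collector (called netflowv5 here) is mine, not stated on this page.

```python
"""Lint a Gravwell netflow_capture.conf for the listener pitfalls noted above.

Added example; not Gravwell code. The config handling ([Section "name"]
headers, Key=Value lines, '#' comments, tab indentation) follows the
examples on this page; anything beyond that is an assumption.
"""
import re
from dataclasses import dataclass, field

# Conventional UDP ports per flow type, taken from the notes on this page.
# 6343 is listed because some exporters send v9/IPFIX there instead of 4739.
DEFAULT_PORTS = {
    "netflowv5": {2055},
    "ipfix": {4739, 6343},
}

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


@dataclass
class Collector:
    name: str
    settings: dict = field(default_factory=dict)

    @property
    def port(self):
        # Bind-String is "host:port"; keep only the port.
        _, _, port = self.settings.get("Bind-String", "").rpartition(":")
        return int(port) if port.isdigit() else None

    @property
    def flow_type(self):
        # Assumption: a collector without Flow-Type is a Netflow v5 collector.
        return self.settings.get("Flow-Type", "netflowv5").lower()


def parse_conf(text):
    """Return (global_settings, [Collector, ...]) parsed from config text."""
    global_settings, collectors = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.group(1), m.group(2) or ""
            if kind.lower() == "collector":
                collectors.append(Collector(name))
                current = collectors[-1].settings
            else:
                current = global_settings
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return global_settings, collectors


def lint(text):
    """Return a list of findings (strings); an empty list means no issues."""
    _, collectors = parse_conf(text)
    findings, ports = [], {}
    for c in collectors:
        if c.port is None:
            findings.append(f'collector "{c.name}": missing or unparsable Bind-String')
            continue
        if c.port in ports:
            findings.append(f'collector "{c.name}": port {c.port} already used by "{ports[c.port]}"')
        ports[c.port] = c.name
        expected = DEFAULT_PORTS.get(c.flow_type)
        if expected and c.port not in expected:
            findings.append(
                f'collector "{c.name}": Flow-Type {c.flow_type} on port {c.port}; '
                f"expected one of {sorted(expected)}"
            )
    # The page's recommendation: do not leave both default listeners enabled.
    if 2055 in ports and 4739 in ports:
        findings.append("both default listeners (2055 and 4739) are enabled; disable one")
    return findings


# Constructed sample mirroring the default layout described on this page.
SAMPLE_CONF = """\
[Global]
Ingest-Secret = IngestSecrets
Log-Level=INFO

[Collector "netflow v5"]
\tBind-String="0.0.0.0:2055" #we are binding to all interfaces
\tTag-Name=netflow

[Collector "ipfix"]
\tTag-Name=ipfix
\tBind-String="0.0.0.0:4739"
\tFlow-Type=ipfix
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARN:", finding)
```

Run against the real file with `lint(open("/opt/gravwell/etc/netflow_capture.conf").read())`; the parser deliberately ignores the [Global] block's values beyond collecting them, since only the Collector sections matter for these checks.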

Installation

If you’re using the Gravwell Debian repository, installation is just a single apt command:

apt-get install gravwell-netflow-capture

Otherwise, download the installer from the Downloads page. To install the Netflow ingester, simply run the installer as root (the actual file name will typically include a version number):

root@gravserver ~ # bash gravwell_netflow_capture_installer.sh

If there is no Gravwell indexer on the local machine, the installer will prompt for an Ingest-Secret value and an IP address for an indexer (or a Federator). Otherwise, it will pull the appropriate values from the existing Gravwell configuration. In any case, review the configuration file in /opt/gravwell/etc/netflow_capture.conf after installation. A straightforward example which listens on UDP port 2055 might look like this:

[Global]
Ingest-Secret = IngestSecrets
Connection-Timeout = 0
Insecure-Skip-TLS-Verify=false
Pipe-Backend-target=/opt/gravwell/comms/pipe #a named pipe connection, this should be used when ingester is on the same machine as a backend
Log-Level=INFO

[Collector "netflow v5"]
	Bind-String="0.0.0.0:2055" #we are binding to all interfaces
	Tag-Name=netflow

Note that this configuration sends entries to a local indexer via /opt/gravwell/comms/pipe. Entries are tagged ‘netflow’.

You can configure any number of Collector entries listening on different ports with different tags; this can help organize the data more clearly.