influxdata / telegraf

Agent for collecting, processing, aggregating, and writing metrics, logs, and other arbitrary data.
https://influxdata.com/telegraf
MIT License

NSEL (Firewall netflow) remapping from NetFlow v9 to NSEL #15515

Open SirBreadc opened 2 weeks ago

SirBreadc commented 2 weeks ago

Use Case

Hi,

Was wondering if you could have the version mapping for ASA/FTD Netflow to NSEL (https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/monitor_nsel.html)

Atm we are seeing it marked as NetFlow V9 in the NetFlow input plugin; this can be a little confusing as the fields are very different to ios-xe NetFlow V9 and we need a clear way to distinguish the difference.

Expected behavior

Version Field is mapped as NSEL for ASA and FTD NetFlow.

Actual behavior

Version is being marked as NetFlow V9 by default

Additional info

debug_logs.zip: see the attached current telegraf conf file used for testing, the telegraf log output and the metrics outputs.

srebhan commented 2 weeks ago

@SirBreadc how can Telegraf know it receives NSEL packets instead of Netflow v9? I'm not an expert but AFAICS NSEL is just a set of special events transported over netflow v9!? Please correct me if I'm wrong!

SirBreadc commented 1 week ago

@srebhan That's a good question. Looking at what is sent, the easiest way I can see to identify if it's NSEL would be to check if you see initiator_bytes or responder_bytes in the fields instead of in_bytes or out_bytes, or even fw_event. Those are some NetFlow fields that are NSEL-specific / you shouldn't see coming from standard V9 or IPFIX NetFlow.

srebhan commented 1 week ago

@SirBreadc if you know this instance of the plugin is receiving NSEL, it would be easiest to override the version tag manually. I would like to avoid an "autodetection" logic in the plugin if possible as it is not guaranteed that this works from the first packet or after a reconnect of a source and then you get a mixture of correctly and incorrectly tagged packets.

You might also implement this yourself e.g. using the override processor in combination with filtering on the source tag...
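The workaround described above, written out as an added example configuration (not from the issue or the Telegraf project): the netflow input tags each metric with the exporter's `source` address and a `version` tag, and an override processor filtered with `tagpass` on `source` rewrites `version` only for the firewall exporters. The listen port and the exporter address 192.0.2.10 are assumed placeholders.

```toml
# Added example: tag NSEL exports from known ASA/FTD devices without
# any autodetection in the netflow input plugin.

[[inputs.netflow]]
  # Assumed listen address; adjust to the collector's actual port.
  service_address = "udp://:2055"
  # Protocol stays "netflow" so v5/v9/IPFIX are all decoded.
  protocol = "netflow"

# Processors run after inputs; this one only touches metrics whose
# "source" tag (the exporter IP set by inputs.netflow) matches a
# known firewall. Everything else keeps the version the plugin set.
[[processors.override]]
  # Restrict to the netflow measurement.
  namepass = ["netflow"]

  [processors.override.tagpass]
    # 192.0.2.10 is a constructed placeholder for the ASA/FTD exporter.
    # Glob patterns are allowed, so a whole firewall subnet could be listed.
    source = ["192.0.2.10"]

  [processors.override.tags]
    # Override the "NetFlowV9" value for these exporters only.
    version = "NSEL"
```

Because the match is on the exporter address rather than on packet contents, every metric from that device is tagged consistently from the first packet onward, which is the reconnect/mixed-tagging problem the comment above wants to avoid.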