ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

Forward traffic to splunk in netflow/collector mode #65

Closed kyoshi-maru closed 8 years ago

kyoshi-maru commented 8 years ago

Hi!

I don't know if this is even possible:

I have a firewall sending netflow to nProbe. All works fine. I'd like to forward the traffic to splunk (and ideally to ntopng as well). Unfortunately it seems nprobe cannot be launched in collector mode and forward to splunk at the same time. I tried with something like --tcp "some.ip:3333" -i none --collector-port 2055.

Can anyone give me a hint?

Many thanks!

ValentinaViscarelli commented 8 years ago

@phenomedmond

just a question.... Does "splunk" accept netflow data format? (sorry but I'm not expert of splunk). If so, please run nprobe like that:

nprobe -i none --collector-port 2055 -n tcp://ip_splunk:port_splunk

if you want also to receive the data on ntopng, you have to use zmq. so please run nprobe like that:

nprobe -i none --collector-port 2055 -n tcp://ip_splunk:port_splunk --zmq "tcp://*:5556"

and run ntopng like that:

ntopng -i tcp://127.0.0.1:5556

kyoshi-maru commented 8 years ago

@ValentinaViscarelli Unfortunately splunk has no native netflow capability, I'd have to go over NFI or the nProbe splunk app which basically parses a json stream so -n won't work as it's binary. After following your tcp hint, checking the docu and trying for a while I finally got it using this startup string:

nprobe -b 1 --zmq "tcp://*:5556" -i none -n none --collector-port 2055 -T "%IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %PROTOCOL %IN_BYTES %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED %IN_PKTS %OUT_PKTS %IP_PROTOCOL_VERSION %APPLICATION_ID %L7_PROTO_NAME %ICMP_TYPE" --tcp "splunk.server.ip:3333" --json-labels -G

Works perfectly now!
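A receiver-side parser for the JSON stream that the startup string above sends over --tcp, added here as an example that is not part of this thread or of nProbe itself. It assumes that with --json-labels nProbe emits the -T template field names as JSON keys and one JSON object per line (both assumptions), and it shows the checks a collector should apply before trusting a record: truncated lines and records missing required fields are counted and skipped rather than crashing the consumer. The sample stream is constructed.

```python
import json
from collections import defaultdict

# Field names from the -T template in the thread. Assumption: with --json-labels
# nProbe uses these names as JSON keys and sends one JSON object per line.
TEMPLATE_FIELDS = (
    "IPV4_SRC_ADDR L4_SRC_PORT IPV4_DST_ADDR L4_DST_PORT PROTOCOL IN_BYTES "
    "OUT_BYTES FIRST_SWITCHED LAST_SWITCHED IN_PKTS OUT_PKTS IP_PROTOCOL_VERSION "
    "APPLICATION_ID L7_PROTO_NAME ICMP_TYPE"
).split()
REQUIRED = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR", "PROTOCOL", "IN_BYTES", "OUT_BYTES"}

def _record(src, dst, proto, in_b, out_b, l7):
    """Build one constructed sample record with every template field present."""
    values = [src, 40000, dst, 443, proto, in_b, out_b, 1450000000, 1450000005,
              4, 3, 4, 91, l7, 0]
    return json.dumps(dict(zip(TEMPLATE_FIELDS, values)))

# Constructed input: two good records, one truncated line, one record missing OUT_BYTES.
SAMPLE_STREAM = "\n".join([
    _record("10.0.0.5", "198.51.100.7", 6, 1200, 8800, "TLS"),
    _record("10.0.0.9", "198.51.100.7", 6, 300, 700, "TLS"),
    '{"IPV4_SRC_ADDR": "10.0.0.9", "IPV4_DST_ADDR": "198.51.1',
    '{"IPV4_SRC_ADDR": "10.0.0.5", "IPV4_DST_ADDR": "10.0.0.1", "PROTOCOL": 17, "IN_BYTES": 80}',
]) + "\n"

def parse_flow_line(line):
    """Return a validated flow dict, or None for a line the collector should skip."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not REQUIRED.issubset(rec):
        return None
    for key in ("IN_BYTES", "OUT_BYTES"):  # byte counters must be non-negative ints
        if not isinstance(rec[key], int) or rec[key] < 0:
            return None
    return rec

def summarize(stream):
    """Parse a stream of lines; return (total bytes per source address, skipped-line count)."""
    per_src, skipped = defaultdict(int), 0
    for line in stream.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_line(line)
        if rec is None:
            skipped += 1
            continue
        per_src[rec["IPV4_SRC_ADDR"]] += rec["IN_BYTES"] + rec["OUT_BYTES"]
    return dict(per_src), skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))
```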