Separate IP addresses information, without AS or country.

[hunterelectros]

Hello! Is it possible for this exporter to show metrics by source addresses? Now with a simple config we get data by AS and countries. We would like to view information by source addresses. If this is possible, please provide an example of the config.

[rkosegi]

Hi!

What you're asking for is just a matter of aggregation. Query such as this should give you metrics per-source address:

sum by (source) (rate(netflow_flow_traffic_detail{ ...put additonal filter here }[1m]))

[hunterelectros]

Hi! I think you misunderstood the question a little. We get metrics in the form, for example: netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="",source_country="US"} 255 netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="DE"} 164 netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="GB"} 333 netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="NL"} 162 netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="SG"} 164 netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="US"} 766 netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="AMAZON-02",source_country="US"} 689

172.17.0.1 - is IP our internal firewall, who send flow to this exporter. And we would like to see source addresses in the metrics, and not converted to source AS and source countries. Is it possible?....

[rkosegi]

you're then missing label for source in config file:

....
  metrics:
    prefix: netflow
    items:
      - name: traffic_detail
        description: Traffic detail
        labels:
....
          - name: source                   # this item
            value: source_ip
            converter: ipv4

Example output:

netflow_flow_traffic_detail{destination="8.8.8.8",destination_asn_org="GOOGLE",destination_country="US",destination_port="443",input_interface="7",input_interface_name="bridge1",output_interface="8",output_interface_name="",protocol="udp",sampler="192.168.1.3",source="192.168.1.100",source_asn_org="",source_country="local"} 28070
netflow_flow_traffic_detail{destination="8.8.8.8",destination_asn_org="GOOGLE",destination_country="US",destination_port="53",input_interface="7",input_interface_name="bridge1",output_interface="8",output_interface_name="",protocol="udp",sampler="192.168.1.3",source="192.168.1.100",source_asn_org="",source_country="local"} 53261

[rkosegi]

For reference, here is my full config

---
netflow_endpoint: 0.0.0.0:30000
telemetry_endpoint: 0.0.0.0:30001
flush_interval: 36000
pipeline:
  filter:
    - local-to-local: true
    - match: source_ip
      is: 0.0.0.0
    - match: source_ip
      is: 255.255.255.255
    - match: destination_ip
      is: 0.0.0.0
    - match: destination_ip
      is: 255.255.255.255
  enrich:
    - interface_mapper
    - maxmind_country
    - maxmind_asn
    - protocol_name
  metrics:
    prefix: netflow
    items:
      - name: traffic_detail
        description: Traffic detail
        labels:
          - name: sampler
            value: sampler
            converter: ipv4
          - name: protocol
            value: proto_name
            converter: str
#          - name: source_port
#            value: source_port
#            converter: uint32
          - name: destination_port
            value: destination_port
            converter: uint32
          - name: source_country
            value: source_country
            converter: str
            on_missing: empty_str
          - name: destination_country
            value: destination_country
            converter: str
          - name: source
            value: source_ip
            converter: ipv4
          - name: destination
            value: destination_ip
            converter: ipv4
          - name: input_interface
            value: input_interface
            converter: uint32
          - name: output_interface
            value: output_interface
            converter: uint32
          - name: source_asn_org
            value: source_asn_org
            converter: str
          - name: destination_asn_org
            value: destination_asn_org
            converter: str
          - name: output_interface_name
            converter: str
            value: output_interface_name
          - name: input_interface_name
            converter: str
            value: input_interface_name
extensions:
  maxmind_country:
    mmdb_dir: /usr/share/GeoIP/
  maxmind_asn:
    mmdb_dir: /usr/share/GeoIP/
  interface_mapper:
    "1": wan
    "2": lan
    "7": bridge1

[hunterelectros]

Yes! Its working as needed!

1. I recommend adding all available metrics options to the readme so that people like me have fewer questions in the future.
2. flush_interval paramater - please explain what it means?
3. Does this exporter only support version 5 of the netflow protocol? Version 9 is not supported yet? If version 9 is not supported, are there plans to add such functionality?

[rkosegi]

Hi @hunterelectros for 1), you can open MR with missing info to README. for 2 and 3, can you open discussion?