Netflow + external host incomplete traffic metadata

Started by it guy, April 07, 2017, 12:54:04 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 07, 2017, 12:54:04 AM
I have netflow set up to send the metadata to an external host.  For a collector I tried using:

1) Logstash - logging to a file
2) Logstash - loggin to an elastic search index
3) Management engine - (https://www.manageengine.com/products/netflow/)

It appears the metadata being sent to the collector is not complete.  When downloading a large file for example I was expecting to see the aggregate of all in_bytes fields to be equal the file size.  The metadata I saw was only a fraction of traffic actually occurring.  Is this behavior by design and is there a way to change it to send complete metadata about all the traffic coming through OPNSense interfaces?

OPNSense netflow is configured as follows:

Interfaces: LAN/WAN
Egress only: WAN
Capture local: check
Version: v9
Destinations: COLLECTOR_IP:port, LOOP_BACK_IP:port

Thank you
Print
Go Up Pages1
User actions