17.1 Legacy Series / Netflow + external host incomplete traffic metadata
« on: April 07, 2017, 12:54:04 am »
I have netflow set up to send the metadata to an external host. For a collector I tried using:
1) Logstash - logging to a file
2) Logstash - logging to an Elasticsearch index
3) ManageEngine - (https://www.manageengine.com/products/netflow/)
It appears the metadata being sent to the collector is not complete. When downloading a large file, for example, I was expecting the aggregate of all in_bytes fields to be equal to the file size. The metadata I saw was only a fraction of the traffic actually occurring. Is this behavior by design, and is there a way to change it to send complete metadata about all the traffic coming through OPNsense interfaces?
OPNsense NetFlow is configured as follows:
Interfaces: LAN/WAN
Egress only: WAN
Capture local: check
Version: v9
Destinations: COLLECTOR_IP:port, LOOP_BACK_IP:port
Thank you
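The check described in the post (summing in_bytes for one download and comparing it with the file size) is easy to get wrong by hand, because an exporter cuts a long-lived flow into several records at its active timeout, so the records for one transfer have to be grouped by 5-tuple before they are summed. The script below is an added example and not code from the poster or from OPNsense; it reads Logstash JSON-lines output and reports, per unidirectional flow, the total bytes and the number of records that made it up. The field names (netflow.ipv4_src_addr, netflow.l4_src_port, netflow.ipv4_dst_addr, netflow.l4_dst_port, netflow.protocol, netflow.in_bytes, netflow.in_pkts) follow the Logstash netflow codec layout and are an assumption; the sample records are constructed.

```python
"""Aggregate NetFlow v9 records from Logstash JSON-lines output per 5-tuple
and compare one known transfer against its expected size.

Added example; field layout is assumed to match the Logstash netflow codec.
"""
import json
from collections import defaultdict

# Constructed sample: one 10 MB download split into three records by the
# exporter's active timeout, the client's reverse (ACK) flow, and an
# unrelated DNS query. Byte counts are L3 bytes, so a complete export is
# slightly larger than the file itself because of IP/TCP header overhead.
SAMPLE_LINES = [
    '{"netflow":{"ipv4_src_addr":"203.0.113.10","l4_src_port":443,'
    '"ipv4_dst_addr":"192.168.1.20","l4_dst_port":50000,"protocol":6,'
    '"in_bytes":4000000,"in_pkts":2800}}',
    '{"netflow":{"ipv4_src_addr":"192.168.1.20","l4_src_port":50000,'
    '"ipv4_dst_addr":"203.0.113.10","l4_dst_port":443,"protocol":6,'
    '"in_bytes":120000,"in_pkts":2200}}',
    '{"netflow":{"ipv4_src_addr":"203.0.113.10","l4_src_port":443,'
    '"ipv4_dst_addr":"192.168.1.20","l4_dst_port":50000,"protocol":6,'
    '"in_bytes":4000000,"in_pkts":2800}}',
    '{"netflow":{"ipv4_src_addr":"192.168.1.20","l4_src_port":50001,'
    '"ipv4_dst_addr":"192.168.1.1","l4_dst_port":53,"protocol":17,'
    '"in_bytes":70,"in_pkts":1}}',
    '{"netflow":{"ipv4_src_addr":"203.0.113.10","l4_src_port":443,'
    '"ipv4_dst_addr":"192.168.1.20","l4_dst_port":50000,"protocol":6,'
    '"in_bytes":2500000,"in_pkts":1750}}',
]


def flow_key(record):
    """Unidirectional 5-tuple used to group records of the same flow."""
    nf = record["netflow"]
    return (
        nf["ipv4_src_addr"],
        nf["l4_src_port"],
        nf["ipv4_dst_addr"],
        nf["l4_dst_port"],
        nf["protocol"],
    )


def aggregate_flows(lines):
    """Sum in_bytes/in_pkts per 5-tuple and count contributing records."""
    totals = defaultdict(lambda: {"bytes": 0, "pkts": 0, "records": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        entry = totals[flow_key(record)]
        entry["bytes"] += int(record["netflow"]["in_bytes"])
        entry["pkts"] += int(record["netflow"]["in_pkts"])
        entry["records"] += 1
    return dict(totals)


def completeness_ratio(totals, key, expected_bytes):
    """Observed bytes for one flow divided by the expected payload size.

    A value near or a little above 1.0 means the export is complete (the
    excess is header overhead); a value well below 1.0 means records are
    missing, e.g. because of sampling or an egress-only interface setting.
    """
    observed = totals.get(key, {"bytes": 0})["bytes"]
    return observed / expected_bytes


def assess(ratio, tolerance=0.10):
    """Classify the ratio as 'complete' or 'incomplete'."""
    return "complete" if ratio >= 1.0 - tolerance else "incomplete"


if __name__ == "__main__":
    totals = aggregate_flows(SAMPLE_LINES)
    download = ("203.0.113.10", 443, "192.168.1.20", 50000, 6)
    for key, entry in sorted(totals.items()):
        print(f"{key}: {entry['bytes']} bytes, {entry['pkts']} pkts, "
              f"{entry['records']} record(s)")
    ratio = completeness_ratio(totals, download, expected_bytes=10_000_000)
    print(f"download ratio {ratio:.3f} -> {assess(ratio)}")
```

To run it against real data, replace SAMPLE_LINES with the lines of the Logstash output file and set expected_bytes to the size of the file you downloaded; the server-to-client 5-tuple is the one to look up. If the ratio is far below 1.0 even after grouping, the shortfall is in the export itself rather than in the arithmetic.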