Hi Luca,

Thanks for the prompt reply.  I have to admit I'm still fairly green at
using nprobe.

I'm issuing the following command to run nProbe in collector mode to
collect V9 flows from the ASA only.

nprobe -i none --sender-address=10.1.1.1 --collector-port 2055 -T
"%IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %PROTOCOL
%IN_BYTES %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED %HTTP_SITE
%HTTP_RET_CODE %IN_PKTS %OUT_PKTS %IP_PROTOCOL_VERSION %APPLICATION_ID
%L7_PROTO_NAME %ICMP_TYPE" --elastic "flows;nprobe;http://10.2.2.2:9200/_bulk" -b 2 --json-labels -W -t 60 -V 9


When running the above command I receive no flows.  If I change -i to eth0
I see a number of flows, but 99% of them are from the localhost.  Not from
10.1.1.1.

When I do receive a flow from 10.1.1.1 in elasticsearch it does not appear
as though the flow data is exported:

{"IPV4_SRC_ADDR":"10.1.1.1","L4_SRC_PORT":57396,"IPV4_DST_ADDR":"10.2.2.2","L4_DST_PORT":2055,"PROTOCOL":17,"IN_BYTES":3288352,"OUT_BYTES":0,"FIRST_SWITCHED":1444226217,"LAST_SWITCHED":1444226225,"IN_PKTS":2250,"OUT_PKTS":0,"IP_PROTOCOL_VERSION":4,"APPLICATION_ID":"0","L7_PROTO_NAME":"NetFlow","ICMP_TYPE":0,"@version":"1","@timestamp":"2015-10-07T13:57:06Z","EXPORTER_IPV4_ADDRESS":"10.2.2.2"}


Clearly I'm missing something in running nprobe as a collector only as no
data is received.  Could it be that my template definition is incorrect so
nProbe does not capture the packet?

Thanks,
Victor



On Wed, Oct 7, 2015 at 9:24 AM, Luca Deri <[email protected]> wrote:

> Victor
> inserting them in ELK is not different from collector to probe mode. The
> thing is that we transform ASA flows into the template specified by -T and
> thus you will not see a 1:1 correspondence between collected and stored
> flows in ELK
>
> Luca
>
>
> On 10/07/2015 03:20 PM, Victor Castro wrote:
>
> Hello,
>
> I'm looking for assistance in what I think is a simple nProbe
> configuration.
>
> I would like to export Cisco ASA NetFlow V9 flows from the ASA, through
> nProbe and into elasticsearch.  I've tried a number of combinations but I
> cannot seem to get a working configuration.
>
>
> ASA:
> IP: 10.1.1.1
> Netflow collector: 10.2.2.2:20555
>
> nProbe:
> IP: 10.2.2.2
> Collector mode
> Collector port: 2055
>
> elasticsearch:
> IP: 10.2.2.2:9200
>
>
> I have been able to get interface flows from eth0 on the nProbe box into
> elasticsearch.
> My issue is with nProbe listening on port 2055 and transforming the
> netflow v9 packets for export into elasticsearch.
>
>
> Can someone lend some assistance on how I would configure nprobe in
> collector or proxy mode to read the ASA V9 flows and export them to
> elasticsearch?
>
> Thanks
>
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
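An added diagnostic for the "no flows received" situation in the thread; it is not part of the thread or of nProbe. It binds UDP/2055 itself (run it with nProbe stopped so the port is free), shows whether NetFlow v9 packets from 10.1.1.1 arrive at all, and lists the templates they carry, since a collector started after the ASA has to wait for the next template refresh before any data flowset can be decoded. The sample packet is constructed; the port and addresses are the ones from the thread.

```python
import socket
import struct

COLLECTOR_PORT = 2055       # the port nProbe is told to listen on in the thread
EXPORTER = "10.1.1.1"       # the ASA address from the thread

def parse_v9(packet):
    """Decode a NetFlow v9 header and its flowsets (RFC 3954 layout).
    Templates are returned so you can tell whether the exporter has sent one yet;
    no collector can decode a data flowset before its template has arrived."""
    if len(packet) < 20:
        raise ValueError("shorter than a v9 header")
    version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version=%d)" % version)
    info = {"count": count, "seq": seq, "source_id": source_id,
            "templates": {}, "data_flowsets": []}
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, off))
        if fs_id == 0:                          # template flowset
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                fields = [struct.unpack("!HH", packet[pos + 4 + 4 * i:pos + 8 + 4 * i])
                          for i in range(nfields)]
                info["templates"][tid] = fields    # [(field_type, field_length), ...]
                pos += 4 + 4 * nfields
        elif fs_id >= 256:                      # data flowset (1 = options template, skipped)
            info["data_flowsets"].append(fs_id)
        off += fs_len
    return info

def listen(port=COLLECTOR_PORT, exporter=EXPORTER, max_packets=5):
    """Print what reaches the collector port; packets not from the ASA are flagged."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    for _ in range(max_packets):
        data, (src, _) = sock.recvfrom(65535)
        print(src, "ignored: not the ASA" if src != exporter else parse_v9(data))

# Constructed sample packet: one template (id 256 = IPV4_SRC_ADDR[8], IPV4_DST_ADDR[12])
# followed by one data record that uses it.
SAMPLE = (struct.pack("!HHIIII", 9, 2, 1000, 1444226217, 1, 0)
          + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
          + struct.pack("!HH4s4s", 256, 12, socket.inet_aton("10.1.1.1"), socket.inet_aton("10.2.2.2")))
```

If `listen()` shows packets from 10.1.1.1 with templates, the ASA side is fine and the problem is in how nProbe is started; if nothing arrives, the ASA export or the path to port 2055 is the place to look first.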