3 Replies Latest reply on Apr 25, 2017 7:27 AM by andy777

    Does collecting netflow require a separate network interface?

    janukahw

      Hi,

      Can a receiver with only one network interface collect both Syslog and Netflow data?

      I have a VM instance of McAfee ERC which has 2 network interfaces. In Interface settings, if I select "Collect Netflow", it says that I need to select at least one interface as "Netflow". Does that mean one interface can't do both Syslog and Netflow?

        • 1. Re: Does collecting netflow require a separate network interface?
          andy777

          A separate interface is not required for a Receiver to collect any IP-based protocol, including syslog, netflow, jflow, sFlow and IPFIX. Just make sure the ports are configured correctly under Receiver Properties | Receiver Configuration | Interface | Communication.

          The Receiver also supports a feature that allows a secondary interface to be put on a sniff/SPAN port; it will then create flows from the data that it sees on the wire. That is what the "Collect Netflow" box enables, and it is separate from collecting syslog or netflow via protocol.

          As a side note, I don't collect netflows in the SIEM too often these days. The bulk of any firewall traffic is flow setups and teardowns, so it's often duplicated data. If the requirement is to collect lateral traffic where I wouldn't have visibility with a firewall, then I would prefer to use a BRO sensor VM for much greater visibility.
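To make the "create flows from the data that it sees on the wire" part concrete, here is an added example (not code from the thread or from McAfee) of what a sniffing interface does with mirrored traffic: it keys packets on the unidirectional 5-tuple and rolls them up into flow records with packet and byte counters. The packet summaries, the timeout values and the `Flow` field names are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    """One unidirectional flow record: the 5-tuple plus counters and timestamps."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    first: float    # timestamp of the first packet seen
    last: float     # timestamp of the last packet seen
    packets: int = 0
    octets: int = 0


# Constructed packet summaries standing in for what a SPAN/mirror port would show:
# (timestamp, src_ip, dst_ip, src_port, dst_port, ip_proto, frame_length).
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.9", 51000, 443, 6, 74),     # TCP SYN
    (0.01, "10.0.0.9", "10.0.0.5", 443, 51000, 6, 74),     # SYN/ACK
    (0.02, "10.0.0.5", "10.0.0.9", 51000, 443, 6, 66),     # ACK
    (0.03, "10.0.0.5", "10.0.0.9", 51000, 443, 6, 583),    # TLS ClientHello
    (0.05, "10.0.0.9", "10.0.0.5", 443, 51000, 6, 1514),   # TLS ServerHello
    (1.00, "10.0.0.5", "10.0.0.53", 40111, 53, 17, 82),    # DNS query
    (1.02, "10.0.0.53", "10.0.0.5", 53, 40111, 17, 130),   # DNS response
]


def build_flows(packets, active_timeout=120.0, idle_timeout=15.0):
    """Aggregate packet summaries into unidirectional 5-tuple flows.

    A flow is keyed on (src, dst, sport, dport, proto), so each direction of a
    TCP session is its own record. A record is closed (exported) when it has
    been open longer than active_timeout or has seen no packets for
    idle_timeout; a later packet on the same key starts a fresh record.
    The timeout defaults are hypothetical values chosen for this example.
    """
    active = {}
    exported = []
    for ts, src, dst, sport, dport, proto, length in sorted(packets):
        key = (src, dst, sport, dport, proto)
        flow = active.get(key)
        if flow is not None and (ts - flow.first > active_timeout
                                 or ts - flow.last > idle_timeout):
            exported.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(*key, first=ts, last=ts)
        flow.packets += 1
        flow.octets += length
        flow.last = ts
    exported.extend(active.values())   # flush whatever is still open at end of capture
    return exported


def flow_table(flows):
    """Index flows by 5-tuple -> (packets, octets) for easy lookup."""
    return {(f.src, f.dst, f.sport, f.dport, f.proto): (f.packets, f.octets) for f in flows}


if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"pkts={f.packets} octets={f.octets}")
```

Run on the sample capture this yields four records, not two: the client-to-server and server-to-client halves of the HTTPS session, and the DNS query and its response, are each a separate unidirectional flow. That is also why flow data from a firewall largely repeats its session syslog: the firewall already logged the same 5-tuple at setup and teardown.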

          • 2. Re: Does collecting netflow require a separate network interface?
            janukahw

            I am collecting data from a firewall as well (FortiGate). But how do I extract flow data from the traffic syslog and store it as flows, so that if I go into Default FlowView I will see that data? (That view is empty now, because I only collected syslog.)

            • 3. Re: Does collecting netflow require a separate network interface?
              andy777

              Let's make sure we're using the same terms:

              Syslog - RFC5424 - sends a basic text format with some header fields on port 514 UDP/TCP.

              Netflow - RFC3954 - generates a basic 5-tuple flow (source IP, dest IP, source port, dest port, protocol) over port 2055, 9995 and others.

              There are other netflow fields, but "a flow" is really just the 5 fields indicating a unidirectional conversation between two hosts. This is a different protocol, format and data type than syslog, and there isn't any sort of conversion between syslog and netflows.

              Most firewalls will only send events via syslog. The bulk of those syslog events consist of the same information that netflow provides. Fortinet is a special case since they have always focused on the "god box" aspect, and it does appear they have support for netflow also: Fortinet Knowledge Base - View Document.

              But that will likely just duplicate the data that is already being reported via syslog, albeit with a different protocol.
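To show why a syslog line and a netflow record are different data types rather than two encodings of one thing, here is an added example (not from the thread, and not McAfee or Fortinet code) that builds and parses a NetFlow v9 export datagram as laid out in RFC 3954: a 20-byte header, a template FlowSet (ID 0) declaring which fields follow, and a data FlowSet whose records are raw binary and only decodable with that template. The field type numbers and lengths are the RFC 3954 values; the template ID, the two flow records and the helper names are constructed for this example.

```python
import socket
import struct

# NetFlow v9 field types (RFC 3954, section 8) used for the 5-tuple plus counters:
# (field type, length in bytes, name used in this example's flow dicts).
FIELDS = [
    (8, 4, "src_ip"),      # IPV4_SRC_ADDR
    (12, 4, "dst_ip"),     # IPV4_DST_ADDR
    (7, 2, "src_port"),    # L4_SRC_PORT
    (11, 2, "dst_port"),   # L4_DST_PORT
    (4, 1, "protocol"),    # PROTOCOL
    (2, 4, "packets"),     # IN_PKTS
    (1, 4, "octets"),      # IN_BYTES
]
NAMES = {ftype: name for ftype, _, name in FIELDS}
IPV4_FIELDS = {8, 12}
TEMPLATE_ID = 256          # data template IDs must be >= 256 (0 and 1 are reserved)
HEADER = "!HHIIII"         # version, count, sysUptime, unixSecs, sequence, sourceId

# Constructed flow records: both directions of one HTTPS session.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "packets": 3, "octets": 723},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.5", "src_port": 443, "dst_port": 51000,
     "protocol": 6, "packets": 2, "octets": 1588},
]


def _encode_record(flow):
    out = b""
    for ftype, flen, name in FIELDS:
        if ftype in IPV4_FIELDS:
            out += socket.inet_aton(flow[name])
        else:
            out += int(flow[name]).to_bytes(flen, "big")
    return out


def build_v9_datagram(flows, sequence=1, source_id=0, uptime_ms=0, unix_secs=0):
    """Build one export packet: header, template FlowSet (id 0), then a data FlowSet."""
    template = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    for ftype, flen, _ in FIELDS:
        template += struct.pack("!HH", ftype, flen)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    records = b"".join(_encode_record(f) for f in flows)
    pad = (-len(records)) % 4                  # FlowSets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(records) + pad) + records + b"\0" * pad
    count = 1 + len(flows)                     # header count = template + data records
    header = struct.pack(HEADER, 9, count, uptime_ms, unix_secs, sequence, source_id)
    return header + template_fs + data_fs


def parse_v9_datagram(data, templates=None):
    """Decode an export packet into flow dicts.

    `templates` caches templates across packets, as a real collector must,
    because exporters resend templates only periodically. A data FlowSet whose
    template has not been seen yet is skipped rather than guessed at.
    """
    if templates is None:
        templates = {}
    version = struct.unpack(HEADER, data[:20])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    flows = []
    off = 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                          # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if nfields == 0:                # hit trailing padding
                    break
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                      # data FlowSet
            spec = templates.get(fs_id)
            rec_len = sum(flen for _, flen in spec) if spec else 0
            p = 0
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in spec:
                    raw = body[p:p + flen]
                    p += flen
                    rec[NAMES.get(ftype, ftype)] = (socket.inet_ntoa(raw) if ftype in IPV4_FIELDS
                                                    else int.from_bytes(raw, "big"))
                flows.append(rec)
        off += fs_len
    return flows


if __name__ == "__main__":
    dgram = build_v9_datagram(SAMPLE_FLOWS)
    print(len(dgram), "bytes on the wire;", parse_v9_datagram(dgram))
```

The datagram would normally go out as a single UDP packet to the collector's NetFlow port (2055 in the thread), for example with `socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(dgram, (collector, 2055))`. Note that without the template FlowSet the 42 bytes of flow records are just opaque binary; there is nothing in them that a syslog parser could read, and nothing in a syslog text line that carries the template, which is the practical reason the two are stored as different data types.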