
NetFlow data - treating all IPs as internal

Issue

When ingesting NetFlow data, the NetFlow ingest process by default recognizes only internal IPs: each source and destination address is classified as internal or public, and public (external) addresses are left out of the analysis. Some clients need external IPs included in the analysis as well.

Cause

By default, the NetFlow ingest pipeline's IP enrichment interceptors flag each source and destination address as internal or public (the srcPublic and dstPublic flags), and only addresses flagged as internal are recognized for ingest and analysis.

Resolution Step

In the Flume config for the NetFlow agent, make the following changes. Keep the agent name (interset_netflow_events_<DID>_<TID>_csv_transform) and the source name (kafkaSource) exactly as they appear in your existing config: every line below must use the same prefix, otherwise Flume will attach the new interceptor settings to a different (nonexistent) agent or source and silently ignore them.

Comment out the following lines (and the matching srcIpEnrichment.* lines if they are present, since the new interceptor chain no longer references either enrichment interceptor):
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors = parseCsv srcIpEnrichment dstIpEnrichment timestamp firstSwitched lastSwitched clean deToAvro

interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.dstIpEnrichment.type = com.interset.flume.interceptor.IpEnrichmentInterceptor$Builder
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.dstIpEnrichment.ipInKey = ipv4DstAddr
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.dstIpEnrichment.ipMaskInKey = dstMask
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.dstIpEnrichment.networkOutKey = dstNetwork
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.dstIpEnrichment.publicOutKey = dstPublic


Add these lines, using the same agent and source prefix as the lines you just commented out:
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors = parseCsv deSetValue timestamp firstSwitched lastSwitched clean deToAvro
# we are treating every source and destination as internal
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.deSetValue.type = com.interset.flume.interceptor.DictionaryEventSetValueInterceptor$Builder
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.deSetValue.keys = srcPublic,dstPublic
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.deSetValue.keys.srcPublic = false
interset_netflow_events_<DID>_<TID>_csv_transform.sources.kafkaSource.interceptors.deSetValue.keys.dstPublic = false

Save the file and restart Flume. Note that with the enrichment interceptors removed from the chain, the network output keys they populated (e.g. dstNetwork) are no longer written; only the srcPublic and dstPublic flags are set, and they are forced to false for every flow.

Also, because this is an ingest-time change, flows that were already ingested keep their original internal/external classification. You will need to re-ingest the data that was marked as external before running the analysis.
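The following helper applies the change above to an agent's Flume config and then checks the result for the most common slip: interceptor settings placed under a different agent or source name than the interceptor chain that references them, which Flume accepts without complaint but never uses. This is an added example, not Interset's or Apache Flume's own tooling. The sample config, the placeholder types for the non-enrichment interceptors, the mirrored srcIpEnrichment settings, and the <DID>_<TID> placeholder names are constructed for illustration.

```python
"""Apply and sanity-check the 'treat every IP as internal' Flume change.

Added example; not Interset's or Apache Flume's own tooling. It assumes the
NetFlow agent is a Java .properties file whose interceptor keys follow the
layout shown in the article (<agent>.sources.<source>.interceptors ...).
"""
import re
from typing import Dict, List, Tuple

AGENT = "interset_netflow_events_<DID>_<TID>_csv_transform"  # placeholder, as in the article
SOURCE = "kafkaSource"
PREFIX = f"{AGENT}.sources.{SOURCE}"
ENRICHMENT = ("srcIpEnrichment", "dstIpEnrichment")
IP_ENRICH_TYPE = "com.interset.flume.interceptor.IpEnrichmentInterceptor$Builder"
DE_SET_VALUE_TYPE = "com.interset.flume.interceptor.DictionaryEventSetValueInterceptor$Builder"

# Constructed sample of the default config. The article does not show the
# classes behind parseCsv, timestamp, etc., so a placeholder type stands in.
# The srcIpEnrichment settings are assumed to mirror the dstIpEnrichment ones.
_OTHERS = ["parseCsv", "timestamp", "firstSwitched", "lastSwitched", "clean", "deToAvro"]
SAMPLE_CONFIG = "\n".join(
    [f"{PREFIX}.interceptors = parseCsv srcIpEnrichment dstIpEnrichment "
     "timestamp firstSwitched lastSwitched clean deToAvro"]
    + [f"{PREFIX}.interceptors.{n}.type = com.example.Placeholder$Builder" for n in _OTHERS]
    + [line for d, addr in (("src", "ipv4SrcAddr"), ("dst", "ipv4DstAddr"))
       for line in (
           f"{PREFIX}.interceptors.{d}IpEnrichment.type = {IP_ENRICH_TYPE}",
           f"{PREFIX}.interceptors.{d}IpEnrichment.ipInKey = {addr}",
           f"{PREFIX}.interceptors.{d}IpEnrichment.ipMaskInKey = {d}Mask",
           f"{PREFIX}.interceptors.{d}IpEnrichment.networkOutKey = {d}Network",
           f"{PREFIX}.interceptors.{d}IpEnrichment.publicOutKey = {d}Public",
       )]
) + "\n"

# <agent>.sources.<source>.interceptors = name1 name2 ...
CHAIN_RE = re.compile(r"^\s*(?P<prefix>\S+?\.sources\.\S+?)\.interceptors\s*=\s*(?P<names>.*)$")
# <agent>.sources.<source>.interceptors.<name>.<prop> = value
SETTING_RE = re.compile(
    r"^\s*(?P<prefix>\S+?\.sources\.\S+?)\.interceptors\.(?P<name>[^.\s]+)\.(?P<prop>\S+)\s*=\s*(?P<value>.*)$")


def parse(text: str) -> Tuple[Dict[str, List[str]], Dict[Tuple[str, str], Dict[str, str]]]:
    """Return (chains keyed by agent/source prefix, settings keyed by (prefix, interceptor))."""
    chains: Dict[str, List[str]] = {}
    settings: Dict[Tuple[str, str], Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented-out line: Flume ignores it, so do we
        m = CHAIN_RE.match(line)
        if m:
            chains[m["prefix"]] = m["names"].split()
            continue
        m = SETTING_RE.match(line)
        if m:
            settings.setdefault((m["prefix"], m["name"]), {})[m["prop"]] = m["value"].strip()
    return chains, settings


def check(text: str) -> List[str]:
    """Report chain entries with no .type under their prefix, and settings whose prefix has no chain listing them."""
    chains, settings = parse(text)
    problems = []
    for prefix, names in chains.items():
        for n in names:
            if "type" not in settings.get((prefix, n), {}):
                problems.append(f"{prefix}: '{n}' is in the interceptor chain but has no .type under this source")
    for prefix, n in settings:
        if n not in chains.get(prefix, []):
            problems.append(f"{prefix}: settings for '{n}' exist but this source's chain does not list it")
    return problems


def apply_internal_only(text: str, prefix: str) -> str:
    """Comment out the enrichment interceptors and swap in deSetValue, all under the given prefix."""
    old_chain = parse(text)[0][prefix]
    new_chain: List[str] = []
    for n in old_chain:  # replace the enrichment pair with a single deSetValue in the same slot
        if n in ENRICHMENT:
            if "deSetValue" not in new_chain:
                new_chain.append("deSetValue")
        else:
            new_chain.append(n)
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key == f"{prefix}.interceptors" or any(key.startswith(f"{prefix}.interceptors.{e}.") for e in ENRICHMENT):
            out.append("# " + line)
        else:
            out.append(line)
    out += [
        f"{prefix}.interceptors = {' '.join(new_chain)}",
        "# we are treating every source and destination as internal",
        f"{prefix}.interceptors.deSetValue.type = {DE_SET_VALUE_TYPE}",
        f"{prefix}.interceptors.deSetValue.keys = srcPublic,dstPublic",
        f"{prefix}.interceptors.deSetValue.keys.srcPublic = false",
        f"{prefix}.interceptors.deSetValue.keys.dstPublic = false",
    ]
    return "\n".join(out) + "\n"


def mismatched_variant(text: str) -> str:
    """Reproduce the slip of putting the deSetValue settings under another agent/source name (ct4 / dirSource)."""
    return text.replace(f"{PREFIX}.interceptors.deSetValue",
                        "interset_netflow_events_ct4_csv_transform.sources.dirSource.interceptors.deSetValue")


if __name__ == "__main__":
    fixed = apply_internal_only(SAMPLE_CONFIG, PREFIX)
    print("consistent config problems:", check(fixed))
    print("mismatched prefix problems:", *check(mismatched_variant(fixed)), sep="\n  ")
```

Run `check()` against the edited properties file before restarting Flume; an empty list means every interceptor in the chain has a type under the same agent/source prefix and no settings are stranded under a prefix that has no chain.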

Applies To

  • Interset 5.6 or higher 

