Do blog posts come in threes? Keep watching to find out. Yesterday I gave you the rundown on a new way to collect syslog. Today I'm going to spend some time on a simple, low-cost and performant way to collect flow data.
- At least two indexers with HTTP Event Collector enabled; more is better. For this use case it is not appropriate to use dedicated HEC servers.
- One HTTP load balancer; I use HAProxy. You can certainly use the same one from our rsyslog configuration.
- Optional: one UDP load balancer such as NGINX. I am not documenting this setup at this time.
- One Ubuntu 16.04 VM
- Follow the docs to set up HTTP Event Collector on your indexers. Note that if your indexers are clustered the docs do not cover this; you must create the configuration manually and be sure to generate a unique GUID yourself. Clustered environments can use the sample configuration below. IMPORTANT: ensure your data indexes AND _internal are allowed for the token.

```ini
[http]
disabled = 0
port = 8088

[http://streamfwd]
disabled = 0
index = main
token = DAA61EE1-F8B2-4DB1-9159-6D7AA5220B21
indexes = _internal,main
```
- Follow the documentation for your load balancer of choice to create an HTTP VIP with HTTPS back-end servers. HEC listens on 8088 by default.
- Install Stream (the independent stream forwarder) per the docs
- Kill Stream if it's running: `killall -9 streamfwd`
- Remove the init script:
- `update-rc.d -f streamfwd remove`
- `rm /etc/init.d/streamfwd`
- Create a new systemd service unit file at /etc/systemd/system/streamfwd.service
```ini
[Unit]
Description=Splunk Stream Dedicated Service
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/opt/streamfwd/bin/streamfwd -D

# Without an [Install] section, "systemctl enable" has nothing to hook the
# unit into and the service will not start at boot.
[Install]
WantedBy=multi-user.target
```
- Enable the new service: `systemctl enable streamfwd`
- Create/update streamfwd.conf, replacing GUID, VIP and INTERFACE

```ini
[streamfwd]
httpEventCollectorToken = <GUID>
indexer.0.uri = <HEC VIP>
netflowReceiver.0.ip = <INTERFACE TO BIND>
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
```

- Create/update inputs.conf; ensure the URL is correct for the location of your Stream app

```ini
[streamfwd://streamfwd]
splunk_stream_app_location = https://192.168.100.62:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id = infra_netflow
```

- Start streamfwd: `systemctl start streamfwd`
- Log in to the search head where Splunk App for Stream is installed
- Navigate to Splunk App for Stream –> Configuration –> Distributed Forwarder Management
- Click Create New Group
- Enter Name as “INFRA_NETFLOW”
- Enter a Description
- Click Next
- Enter “INFRA_NETFLOW” as the rule and click Next
- Click Finish without selecting options
- Navigate to Splunk App for Stream –> Configuration –> Configure Streams
- Click New Stream and select netflow as the protocol (this is correct for netflow/sflow/jflow/ipfix)
- Enter Name as “INFRA_NETFLOW”
- Enter a Description and click next
- Select No Aggregation and click Next
- Deselect any fields NOT interesting for your use case and click next
- Optional: develop filters to reduce noise from high-traffic devices and click Next
- Select the index for this collection, click Enable, then click Next
- Select only the INFRA_NETFLOW group and click Create Stream
- Configure your NetFlow generator to send records to the new streamfwd
Validation: search the index configured in step 27.
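Before pointing a production exporter at the new receiver, it helps to confirm end to end that streamfwd is listening on `netflowReceiver.0.port` and that records land in the chosen index. The following is an added example, not code from the original post or from Splunk: it builds a minimal NetFlow v5 datagram with constructed flow values, parses it back locally as a sanity check, and sends it to the bind address given on the command line (default 127.0.0.1, port 9995 as configured above).

```python
import socket
import struct
import sys
import time
from ipaddress import IPv4Address
# NetFlow v5: 24-byte header, then up to 30 records of 48 bytes, big-endian.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN, RECORD_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)

def build_record(src, dst, sport, dport, proto, packets, octets, uptime_ms):
    """One v5 flow record; next-hop, AS numbers and padding are left zero."""
    return struct.pack(
        RECORD_FMT,
        IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
        1, 2,                          # input / output SNMP ifIndex
        packets, octets,
        uptime_ms - 1000, uptime_ms,   # first / last seen, in sysUptime ms
        sport, dport,
        0, 0x18, proto, 0,             # pad1, tcp_flags (PSH|ACK), protocol, ToS
        0, 0, 24, 24, 0)               # src_as, dst_as, src_mask, dst_mask, pad2

def build_datagram(records, sequence=1, uptime_ms=60_000):
    """Header + records; 'count' must equal the number of records appended."""
    now = time.time()
    header = struct.pack(HEADER_FMT, 5, len(records), uptime_ms,
                         int(now), int((now % 1) * 1e9), sequence, 0, 0, 0)
    return header + b"".join(records)

def parse_datagram(datagram):
    """Decode header and records so the exporter side can be checked locally."""
    version, count, _, _, _, seq, _, _, _ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "sport": f[9], "dport": f[10], "proto": f[13],
                      "packets": f[5], "octets": f[6]})
    return {"version": version, "count": count, "sequence": seq, "flows": flows}

def send(datagram, host, port=9995):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))  # bytes handed to the kernel

if __name__ == "__main__":
    # Constructed flow: a DNS lookup from an internal host (values are made up).
    recs = [build_record("10.0.0.5", "10.0.0.53", 53000, 53, 17, 2, 180, 60_000)]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # netflowReceiver.0.ip
    print("sent", send(build_datagram(recs), host), "bytes to", host)
```

After running it against the streamfwd host, a search of the index from step 27 for `dest_port=53` should return the constructed flow; no result usually means the interface bind, the firewall on UDP 9995, or the token's index list is wrong.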