Is there any way to have netflow v9 converted to syslog?

Which would be the best way to have the following idea working?

Procedure:

  1. The router sends UDP with the following structure:

    templateId=259: id=259, fields=11
      field id=8   (ipv4 source address),              offset=0,  len=4
      field id=225 (natInsideGlobalAddress),           offset=4,  len=4
      field id=12  (ipv4 destination address),         offset=8,  len=4
      field id=226 (natOutsideGlobalAddress),          offset=12, len=4
      field id=7   (transport source-port),            offset=16, len=2
      field id=227 (postNAPTSourceTransportPort),      offset=18, len=2
      field id=11  (transport destination-port),       offset=20, len=2
      field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
      field id=234 (ingressVRFID),                     offset=24, len=4
      field id=4   (ip protocol),                      offset=28, len=1
      field id=230 (natEvent),                         offset=29, len=1

  2. Inside each UDP packet there is a file (yes, a file inside each UDP packet), also some important fields like timestamp and count (number of flowsets inside the packet).

  3. Inside each flowset there are the ID, length, and then the flow sequence (using the template shown above).

The general idea is to have a binary (performance is a must, so probably a C binary, multithreaded), which listens for the UDP traffic and sends the output as syslog to a server which will take care to write them on disk. (Writing on disk may be done by the netflow converter itself if there is a way to read from the written logs.)

Any idea on how to achieve this?

Thanks.

marc

Marc Riera
  • can't you just configure your router to send syslog instead of NetFlow (or in addition to)? This would be far easier than trying to convert one to the other. – August Feb 01 '13 at 13:27
  • @August. No, he couldn't. – Clayton Dukes Feb 10 '13 at 23:31
  • @marc. I'd be interested in this as well. If you find a solution, please let me know! – Clayton Dukes Feb 10 '13 at 23:31
  • @Clayton - huh...he doesn't mention what kind of router he is using in his question so I wonder how you know he couldn't just setup syslog on his router? – August Feb 11 '13 at 12:42
  • @August, if he's asking about NetFlow, he's talking about a Cisco router. But that is irrelevant as syslog doesn't provide the same data that NetFlow does. Syslog is used mainly for Fault mgmt with some Performance mgmt. NetFlow is more Perf and Security and also provides end-to-end flows. – Clayton Dukes Feb 11 '13 at 14:47
  • @Clayton - my point was to let marc respond, but he seems to have abandoned his question... In the question, he _wants_ syslog, not Netflow. I am just suggesting he output syslog directly instead of converting NetFlow to syslog. – August Feb 11 '13 at 16:38
  • @Clayton - You are right, we are on Cisco, and this is for an ISP so it's a special request. It's not that I would like to do something that can be done with usual syslog stuff. – Marc Riera Feb 22 '13 at 13:54
  • Maybe you could consider another backend than syslog: kafka. There are existing syslog2kafka tools. Afterwards, you can use logstash for instance to convert from kafka to *. – aif Aug 04 '18 at 10:19

1 Answer


If I understand correctly, you're looking to monitor a NetFlow stream for sessions that match a particular template, and then send a pre-canned syslog event with the details? I'm not aware of any tool that does just that, but there are two possibilities that I am aware of:

  1. Write your own. The big bottleneck is going to be the NetFlow parsing, but using an open source NetFlow library like flowd will be a big help there. That will take care of all the versioning information, and should provide a convenient data structure for forming your syslog message. This will be your best option performance-wise, because it won't be doing any other tasks.

  2. Purchase an off-the-shelf NetFlow collector with alerting functionality. The exact details of setting one up vary from product to product, but in general you'll be setting a strict filter and setting a threshold very low so that you'll get an alert (which is usually a syslog event) for each session. The overhead of the rest of the product will potentially cut into the speed, and commercial products will have a cost, but it will likely be easier to deploy. (Full disclosure: I work at a company that sells a NetFlow collector.)

John Murphy
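The template 259 layout from the question and the "write your own" route from the answer, as an added example in C that is not code from the question, the answer, or any named project: it walks one NetFlow v9 export datagram, checks every flowset length against the datagram before reading it, and renders each template-259 record as a syslog line. It assumes the template is known in advance (a real collector must learn it from the template flowsets the router exports first), and the PRI value, message format and sample packet are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Template 259 from the question: 11 fields, 30 bytes per data record, big-endian on the wire. */
#define TPL_NAT_ID 259
#define TPL_NAT_REC_LEN 30
#define IP4(p) (p)[0], (p)[1], (p)[2], (p)[3]
static int rd16(const uint8_t *p) { return (p[0] << 8) | p[1]; }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | (p[2] << 8) | p[3]; }
/* Render one record as an RFC 3164-style line (PRI 134 = local0.info), reading each field at the
 * offset the template assigns it; ts is the export header's unix-seconds field. */
static int nat_rec_to_syslog(const uint8_t *r, uint32_t ts, char *buf, size_t n) {
    return snprintf(buf, n, "<134>ts=%u natevent=%d vrf=%u proto=%d src=%d.%d.%d.%d:%d nat_src=%d.%d.%d.%d:%d "
                    "dst=%d.%d.%d.%d:%d nat_dst=%d.%d.%d.%d:%d\n",
                    ts, r[29], rd32(r + 24), r[28],                       /* natEvent, ingressVRFID, ip protocol */
                    IP4(r), rd16(r + 16), IP4(r + 4), rd16(r + 18),       /* fields 8/7, then 225/227 */
                    IP4(r + 8), rd16(r + 20), IP4(r + 12), rd16(r + 22)); /* fields 12/11, then 226/228 */
}

/* Walk every flowset in one v9 export datagram and emit template-259 records as syslog lines into out.
 * Returns the record count, or -1 when the datagram is truncated/malformed or out is too small. */
int nf9_to_syslog(const uint8_t *pkt, size_t len, char *out, size_t outsz) {
    if (len < 20 || rd16(pkt) != 9) return -1;                  /* 20-byte header; version must be 9 */
    uint32_t ts = rd32(pkt + 8);
    size_t pos = 20, used = 0; int count = 0;
    while (pos + 4 <= len) {
        int id = rd16(pkt + pos), flen = rd16(pkt + pos + 2);
        if (flen < 4 || pos + (size_t)flen > len) return -1;    /* never trust the length field */
        if (id == TPL_NAT_ID)                                   /* ids 0/1 are template sets, skipped here */
            for (size_t off = 4; off + TPL_NAT_REC_LEN <= (size_t)flen; off += TPL_NAT_REC_LEN) {
                int w = nat_rec_to_syslog(pkt + pos + off, ts, out + used, outsz - used);
                if (w < 0 || (size_t)w >= outsz - used) return -1;
                used += (size_t)w; count++;
            }
        pos += (size_t)flen;                                    /* flen includes any trailing padding */
    }
    return count;
}

/* Constructed sample: header + one data flowset (id 259) carrying two records for the same session. */
size_t build_sample_packet(uint8_t *b) {
    static const uint8_t hdr[20] = { 0,9, 0,2, 0,0,0,0, 0x51,0x0B,0xC1,0x00, 0,0,0,1, 0,0,0,0 };
    static const uint8_t rec[TPL_NAT_REC_LEN] = { 10,0,0,5, 203,0,113,7, 198,51,100,9, 198,51,100,9,
        0x9C,0x40, 0x04,0x00, 0x01,0xBB, 0x01,0xBB, 0,0,0,1, 6, 1 }; /* 40000->1024, 443->443, vrf 1, TCP, natEvent 1 */
    memcpy(b, hdr, 20);
    b[20] = 0x01; b[21] = 0x03; b[22] = 0x00; b[23] = 0x40;    /* flowset id 259, length 4 + 2*30 = 64 */
    memcpy(b + 24, rec, TPL_NAT_REC_LEN); memcpy(b + 54, rec, TPL_NAT_REC_LEN);
    b[83] = 2; return 84;                                       /* second record: natEvent 2 */
}
```

Hand the filled buffer to syslog(3) or a UDP/TCP socket to the log server; the length checks are what keep a malformed or truncated datagram from reading past the buffer.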