NetFlow Recorder
This page lets you look back in time for security issues. You can set a rolling *flow capture and replay period, and store *flows in memory or on disk.
Please enable throttling if NFO output is configured to send data out over a UDP network. Without throttling, NFO sends all recorded *flows instantly, which may result in lost messages. Add the following lines to /server/etc/server.cfg:
THROTTLE_OUTPUT 1
THROTTLE_OUTPUT_RATE 1000
The throttling output rate is the number of syslog/JSON messages sent out per second.
Play, Start recording, Stop recording buttons
Press the Start recording button to start capturing flow records. Press the Play button to send recorded flow records in syslog or JSON format to your SIEM and gain complete visibility of past network traffic. Press the Stop recording button to stop recording.
The service has the following parameters:
Parameter | Description |
---|---|
Rolling Time Interval | Rolling time period for continuous recording of flow records. You can specify a time unit after a time value 'X', such as Xd, Xh, Xm, or Xs, to represent days (d), hours (h), minutes (m), and seconds (s) respectively (e.g. 10d 8h 30m 30s). Default 10 minutes |
Record in memory or disk (0 - Memory, 1 - Disk) | You have an option to keep recorded flow records in memory or on disk |
Path to disk directory | If you selected the disk option above, set the path to the directory where flow records will be recorded. Default is ../../logs/replay |
Disk recorder buffer size, bytes | The size of the memory buffer block in which flow records are accumulated before being written to disk. Default is 4MB (4194304 bytes) |
Disk recorder threads | The number of processor threads reserved for writing data to disk. Default is 2 |
Disk recorder queue, records | Size of the buffer to hold records in queue in case of peaks in incoming flow records. Default is 10,000 |
Disk file chunk size, messages | File rotation size in number of messages. Default is 10,000 (*) |
Disk file rotation period, msec | File rotation time interval in msec. Default is 1 sec (*) |
Exporter IPs to record watchlist | If you want to limit capture and replay to a number of NetFlow exporters, you can specify their IP addresses here |
(*) The file is closed when the specified number of records (chunk size) has been written or the file rotation time elapses, whichever comes first.
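The following is an added example, not NFO's own code, that models the mechanics described on this page so the parameters can be reasoned about before they are set: parsing the `Xd Xh Xm Xs` rolling interval syntax, an in-memory rolling window that drops records older than that interval and honours an exporter IP watchlist, a disk-style chunk rotator that closes a file on chunk size or rotation period (whichever comes first), and a replay sender paced to THROTTLE_OUTPUT_RATE messages per second. All class and function names, and the sample flow records, are constructed for illustration and are not NFO APIs.

```python
import re
import time
from collections import deque

# Duration syntax used by the "Rolling Time Interval" parameter, e.g. "10d 8h 30m 30s".
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)\s*([dhms])")


def parse_rolling_interval(text):
    """Convert 'Xd Xh Xm Xs' into seconds. Unknown units or stray text raise ValueError."""
    cleaned = text.strip().lower()
    total, pos = 0, 0
    for m in _TOKEN.finditer(cleaned):
        if cleaned[pos:m.start()].strip():
            raise ValueError(f"unrecognised text in interval: {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or cleaned[pos:].strip():
        raise ValueError(f"unrecognised text in interval: {text!r}")
    return total


class RollingRecorder:
    """In-memory recorder (hypothetical): keeps only flow records newer than the rolling
    interval, optionally restricted to an exporter IP watchlist."""

    def __init__(self, interval_seconds, watchlist=None):
        self.interval = interval_seconds
        self.watchlist = set(watchlist or [])
        self._records = deque()  # (timestamp_seconds, exporter_ip, record)

    def record(self, ts, exporter_ip, record):
        """Store one record; returns False if the exporter is filtered out by the watchlist."""
        if self.watchlist and exporter_ip not in self.watchlist:
            return False
        self._records.append((ts, exporter_ip, record))
        self._expire(ts)
        return True

    def _expire(self, now):
        # Drop records that fell out of the rolling window, oldest first.
        while self._records and now - self._records[0][0] > self.interval:
            self._records.popleft()

    def replay(self, now):
        """Return the records still inside the window at time `now`, oldest first."""
        self._expire(now)
        return [rec for _, _, rec in self._records]


class ChunkRotator:
    """Disk-style recorder (hypothetical): a file, modelled as a list, is closed when it
    holds `chunk_size` messages or `rotation_msec` has elapsed since it was opened,
    whichever comes first. The elapsed-time check runs when the next record arrives."""

    def __init__(self, chunk_size, rotation_msec):
        self.chunk_size = chunk_size
        self.rotation_msec = rotation_msec
        self.closed_files = []   # each entry is the list of records of one closed file
        self._current = []
        self._opened_at = None   # ms timestamp at which the current file was opened

    def write(self, ts_ms, record):
        if self._opened_at is not None and ts_ms - self._opened_at >= self.rotation_msec:
            self._rotate()       # period elapsed before this record: it starts a new file
        if self._opened_at is None:
            self._opened_at = ts_ms
        self._current.append(record)
        if len(self._current) >= self.chunk_size:
            self._rotate()       # chunk size reached

    def _rotate(self):
        if self._current:
            self.closed_files.append(self._current)
        self._current, self._opened_at = [], None

    def flush(self):
        """Close whatever is still open (e.g. when recording stops) and return all files."""
        self._rotate()
        return self.closed_files


def replay_throttled(records, rate_per_sec, send, sleep=time.sleep):
    """Push records to `send` at most `rate_per_sec` per second, mirroring
    THROTTLE_OUTPUT_RATE so a UDP syslog/JSON receiver is not flooded."""
    sent = 0
    for start in range(0, len(records), rate_per_sec):
        batch = records[start:start + rate_per_sec]
        for rec in batch:
            send(rec)
        sent += len(batch)
        if start + rate_per_sec < len(records):
            sleep(1.0)  # wait for the next one-second window
    return sent


if __name__ == "__main__":
    # Constructed sample: four tiny flow records from two exporters, 10-minute window.
    rec = RollingRecorder(parse_rolling_interval("10m"), watchlist={"10.0.0.1"})
    for ts, exporter, flow in [(0, "10.0.0.1", "flow-a"), (100, "10.0.0.2", "flow-b"),
                               (700, "10.0.0.1", "flow-c"), (800, "10.0.0.1", "flow-d")]:
        rec.record(ts, exporter, flow)
    replay_throttled(rec.replay(800), 1000, print)  # flow-a expired, flow-b not on watchlist
```

The rotator mirrors the footnote: a record that arrives after the rotation period has already elapsed opens a new file rather than being appended to the stale one, and `flush()` closes the last partial file when recording stops. The throttle sends in one-second windows so a receiver behind UDP sees at most the configured rate.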