Installation

Upgrading from prior version to 3.7 and above

If you are not upgrading from a previous version of the NetFlow Analytics for Splunk App and the Technology Add-On for NetFlow, skip this section and go to the Pre-installation Steps section.

Starting from version 3.7 of the NetFlow Analytics for Splunk App, to comply with Splunk guidelines, events are inserted by default into the default index (index=main), and summary data is stored by default in the summary index (index=summary).

In the previous versions (3.6 or older) the following indexes were created during the installation and operation:

flowintegrator - the main index for syslogs sent by NetFlow Optimizer

flowintegrator_pct_of_total - a summary index filled with data to speed up calculations of "% of Total" fields on the dashboards

Upgrading Technology Add-on for NetFlow (TA-netflow)

Starting from release 3.7, the default index is index=main.

When you upgrade to version 3.7 and want to continue using the old index, create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf file if it does not already exist, and add the following lines to it:

[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb

The TA-netflow expects the sourcetype of events sent from NetFlow Optimizer to be set to "flowintegrator", so add the following lines to the $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf file (the [udp://...] input stanza belongs in inputs.conf, not indexes.conf):

[udp://10514]
sourcetype = flowintegrator
index = flowintegrator

Restart Splunk for the changes in configuration to take effect.

Upgrading Netflow Analytics for Splunk App (netflow)

Starting from release 3.7, summary data is saved by default to index=summary.

To keep using the data in the old summary indexes during the transition period, the old indexes must first be reintroduced in indexes.conf and macros.conf must be amended in $SPLUNK_ROOT/etc/apps/netflow/local.

Create the file $SPLUNK_ROOT/etc/apps/netflow/local/indexes.conf if it does not already exist and add the following lines to it:

[flowintegrator_pct_of_total]
homePath = $SPLUNK_DB/flowintegrator_pct_of_total/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator_pct_of_total/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator_pct_of_total/thaweddb

Create the file $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf if it does not already exist and add the following lines to it:

[netflow_index]
definition = (index=main OR index=flowintegrator) sourcetype=flowintegrator
[summary_index_pct_of_total]
definition = (index=summary OR index=flowintegrator_pct_of_total)

Restart Splunk for the changes to take effect.

Pre-installation Steps

This App relies on NetFlow Optimizer software. To download a free trial of NetFlow Optimizer, visit https://www.netflowlogic.com/download/ and register to receive the FREE trial key. See the NetFlow Optimizer Installation and NetFlow Optimizer Administration Guides and follow the instructions for your platform.

NetFlow Analytics for Splunk and Add-on are designed to work together. The Add-on can be used with the App or with Splunk Enterprise Security.

  1. Download Technology Add-on for NetFlow from Splunkbase https://splunkbase.splunk.com/app/1838/

  2. Download NetFlow Analytics for Splunk from Splunkbase https://apps.splunk.com/app/489/

  3. Download Force Directed App for Splunk to use Topology View https://splunkbase.splunk.com/app/3767/

Installing into a Single Splunk Server

Technology Add-on for NetFlow Installation

  1. Install Technology Add-on for NetFlow.

  2. Create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf file, and add the following lines to it:

    [udp://10514]
    sourcetype = flowintegrator

  3. By default NetFlow Optimizer events are stored in the main index. If you want to use another index, for example flowintegrator, create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf file, and add the following lines to it:

    [flowintegrator]
    homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
    coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
    thawedPath = $SPLUNK_DB/flowintegrator/thaweddb

    In that case make sure your $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf file contains the following:

    [udp://10514]
    sourcetype = flowintegrator
    index = flowintegrator

  4. Restart Splunk.

NetFlow Analytics for Splunk App Installation

Starting from version 3.7, to comply with Splunk guidelines, events are inserted by default into the default index (index=main) and summary data is saved to index=summary. In previous versions NFO events were inserted into the [flowintegrator] index, and the following summary indexes were created and used: [flowintegrator_exp_ips] and [flowintegrator_pct_of_total]. To use, or continue using, custom indexes for your NetFlow events, perform the following:

  1. Install NetFlow Analytics for Splunk App.

  2. Create the file $SPLUNK_ROOT/etc/apps/netflow/local/indexes.conf if it does not already exist and add the following lines to it:

    [flowintegrator_pct_of_total]
    homePath = $SPLUNK_DB/flowintegrator_pct_of_total/nfi_traffic/db
    coldPath = $SPLUNK_DB/flowintegrator_pct_of_total/nfi_traffic/colddb
    thawedPath = $SPLUNK_DB/flowintegrator_pct_of_total/thaweddb

  3. Create the file $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf if it does not already exist and add the following lines to it:

    [netflow_index]
    definition = index=flowintegrator sourcetype=flowintegrator
    [summary_index_pct_of_total]
    definition = index=flowintegrator_pct_of_total

  4. Create the file $SPLUNK_ROOT/etc/apps/netflow/local/savedsearches.conf if it does not already exist and add the following lines to it:

    [cache_total_traffic]
    action.summary_index._name = flowintegrator_pct_of_total

  5. Restart Splunk for the changes to take effect.

Installing into a Distributed Splunk Environment

If you have a distributed Splunk environment (separate search heads / indexers / forwarders), install the NetFlow Analytics for Splunk App on the search heads. Install the Add-on on the search heads and on the indexers/heavy forwarders.

There are three ways to ingest NetFlow Optimizer events into Splunk:

  1. NFO sends events directly to Splunk indexer

  2. NFO sends events directly to Splunk Universal Forwarder (they could be installed together or on separate machines)

  3. NFO sends events to syslog-ng or rsyslog, and Splunk Universal Forwarder sends them to Splunk indexers

Configure Universal Forwarder Input

Create or modify the %SPLUNK_HOME%/etc/system/local/inputs.conf file as follows. There are two options: listen directly for NetFlow events on a specific UDP port, or monitor the files written by syslog-ng or rsyslog.

Receiving Syslogs Directly from NFO (UDP port 10514)

Add the following lines to the inputs.conf file, changing the index to your NetFlow index if necessary:

[udp://10514]
sourcetype = flowintegrator
index = flowintegrator

Configuring Universal Forwarder with syslog-ng or rsyslog

In this scenario syslog-ng or rsyslog is configured to listen for the syslogs sent by NFO on UDP port 10514. syslog-ng and rsyslog write logs to configurable directories; in this example we assume they are written to /var/log/netflow.

Add the following lines to the inputs.conf file, changing the index to your NetFlow index if necessary:

[monitor:///var/log/netflow]
sourcetype = flowintegrator
index = flowintegrator

It is very important to set sourcetype=flowintegrator and to point the input at the index that the NetFlow Analytics for Splunk App and Add-on expect, i.e. the index named in the netflow_index macro; otherwise the events are indexed but the dashboards search an index that does not contain them.
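The sourcetype/index mismatch just described is easy to introduce during an upgrade (where the netflow_index macro may search two indexes) or a custom-index install (where it searches one). The following script is an added example, not part of the original documentation or of the NetFlow Analytics app: it parses the text of inputs.conf, macros.conf and savedsearches.conf and reports every udp:// or monitor:// stanza whose sourcetype or index does not match what the netflow_index macro searches, and checks that the cache_total_traffic saved search writes to an index the summary_index_pct_of_total macro reads. The stanza and macro names are the ones shown above; the file contents are constructed samples, and the defaults assumed for an omitted index= (main) and an omitted action.summary_index._name (summary) are Splunk's documented defaults.

```python
# Added example (not part of the NetFlow Analytics documentation or the app itself):
# a consistency check for the Splunk .conf fragments shown on this page.
# Assumptions: the caller supplies the text of inputs.conf, macros.conf and
# savedsearches.conf; the macro and stanza names are the ones shown above.
import configparser
import re
from typing import Dict, List, Set

EXPECTED_SOURCETYPE = "flowintegrator"
DEFAULT_EVENT_INDEX = "main"       # Splunk's default index when a stanza omits index=
DEFAULT_SUMMARY_INDEX = "summary"  # Splunk's default summary index name
INDEX_TOKEN = re.compile(r'index\s*=\s*"?([A-Za-z0-9_\-]+)"?')


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text. Keys stay case-sensitive and '=' is the only
    delimiter, so $SPLUNK_DB paths and 'action.summary_index._name' survive intact."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case
    cp.read_string(text)
    return cp


def macro_indexes(macros_text: str, macro_name: str) -> Set[str]:
    """Return every index=<name> term in a macro definition, e.g. {'main', 'flowintegrator'}
    for '(index=main OR index=flowintegrator) sourcetype=flowintegrator'."""
    cp = parse_conf(macros_text)
    if not cp.has_section(macro_name):
        return set()
    return set(INDEX_TOKEN.findall(cp.get(macro_name, "definition", fallback="")))


def check_inputs(inputs_text: str, macros_text: str) -> Dict[str, List[str]]:
    """For each udp:// or monitor:// stanza, list mismatches against what the
    netflow_index macro will search. An empty list means the stanza is consistent."""
    cp = parse_conf(inputs_text)
    searched = macro_indexes(macros_text, "netflow_index")
    report: Dict[str, List[str]] = {}
    for stanza in cp.sections():
        if not stanza.startswith(("udp://", "monitor://")):
            continue
        problems: List[str] = []
        sourcetype = cp.get(stanza, "sourcetype", fallback=None)
        index = cp.get(stanza, "index", fallback=DEFAULT_EVENT_INDEX)
        if sourcetype != EXPECTED_SOURCETYPE:
            problems.append(f"sourcetype is {sourcetype!r}, expected {EXPECTED_SOURCETYPE!r}")
        if index not in searched:
            problems.append(f"index {index!r} is not searched by netflow_index {sorted(searched)}")
        report[stanza] = problems
    return report


def check_summary(savedsearches_text: str, macros_text: str) -> List[str]:
    """Verify that cache_total_traffic writes to an index that the
    summary_index_pct_of_total macro actually reads."""
    cp = parse_conf(savedsearches_text)
    target = cp.get("cache_total_traffic", "action.summary_index._name",
                    fallback=DEFAULT_SUMMARY_INDEX)
    searched = macro_indexes(macros_text, "summary_index_pct_of_total")
    if target in searched:
        return []
    return [f"summary index {target!r} is not searched by summary_index_pct_of_total {sorted(searched)}"]


# Constructed sample fragments mirroring the stanzas shown on this page.
UPGRADE_MACROS = """
[netflow_index]
definition = (index=main OR index=flowintegrator) sourcetype=flowintegrator
[summary_index_pct_of_total]
definition = (index=summary OR index=flowintegrator_pct_of_total)
"""

CUSTOM_INDEX_MACROS = """
[netflow_index]
definition = index=flowintegrator sourcetype=flowintegrator
[summary_index_pct_of_total]
definition = index=flowintegrator_pct_of_total
"""

GOOD_INPUTS = """
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
"""

# Two common mistakes: the udp stanza omits index= (events land in main) and the
# file monitor carries the wrong sourcetype.
BAD_INPUTS = """
[udp://10514]
sourcetype = flowintegrator

[monitor:///var/log/netflow]
sourcetype = syslog
index = flowintegrator
"""

CUSTOM_SAVEDSEARCHES = """
[cache_total_traffic]
action.summary_index._name = flowintegrator_pct_of_total
"""

if __name__ == "__main__":
    for stanza, problems in check_inputs(BAD_INPUTS, CUSTOM_INDEX_MACROS).items():
        print(stanza, "OK" if not problems else "; ".join(problems))
    print(check_summary(CUSTOM_SAVEDSEARCHES, CUSTOM_INDEX_MACROS) or "summary index OK")
```

Run it against the real files by reading each one into a string and passing it to check_inputs and check_summary; with the upgrade-style macro the udp stanza that omits index= passes (main is searched), while with the custom-index macro it is reported, which is exactly the difference between the two configurations described above.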

Configure Universal Forwarder Output (Target Indexers)

During the installation of the Universal Forwarder a Receiving Indexer can be configured, as shown here:

[Screenshot: Receiving Indexer configuration during Universal Forwarder installation]

This step is optional during installation. If it was skipped, or if load balancing is required, Receiving Indexers can be added later in the %SPLUNK_HOME%/etc/system/local/outputs.conf file:

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.1.0.100:9997,10.1.0.101:9997

More info about load balancing: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Setuploadbalancingd#How_load_balancing_works