Log Collection Netflow: References - Netflow Collection Configuration Parameters

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

Use this section when you are looking for descriptions of the Netflow Collection user interface and definitions of the features of the user interface.

To access the Netflow Collection Configuration Parameters:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the button (AdvcdExpandBtn.PNG) under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select Netflow/Config from the drop-down menu.


Features

The Netflow/Config view in the Event Sources tab has two panels: Event Categories and Sources.

Event Categories Panel

In the Event Categories panel, you can add or delete Netflow event source types.

                          
| Feature | Description |
|---|---|
| Add icon (Icon-Add.png) | Displays the Available Event Source Types dialog from which you select the event source type for which you want to define parameters. |
| Delete icon (Icon_Delete_sm.png) | Deletes the selected event source types from the Event Categories panel. |
| Checkbox (Checkbox.png) | Selects event source types. |
| Name | Displays the name of the event source types that you have added. |

Available Event Sources Types Dialog

The Available Event Source Types dialog displays the list of supported event source types.

                           
| Feature | Description |
|---|---|
| Checkbox (Checkbox.png) | Selects the event source type that you want to add. |
| Name | Displays the event source types that are available to add. |
| Cancel | Closes the dialog without adding an event source type. |
| OK | Adds the selected event source type to the Event Categories panel. |

Sources Panel

Use this panel to review, add, modify, and delete event source parameters for the event source type you selected in the Event Categories panel.

Toolbar

The following table provides descriptions of the toolbar options.

                          
| Option | Description |
|---|---|
| Add icon (Icon-Add.png) | Opens the Add Source dialog in which you add a file directory for the event source type that you selected in the Event Categories panel. |
| Delete icon (Icon_Delete_sm.png) | Deletes the selected file directories. |
| Edit icon (icon-edit.png) | Opens the Edit Source dialog in which you modify the configuration parameters for the selected file directory. When you select multiple event sources, opens the Bulk Edit Source dialog in which you can edit the parameter values for the selected file directories. Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function. |
| Import Source icon (ImportSourceIcon.PNG) | Opens the Bulk Add Option dialog in which you can import event source file directory parameters in bulk from a comma-separated values (CSV) file. Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function. |
| Export Source icon (ExportSourceIcon.PNG) | Creates a .csv file that contains the parameters for the selected file directories. Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function. |

Add or Modify Source Dialog

In this dialog, you add or modify a file directory for the selected event source.

                       
| Feature | Description |
|---|---|
| Netflow Source Parameters | Lists the Netflow event source parameters populated with the default values. Enter or modify the appropriate values. |
| Cancel | Closes the dialog without adding a file directory or saving the parameter values for the selected file directory. |
| OK | In the Add Source dialog, adds the file directory and its parameters. In the Edit Source dialog, applies the parameter value changes for the selected file directory. |

Netflow Source Parameters

The following table provides descriptions of the source parameters.

                                    
| Name | Description |
|---|---|
| Basic | |
| Port | Specify the port number configured for the Netflow event source. Security Analytics opens the 2055, 4739, 6343, and 9995 ports for Netflow by default. You can open other ports for Netflow if required. |
| Enabled | Select the check box to enable the event source configuration to start collection. The check box is selected by default. |
| Advanced | |
| InFlight Publish Log Threshold | Establishes a threshold at which Security Analytics generates a log message to help you resolve event flow issues. The threshold is the size of the netflow event messages currently flowing from the event source to Security Analytics. Valid values are: 0 (default) - disables the log message; 100-100000000 - generates a log message when this log collector has processed the specified number of netflow events. For example, if you set this value to 100, Security Analytics generates a log message when 100 netflow events of the specific netflow version (v5 or v9) have been processed. |
| Debug | Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector. Enables/disables debug logging for the event source. Valid values are: Off = (default) disabled; On = enabled; Verbose = enabled in verbose mode - adds thread information and source context information to the messages. This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact. If you change this value, the change takes effect immediately (no restart required). |
| Cancel | Closes the dialog without adding an event source type. |
| OK | Adds the parameters for the event source. |
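
The following is an added example, not RSA code: a pre-check that compares planned Netflow source settings with the valid values documented in the table above, before they are entered or imported in bulk. The CSV column names (`port`, `enabled`, `inflight_threshold`, `debug`) and the sample rows are constructed for illustration; the page does not define the bulk-import file layout, and the 1-65535 port bound is general knowledge rather than a value from this page.

```python
import csv
import io

DEFAULT_PORTS = {2055, 4739, 6343, 9995}   # opened for Netflow by default
DEBUG_VALUES = {"Off", "On", "Verbose"}
# Constructed sample; column names are hypothetical, not the product's CSV layout.
SAMPLE = """port,enabled,inflight_threshold,debug
2055,true,0,Off
9996,true,50,Verbose
4739,false,100000,On
70000,true,abc,Trace
"""

def check_source(row):
    """Return a list of findings for one planned Netflow source."""
    findings = []
    try:
        port = int(row["port"])
    except ValueError:
        port = None
    if port is None or not 1 <= port <= 65535:
        findings.append("ERROR port: not a valid port number")
    elif port not in DEFAULT_PORTS:
        findings.append("WARN port: not opened by default, must be opened for Netflow")
    try:
        thr = int(row["inflight_threshold"])
        if thr != 0 and not 100 <= thr <= 100_000_000:
            findings.append("ERROR threshold: must be 0 or 100-100000000")
    except ValueError:
        findings.append("ERROR threshold: not a number")
    debug = row["debug"]
    if debug not in DEBUG_VALUES:
        findings.append("ERROR debug: must be Off, On or Verbose")
    elif debug != "Off":
        findings.append("WARN debug: enabled, degrades Log Collector performance")
    if row["enabled"].lower() != "true":
        findings.append("INFO enabled: collection will not start for this source")
    return findings

def audit(text):
    """Map each CSV data row number to its findings; clean rows are omitted."""
    rows = csv.DictReader(io.StringIO(text))
    checked = {n: check_source(r) for n, r in enumerate(rows, start=1)}
    return {n: f for n, f in checked.items() if f}

if __name__ == "__main__":
    for n, findings in audit(SAMPLE).items():
        print(f"row {n}:", "; ".join(findings))
```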

Tasks

Step 1: Configure Netflow Event Sources in Security Analytics

Step 2: Configure Netflow Event Sources to Send Events to Security Analytics
