Configure Netflow Event Sources

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017.
Version 7

This topic tells you how to configure the Netflow collection protocol.

Configure a Netflow Event Source

To configure a Netflow Event Source:

  1. Go to ADMIN > Services from the NetWitness Suite menu.
  2. Select a Log Collection service.
  3. Under Actions, select > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    The Event Sources tab is displayed.

  5. In the Event Sources tab, select Netflow/Config from the drop-down menu.
  6. In the Event Categories panel toolbar, click .

    The Available Event Source Types dialog is displayed.

  7. Select the netflow event source type and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  8. Select the new type in the Event Categories panel and click  in the Sources toolbar.

    The Add Source dialog is displayed.

  9. Enter a port number in the Port field, and ensure the Enabled box is checked.

    Note: NetWitness Suite opens the 2055, 4739, 6343, and 9995 ports on the firewall by default. You can open other ports for Netflow if required.

    For details of other parameters, see Netflow Collection Parameters below.

  10. Click OK.

The new event source is displayed in the list.
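
To check that the port entered in the Add Source dialog is reachable through the firewall, the following added example (not RSA code) builds one NetFlow v5 export datagram and sends it to the Log Collector over UDP. The function names and the collector address you pass are assumptions, and the flow values are constructed, using RFC 5737 documentation addresses so the record is easy to recognize among collected events.

```python
import socket
import struct
import time

# NetFlow v5 uses fixed sizes: a 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_datagram(src_ip, dst_ip, src_port, dst_port, packets, octets, sequence=0):
    """Return one NetFlow v5 export datagram carrying a single TCP flow record."""
    now = time.time()
    header = V5_HEADER.pack(5, 1, 60_000, int(now), int(now % 1 * 1e9), sequence, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip), socket.inet_aton("0.0.0.0"),
        0, 0,               # input / output interface index
        packets, octets,    # packet and byte counters for the flow
        50_000, 59_000,     # sysUptime (ms) at the first and last packet of the flow
        src_port, dst_port,
        0, 0x18, 6, 0,      # pad, TCP flags (PSH+ACK), protocol 6 = TCP, ToS
        0, 0, 24, 24, 0,    # src/dst AS, src/dst mask bits, pad
    )
    return header + record


def parse_v5_datagram(data):
    """Decode the header and records; raise ValueError on a malformed datagram."""
    if len(data) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(data)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "octets": f[6], "src_port": f[9],
                      "dst_port": f[10], "protocol": f[13]})
    return {"version": version, "count": count, "flows": flows}


def send_test_flow(collector_host, port=2055):
    """Send one constructed flow to the collector over UDP; returns bytes sent."""
    datagram = build_v5_datagram("192.0.2.10", "198.51.100.20", 49152, 443, 12, 3400)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (collector_host, port))
```

Call send_test_flow with the Log Collector address and the port configured for the source, then look for the 192.0.2.10 flow in the collected events.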

Netflow Collection Parameters

The following table provides descriptions of the Netflow Collection source parameters.

                                         
NameDescription
Basic
PortSpecify the port number configured for the Netflow event source.
NetWitness Suite opens the 2055, 4739, 6343, and 9995 ports for Netflow by default. You can open other ports for Netflow if required.
EnabledSelect the check box to enable the event source configuration to start collection. The check box is selected by default.
Advanced
InFlight Publish Log Threshold

Establishes a threshold that, when reached, NetWitness Suite generates a log message to help you resolve event flow issues. The Threshold is the size of the netflow event messages currently flowing from the event source to NetWitness Suite .

Valid values are:

  • 0 (default) - disables the log message.
  • 100-100000000 -  generates a log message when this Log Collector has processed the specified number of netflow events.  For example, if you set this value to 100, NetWitness Suite generates a log message when 100 netflow events of the specific netflow version (v5 or v9) have been processed.
Debug

Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector .

Enables or disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode ‐ adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
If you change this value, the change takes effect immediately (no restart required).

CancelCloses the dialog without making adding an event source type.
OKAdds the parameters for the event source.