This topic tells you how to configure the Netflow collection protocol.

Configure a Netflow Event Source

To configure a Netflow Event Source:

  1. Go to AdminIcon_25x22.png (Admin)  > Services from the NetWitness Platform menu.
  2. Select a Log Collection service.
  3. Select ic-actns.png  > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.


  1. In the Event Sources tab, select Netflow/Config from the drop-down menu.
  2. In the Event Categories panel toolbar, click ic-add.png.

    The Available Event Source Types dialog is displayed.

  3. Select the netflow event source type and click OK.


    The newly added event source type is displayed in the Event Categories panel.

  4. Select the new type in the Event Categories panel and click ic-add.png in the Sources toolbar.

    The Add Source dialog is displayed.

  5. Enter a port number in the Port field, and ensure the Enabled box is checked.

    Note: NetWitness Platform opens the 2055, 4739, 6343, and 9995 ports on the firewall by default.  You can open other ports for Netflow if required.

    For details of other parameters, see Netflow Collection Parameters below.

  6. Click OK.

The new event source is displayed in the list.

Netflow Collection Parameters

The following table provide descriptions of the basic Netflow Collection parameters.

PortSpecify the port number configured for the Netflow event source.
NetWitness Platform opens the 2055, 4739, 6343, and 9995 ports for Netflow by default. You can open other ports for Netflow if required.
EnabledSelect the check box to enable the event source configuration to start collection. The check box is selected by default.
CancelCloses the dialog without making adding an event source type.
OKAdds the parameters for the event source.

The following table provide descriptions of the advanced Netflow Collection parameters.

InFlight Publish Log Threshold

Establishes a threshold that, when reached, NetWitness Platform generates a log message to help you resolve event flow issues. The Threshold is the size of the netflow event messages currently flowing from the event source to NetWitness Platform .

Valid values are:

  • 0 (default) - disables the log message.
  • 100-100000000 -  generates a log message when this Log Collector has processed the specified number of netflow events.  For example, if you set this value to 100, NetWitness Platform generates a log message when 100 netflow events of the specific netflow version (v5 or v9) have been processed.

Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector .

Enables or disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode ‐ adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
If you change this value, the change takes effect immediately (no restart required).