
Comments (6)

rkosegi commented on July 30, 2024 1

You're then missing the label for source in the config file:

....
  metrics:
    prefix: netflow
    items:
      - name: traffic_detail
        description: Traffic detail
        labels:
....
          - name: source                   # this item
            value: source_ip
            converter: ipv4

Example output:

netflow_flow_traffic_detail{destination="8.8.8.8",destination_asn_org="GOOGLE",destination_country="US",destination_port="443",input_interface="7",input_interface_name="bridge1",output_interface="8",output_interface_name="",protocol="udp",sampler="192.168.1.3",source="192.168.1.100",source_asn_org="",source_country="local"} 28070
netflow_flow_traffic_detail{destination="8.8.8.8",destination_asn_org="GOOGLE",destination_country="US",destination_port="53",input_interface="7",input_interface_name="bridge1",output_interface="8",output_interface_name="",protocol="udp",sampler="192.168.1.3",source="192.168.1.100",source_asn_org="",source_country="local"} 53261

from netflow-collector.

rkosegi commented on July 30, 2024 1

For reference, here is my full config

---
netflow_endpoint: 0.0.0.0:30000
telemetry_endpoint: 0.0.0.0:30001
flush_interval: 36000
pipeline:
  filter:
    - local-to-local: true
    - match: source_ip
      is: 0.0.0.0
    - match: source_ip
      is: 255.255.255.255
    - match: destination_ip
      is: 0.0.0.0
    - match: destination_ip
      is: 255.255.255.255
  enrich:
    - interface_mapper
    - maxmind_country
    - maxmind_asn
    - protocol_name
  metrics:
    prefix: netflow
    items:
      - name: traffic_detail
        description: Traffic detail
        labels:
          - name: sampler
            value: sampler
            converter: ipv4
          - name: protocol
            value: proto_name
            converter: str
#          - name: source_port
#            value: source_port
#            converter: uint32
          - name: destination_port
            value: destination_port
            converter: uint32
          - name: source_country
            value: source_country
            converter: str
            on_missing: empty_str
          - name: destination_country
            value: destination_country
            converter: str
          - name: source
            value: source_ip
            converter: ipv4
          - name: destination
            value: destination_ip
            converter: ipv4
          - name: input_interface
            value: input_interface
            converter: uint32
          - name: output_interface
            value: output_interface
            converter: uint32
          - name: source_asn_org
            value: source_asn_org
            converter: str
          - name: destination_asn_org
            value: destination_asn_org
            converter: str
          - name: output_interface_name
            converter: str
            value: output_interface_name
          - name: input_interface_name
            converter: str
            value: input_interface_name
extensions:
  maxmind_country:
    mmdb_dir: /usr/share/GeoIP/
  maxmind_asn:
    mmdb_dir: /usr/share/GeoIP/
  interface_mapper:
    "1": wan
    "2": lan
    "7": bridge1

from netflow-collector.

rkosegi commented on July 30, 2024 1

Hi @hunterelectros, for 1), you can open an MR with the missing info for the README.
For 2 and 3, can you open a discussion?

from netflow-collector.

rkosegi commented on July 30, 2024

Hi!

What you're asking for is just a matter of aggregation. A query such as this should give you metrics per source address:

sum by (source) (rate(netflow_flow_traffic_detail{ ...put additional filter here }[1m]))

from netflow-collector.
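To make the `sum by (source) (rate(...[1m]))` answer above concrete without a Prometheus server, here is an added example (my code, not part of the netflow-collector project) that parses Prometheus text-format sample lines like the `netflow_flow_traffic_detail` output shown earlier in the thread and reproduces the aggregation offline. The two scrapes are constructed, shortened to a few labels, and assumed to be 60 seconds apart; the metric is assumed to be a monotonic counter, which is what `rate()` expects.

```python
"""Added example, not code from the netflow-collector project: parse Prometheus
text-format samples such as the netflow_flow_traffic_detail lines in the thread
and reproduce `sum by (source) (rate(metric[1m]))` offline.

Assumptions (mine): the metric is a monotonic counter, the two scrapes below
are 60 s apart, and the label values are constructed, not real traffic."""
import re
from collections import defaultdict

# Constructed scrapes, modelled on the thread's sample output but shortened.
SCRAPE_T0 = """\
# HELP netflow_flow_traffic_detail Traffic detail
# TYPE netflow_flow_traffic_detail counter
netflow_flow_traffic_detail{destination="8.8.8.8",destination_port="443",protocol="udp",sampler="192.168.1.3",source="192.168.1.100"} 28070
netflow_flow_traffic_detail{destination="8.8.8.8",destination_port="53",protocol="udp",sampler="192.168.1.3",source="192.168.1.100"} 53261
netflow_flow_traffic_detail{destination="1.1.1.1",destination_port="53",protocol="udp",sampler="192.168.1.3",source="192.168.1.101"} 1000
"""
# 60 s later: the first two series grew, the third went down (counter reset).
SCRAPE_T1 = """\
netflow_flow_traffic_detail{destination="8.8.8.8",destination_port="443",protocol="udp",sampler="192.168.1.3",source="192.168.1.100"} 34070
netflow_flow_traffic_detail{destination="8.8.8.8",destination_port="53",protocol="udp",sampler="192.168.1.3",source="192.168.1.100"} 54461
netflow_flow_traffic_detail{destination="1.1.1.1",destination_port="53",protocol="udp",sampler="192.168.1.3",source="192.168.1.101"} 400
"""

# One sample line: name{labels} value [timestamp]
SAMPLE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>.*)\})?'
    r'\s+(?P<value>\S+)(?:\s+-?\d+)?\s*$')
# One label pair; the value may contain \" \\ \n escapes.
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    """Undo the exposition-format escapes inside a label value."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n'}.get(m.group(1), m.group(1)), value)


def parse_exposition(text):
    """Return a list of (metric_name, labels_dict, value) for every sample line."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # HELP/TYPE metadata and blank lines carry no sample
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable sample line: {line!r}')
        labels = {k: _unescape(v) for k, v in LABEL_RE.findall(m.group('labels') or '')}
        samples.append((m.group('name'), labels, float(m.group('value'))))
    return samples


def series_key(name, labels):
    """Identity of a time series: metric name plus its full label set."""
    return (name, tuple(sorted(labels.items())))


def rate(prev_text, curr_text, interval_s):
    """Per-series increase per second between two scrapes, like PromQL rate().
    A counter that went down is treated as having reset to zero, so its whole
    current value counts as the increase (this mirrors Prometheus's handling)."""
    prev = {series_key(n, l): v for n, l, v in parse_exposition(prev_text)}
    out = []
    for name, labels, curr in parse_exposition(curr_text):
        before = prev.get(series_key(name, labels))
        if before is None:
            continue  # series absent from the earlier scrape: no rate yet
        delta = curr if curr < before else curr - before
        out.append((name, labels, delta / interval_s))
    return out


def sum_by(samples, by, matchers=None):
    """PromQL-style `sum by (<by>) (metric{<matchers>})` over parsed samples.
    `matchers` are exact label equalities, e.g. {'protocol': 'udp'}."""
    matchers = matchers or {}
    totals = defaultdict(float)
    for _name, labels, value in samples:
        if any(labels.get(k) != v for k, v in matchers.items()):
            continue
        totals[tuple(labels.get(k, '') for k in by)] += value
    return dict(totals)


def per_source_rate(prev_text=SCRAPE_T0, curr_text=SCRAPE_T1, interval_s=60):
    """sum by (source) (rate(netflow_flow_traffic_detail[1m])) for the two scrapes."""
    return sum_by(rate(prev_text, curr_text, interval_s), by=('source',))


if __name__ == '__main__':
    for (src,), per_sec in sorted(per_source_rate().items()):
        print(f'{src:15s} {per_sec:10.2f} per second')
```

The `source` key only exists in the output because the label was added to the metrics config as described in the first comment; without it, `sum by (source)` collapses everything into a single series with an empty source. Note also that `rate()` needs the same label set on both scrapes, so any label that changes between flushes (for example a per-flow port) splits the series and resets the rate.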

hunterelectros commented on July 30, 2024

Hi! I think you misunderstood the question a little.
We get metrics in the form, for example:
netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="",source_country="US"} 255
netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="DE"} 164
netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="GB"} 333
netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="NL"} 162
netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="SG"} 164
netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="13445",source_country="US"} 766
netflow_flow_traffic_detail{destination_asn_org="Company Estonia OU",destination_country="IL",input_interface="3",output_interface="22",protocol="udp",sampler="172.17.0.1",source_asn_org="AMAZON-02",source_country="US"} 689

172.17.0.1 is the IP of our internal firewall, which sends flows to this exporter.
And we would like to see source addresses in the metrics, not converted to source AS and source countries.
Is it possible?....

from netflow-collector.

hunterelectros commented on July 30, 2024

Yes! It's working as needed!

  1. I recommend adding all available metrics options to the readme so that people like me have fewer questions in the future.
  2. flush_interval parameter - please explain what it means?
  3. Does this exporter only support version 5 of the netflow protocol? Version 9 is not supported yet? If version 9 is not supported, are there plans to add such functionality?

from netflow-collector.
