LogLogic Cisco NetFlow Log Configuration Guide


Document Release: September 2011
Part Number: LL600068-00ELS090000

This manual supports LogLogic Cisco NetFlow Version 1.0, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2011 LogLogic, Inc. Proprietary Information

Trademarks
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
www.loglogic.com

Contents

Preface
    About This Guide
    Technical Support
    Documentation Support
    Conventions

Chapter 1  Configuring LogLogic's Cisco NetFlow Log Collection
    Introduction to Cisco NetFlow
    Prerequisites
    Enabling a Cisco Device to Send NetFlow Data
    Enabling the LogLogic Appliance to Capture Data
        Adding a Cisco NetFlow Device
    Verifying the Configuration

Chapter 2  How LogLogic Supports Cisco NetFlow
    How LogLogic Captures Cisco NetFlow Log Data

Chapter 3  Troubleshooting and FAQ
    Recommended Sampling Rate
    Troubleshooting
        Problems Retrieving Log Files Using Configured Collector
    Frequently Asked Questions

Cisco NetFlow Log Configuration Guide 3


Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Cisco NetFlow enables LogLogic Appliances to capture logs from Cisco devices exporting NetFlow data. Once the logs are captured and parsed, you can generate reports and create alerts on Cisco NetFlow operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
    Telephone: Toll Free 1-800-957-LOGS, Local 1-408-834-7480
    EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
    Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:
    Your name, email address, phone number, and fax number
    Your company name and company address
    Your machine type and release version
    A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
    username: system
    home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
    LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax. For example:
    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1  Configuring LogLogic's Cisco NetFlow Log Collection

This chapter describes the configuration steps involved in enabling a LogLogic Appliance to capture Cisco NetFlow logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Cisco NetFlow log data.

Introduction to Cisco NetFlow

Cisco NetFlow provides IP application services, plus valuable information about network users and applications, peak usage times, and traffic routing.

Prerequisites

Prior to configuring Cisco NetFlow and the LogLogic Appliance, ensure that you meet the following prerequisites:
    A Cisco networking device with a NetFlow-enabled IOS. (Cisco 2900, 3500, 3660, and 3750 do not support NetFlow.) See Cisco's NetFlow Technical Overview for details.
    A LogLogic Appliance running v5.1 or later with the Cisco NetFlow Log Source Package
    Administrator access on the LogLogic Appliance

Enabling a Cisco Device to Send NetFlow Data

To configure a Cisco device to send NetFlow data, use the ip flow-export command from the Cisco CLI. The following example shows the commands that set the NetFlow export version, destination IP address, and destination UDP port:

    Router# configure terminal
    Router(config)# ip flow-export version 9
    Router(config)# ip flow-export destination 10.0.0.1 9995

Replace 10.0.0.1 with the IP address of your LogLogic Appliance. The destination port must be one of the ports the LogLogic NetFlow Collector can listen on (2055, 9555, or 9995; see Adding a Cisco NetFlow Device). Note that these commands only define where exported flows are sent; NetFlow must also be enabled on each interface whose traffic you want to account for (for example with the ip flow ingress interface command), or the device exports nothing. For more details on configuring Cisco NetFlow options, please refer to Cisco documentation.

Enabling the LogLogic Appliance to Capture Data

The following sections describe how to configure the LogLogic Appliance to capture Cisco NetFlow log data.

Note: When configuring the NetFlow device, be sure that you have enabled the proper UDP port in the LogLogic Appliance Access Control list, if Access Control is enabled.

Adding a Cisco NetFlow Device

The LogLogic Appliance captures Cisco NetFlow logs using the NetFlow Collector. You must configure the Cisco NetFlow device with the correct version and port to make the logs available for searching.

To add Cisco NetFlow as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
    Name: Name for the Cisco NetFlow device.
    Description (optional): Description of the Cisco NetFlow device.
    Device Type: Select Cisco NetFlow from the drop-down menu.
    Host IP: IP address of the Cisco device exporting NetFlow.
    Enable Data Collection: Select the Yes radio button.
    Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
    Cisco NetFlow Collector Configuration:
        Incoming Port: The port of the Appliance where the NetFlow data for this log source is directed. The port is chosen from a menu that offers port numbers 2055, 9555, and 9995. Although NetFlow devices can usually be configured to export to any port number, this collector restricts the choice to these three so as to work with the LogLogic LMI Access Control facility. Note that if Access Control is used, any ports used by NetFlow must be configured in the Administration > Firewall Settings configuration page.
        Raw Data Forwarding Host (optional): IP address of the destination host.
        Raw Data Forwarding Port (optional): NetFlow port to forward to.

Note: The Raw Data Forwarding feature is used to forward raw NetFlow data to any 3rd-party NetFlow receiver in parallel with NetFlow collection on the LogLogic Appliance. This feature is global and applies to all NetFlow data received on the configured Incoming Port.

Note: If collecting from multiple NetFlow sources, you only need to add the first source. All other sources using the same configured NetFlow port will be auto-identified. If collecting from multiple NetFlow ports, then one source must be manually configured for each port used. Because NetFlow is carried over plain UDP with no authentication, auto-identification means any host that can reach the incoming port can inject flow records that the Appliance will attribute to a new source; where Access Control is enabled, restrict the port to the addresses of your exporters.

5. Click Add.

Figure 1  Adding a Device to the LogLogic Appliance

6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When the logs arrive from the specified Cisco NetFlow device, the LogLogic Appliance uses the device you just added if the hostname or IP match.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Cisco NetFlow and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Cisco NetFlow device. If the device name (Cisco NetFlow) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, run the show ip flow export command from the CLI of the Cisco device. Confirm that one of the destinations is the LogLogic Appliance and has the correct port number and version.

Figure 2  LogLogic Log Source Status

Chapter 2  How LogLogic Supports Cisco NetFlow

This chapter describes LogLogic's support for Cisco NetFlow. The LogLogic Appliance enables you to capture log data to monitor Cisco NetFlow events.

How LogLogic Captures Cisco NetFlow Log Data

A collector is required to listen for the log data from the Cisco NetFlow device, as the data is transmitted in binary format. The Cisco NetFlow Collector collects the log data from the Cisco NetFlow device in real time and converts the binary logs to text. Figure 3 shows how Cisco NetFlow logs are captured and forwarded to the LogLogic Appliance for further processing.

Figure 3  Cisco NetFlow with LogLogic Components and Processes for Real-Time Collection

Once the data is captured, you can search it and generate reports. For more information on searching and creating reports, see the LogLogic User Guide and LogLogic Online Help.
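To make the "binary to text" step concrete, the following decoder is an added example and not LogLogic's collector code. It parses NetFlow v5 datagrams (the version shown in the show ip flow export output in Chapter 3) using the published v5 header and record layout, rejects truncated or malformed datagrams instead of emitting partial records, uses the flow_sequence header field to report export datagrams lost in transit over UDP, and flags datagrams whose header declares a sampling interval so that counters can be scaled. The two datagrams it decodes are constructed inline for the example; the addresses, ports and counters in them are made up.

```python
"""NetFlow v5 datagram decoder (added example, not LogLogic code)."""
import socket
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct(">HHIIIIBBH")              # 24-byte v5 header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int
    tcp_flags: int

    def to_text(self) -> str:
        return (f"{self.src}:{self.sport} -> {self.dst}:{self.dport} {self.proto} "
                f"pkts={self.packets} bytes={self.octets} flags=0x{self.tcp_flags:02x}")


def parse_v5(datagram: bytes):
    """Return (header dict, list of FlowRecord) or raise ValueError.

    The length check matters: a truncated or forged datagram must not yield
    a silently short record list that a reporting pipeline would trust."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= 30:            # v5 exporters send at most 30 records per datagram
        raise ValueError(f"bad record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != expected {expected}")
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
        "flow_sequence": seq, "engine": (engine_type, engine_id),
        # Top two bits carry the sampling mode, low 14 bits the 1-in-N interval (0 = unsampled).
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _inif, _outif, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                                  PROTO_NAMES.get(proto, str(proto)), pkts, octets, flags))
    return header, records


class SequenceTracker:
    """flow_sequence is the exporter's running count of flows exported, so the
    next datagram should start at previous sequence + previous count; a jump
    means export datagrams were lost between the router and the collector."""
    def __init__(self):
        self.expected = None

    def check(self, header) -> int:
        """Return how many flow records were missed before this datagram."""
        missed = 0
        if self.expected is not None and header["flow_sequence"] > self.expected:
            missed = header["flow_sequence"] - self.expected
        self.expected = header["flow_sequence"] + header["count"]
        return missed


def datagram_to_text(datagram: bytes, tracker=None):
    """Decode one datagram into the text lines a collector would store."""
    header, records = parse_v5(datagram)
    lines = []
    if tracker is not None:
        missed = tracker.check(header)
        if missed:
            lines.append(f"# WARNING: {missed} flow records lost before sequence {header['flow_sequence']}")
    if header["sampling_interval"]:
        lines.append(f"# sampled 1-in-{header['sampling_interval']}: scale pkts/bytes accordingly")
    lines.extend(r.to_text() for r in records)
    return lines


def build_v5(seq: int, flows, sampling_interval: int = 0) -> bytes:
    """Construct a v5 datagram for the example (a real exporter does this); mode bits left zero."""
    hdr = V5_HEADER.pack(5, len(flows), 123456, 1315000000, 0, seq, 0, 0, sampling_interval & 0x3FFF)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                       pk, oc, 1000, 2000, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fl in flows)
    return hdr + body


# Constructed sample input: sequence jumps from 2 to 5, so three flows went missing in transit.
SAMPLE_DATAGRAMS = [
    build_v5(0, [("192.0.2.10", "198.51.100.5", 51234, 443, 6, 12, 3400, 0x1B),
                 ("192.0.2.11", "198.51.100.53", 40000, 53, 17, 1, 76, 0)]),
    build_v5(5, [("203.0.113.7", "192.0.2.10", 0, 0, 1, 3, 252, 0)], sampling_interval=100),
]

if __name__ == "__main__":
    tracker = SequenceTracker()
    for dg in SAMPLE_DATAGRAMS:
        print("\n".join(datagram_to_text(dg, tracker)))
```

The same structure extends to v9, but v9 is template-driven (records are described by templates the exporter sends separately), so a v9 decoder must cache templates per exporter and drop records whose template has not yet arrived, which is why collectors such as the one described here need a little time after a router reboot before v9 data becomes searchable.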

Chapter 3  Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Cisco NetFlow. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

Recommended Sampling Rate

The maximum recommended rate for receiving NetFlow data is 500 flows per second. If you are receiving at a higher rate than this, it is recommended to implement a sampling rate on the Cisco device to limit the number of flows being sent. Below is a sample configuration.

    Router(config)# ip cef
    Router(config)# flow-sampler-map my-map
    Router(config-sampler)# mode random one-out-of 100
    Router(config)# interface GigabitEthernet0/0
    Router(config-if)# no ip route-cache flow
    Router(config-if)# ip route-cache cef
    Router(config-if)# flow-sampler my-map

This configuration samples one out of every 100 packets on the interface into the NetFlow cache, so far fewer flow records are created and exported to the LogLogic Appliance than with unsampled NetFlow (the reduction in flows is not exactly 100:1, because a sampled packet still creates a full flow record). Sampled NetFlow requires CEF, and unsampled NetFlow (ip route-cache flow) must be removed from the interface before the sampler is applied. Set the appropriate ratio based on the real-life flow data, but do not exceed 500 flows per second. Remember that byte and packet counters in sampled flow records are per sampled packet, so reports built on them must be scaled by the sampling interval.

Troubleshooting

Problems Retrieving Log Files Using Configured Collector

If you are having general problems retrieving log files using your configured collector, you can run an Index Search as follows:

1. In the navigation menu, click Search > Index Search.
2. Specify LogLogic Appliance as the Device Type and choose the appropriate Source Device.
3. Click the text box and hit Enter. Click Yes to retrieve all messages from the Cisco NetFlow devices.

Frequently Asked Questions

How does the LogLogic Appliance obtain the data from the Cisco NetFlow stream?

LogLogic's Cisco NetFlow Collector runs on the LogLogic Appliance and listens on the specified port for the binary NetFlow stream from a Cisco NetFlow-enabled device.

What access permissions are required?

To configure a Cisco device to send a NetFlow stream, the user must have the proper permissions to make configuration changes to the Cisco device.

How do I know what version and port NetFlow is sending on?

Log into the Cisco device and run the show ip flow export command. The following is an example output:

    Flow export v5 is enabled for main cache
      Export source and destination details :
      VRF ID : Default
        Destination(1)  10.1.1.1 (9995)
      Version 5 flow records
      73909 flows exported in 20903 udp datagrams
      0 flows failed due to lack of export packet
      24 export packets were sent up to process level
      0 export packets were dropped due to no fib
      0 export packets were dropped due to adjacency issues
      0 export packets were dropped due to fragmentation failures
      0 export packets were dropped due to encapsulation fixup failures

In this output, the Destination line shows the collector address and UDP port, and the Version line shows the export version; both must match the Host IP, Incoming Port and version configured on the LogLogic Appliance. Non-zero "dropped" counters indicate that the router itself is discarding export packets before they leave the device.
