NetFlow Analytics for Splunk

It could be useful to reinforce Palo Alto Networks firewall policies. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Palo Alto Networks Top Connectors
This dashboard monitors hosts which generate the most connections in your network. It is useful for identifying hosts that make the most connections but could be omitted from the top bandwidth consumers because of the small packets they send (e.g. port scanners). The dashboard shows connections generated by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Top Applications
This dashboard monitors traffic by Application as identified by Palo Alto Networks devices. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic volume and connections attributed to each application recognized by Palo Alto Networks devices. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Top Applications and Users
This dashboard monitors traffic by Application and Users as identified by Palo Alto Networks devices. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic volume and connections attributed to each application recognized by Palo Alto Networks
results.

(NetFlow Analytics for Splunk App User Manual, NetFlow Logic Confidential, page 24)

Cisco Top Destinations
This dashboard (a.k.a. Top Listeners) monitors hosts which receive the most traffic. The top of the dashboard has a map showing the geographical locations of the top destinations of the traffic in your network. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic volume and connections count (created and denied) received by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Cisco Top Violators
This dashboard shows hosts with the most traffic of denied flows. It could be useful to reinforce Cisco ASA firewall policies. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Cisco Top Connectors
This dashboard monitors hosts which generate the most connections in your network. It is useful for identifying hosts that make the most connections but could be omitted from the top bandwidth consumers because of the small packets they send (e.g. port scanners). The dashboard shows connections created by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Palo Alto Networks
Palo Alto Networks dashboards show the output from the NetFlow Integrator Palo Alto Networks
For support, visit www.netflowlogic.com.
Reports
The Reports section contains dashboards built to be printed or exported to PDF. The following reports are available today:
- Top Talkers
- Top Listeners
- Top Host Pairs

Traffic by Subnets dashboard
The Traffic by Subnets dashboard monitors the subnets specified in the NFI Module 10011 (Network Subnets Monitor) configuration. Please refer to the NetFlow Integrator User Guide for details. The Traffic by Subnets dashboard is useful for real-time and historical monitoring of bandwidth utilization in the specified subnets. The dashboard shows traffic In, Out and in Both directions. Traffic for the top 10 monitored subnets (by traffic volume) is shown in timeline panels. The table below shows, for each subnet, details such as Source IP, traffic speed and volume by direction, as well as packet rate information.

[Screenshot: Traffic by Subnets dashboard; filters Exporter group, Exporter, Source IP mask, Subnet IP mask, Protocol, Time Range; panels Traffic In, Traffic Out]

Traffic by Protocol dashboard
The Traffic by Protocol dashboard monitors traffic in your network by transport protocol going through each of the network devices. It is useful for real-time or historical monitoring of your traffic composition. The App is packaged with a protocols.csv lookup file which is used to display
Contents (continued)
- Access the App NetFlow Analytics for Splunk
- Default Dashboard
- Dashboards navigation overview
- Dashboard overview
- NetFlow Logic > Traffic Overview dashboard
- Bandwidth by Hosts
- Traffic by Source IP dashboard
- Traffic by Destination IP dashboard
- Traffic by Protocol and Port
- Traffic by Host Pairs dashboard
- Reports
- Traffic by Subnets dashboard
- Traffic by Protocol dashboard
- Connections dashboards
- Bandwidth by Network Devices
- Top Devices by Traffic dashboard
- Top Devices by Packet Rate dashboard
Traffic by Autonomous Systems dashboard
The Traffic by Autonomous Systems (AS) dashboard monitors traffic by AS. To see data in this dashboard, enable and configure Module 10066 (Autonomous Systems Monitor). Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results. Select whether you want to see incoming or outgoing traffic by AS, and indicate whether you want to see statistics for IPv4, IPv6 or both.

[Screenshot: Traffic by Autonomous Systems dashboard; filters Device group, Device, Direction, Time Range (Last 60 minutes); panel Autonomous System Statistics]

Traffic by CBQoS dashboard
The Traffic by CBQoS dashboard enables your organization to analyze and prioritize network traffic by Quality of Service (QoS). Using this dashboard you will be able to see how QoS policy is applied in each of your network devices where it is enabled and reported and, if necessary, tweak Type of Service (TOS) settings. To see data in this dashboard, enable Module 10066 (CBQoS Monitor). Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

[Screenshot: Network Traffic by CBQoS dashboard]
- Botnet Command and Control Traffic Monitor
- 10051 APT Traffic Monitor
- 10052 Host Reputation Monitor

Cisco ASA Monitor Settings
Enable Cisco ASA Monitor Dashboards. These dashboards provide visibility into your network traffic passing through your Cisco ASA devices. They allow you to view the top bandwidth consumers, violators, connectors and destinations during the time interval, which is configurable through each module (e.g. 30 seconds). These dashboards show traffic based on Cisco ASA NSEL NetFlow. Make sure you have the following Modules enabled:
- 10018 Top Bandwidth Consumers for Cisco ASA
- 10019 Top Traffic Destinations for Cisco ASA
- 10020 Top Policy Violators for Cisco ASA
- 10021 Top Hosts with most Connections for Cisco ASA

Palo Alto Networks Settings
Enable Palo Alto Networks Dashboards. NetFlow views are based on NetFlow data produced by Palo Alto Networks devices and converted to syslog messages by 3rd party software (NetFlow Integrator). These dashboards show traffic based on Palo Alto Networks devices. Make sure you have the following Modules enabled:
- NetFlow Integrator Palo Alto Networks Modules 10030 through 10035 and Converter 20093

Network Traffic by CBQoS Settings

Enable DNS Security Dashboard. This dashboard shows the average response time and the top 10 users of each monitored DNS server. Make sure you have the following Module enabled:
- 10004 DNS Monitor

GEO IP Monitor Settings
Enable GEO IP Monitor Dashboard
NetFlow Analytics for Splunk User Manual
Version 3.5.1, September 2015
Copyright 2012-2015 NetFlow Logic Corporation. All rights reserved. Patents Pending.

Contents
- Introduction
- Overview
- Installation
- Installing into a Single Splunk Server
- Installing into a Distributed Splunk Environment
- Configuring Universal Forwarders with NFI
- Configure Universal Forwarder Output (Target Indexers)
- Configure Universal Forwarder Input
- Receiving Syslogs Directly from NFI
- Configuring Universal Forwarder with syslog-ng or rsyslog
- Configuring Hunk
DSCP, input and output interfaces and time range.

[Screenshot: Traffic by Protocol and Port dashboard; filters Device group (All devices), Device, Source IP mask, Destination IP mask, Protocol, Src Port, Dest Port, Src DSCP, Dest DSCP, Input Int, Output Int, Time Range (Last 60 minutes); legend entries such as 161 udp snmp, 2055 udp iop and 3389 tcp ms-wbt-server]

Please note that the source and destination IP mask filters can be specified as subnets (IP/mask), as full IP addresses (199.45.1.45) or as a partial IP address (199.45.1).

NetFlow Logic > Traffic Overview dashboard
The Overview dashboard is the top view, aimed at providing a summary of traffic over a time period. The views can be filtered by Device Group, Device and Time Range. The panels show Top Traffic by Source IP, Top Traffic by Destination IP, Top Traffic by Protocol and Port, Top Traffic by Protocol, Top Devices by Traffic, and Top Interfaces by Traffic by Device.

[Screenshot: Traffic Overview dashboard; panels Top Traffic by Source IP, Top Traffic by Destination IP, Top Traffic by Port and Protocol, Top Traffic by Protocol, Top Devices by Traffic, Top Interfaces by Traffic by Device]
Palo Alto Networks Module set, which in its turn is designed to handle Palo Alto Networks' proprietary NetFlow v9 fields.

Palo Alto Networks Overview
The Palo Alto Networks Overview dashboard is aimed at providing a summary of traffic over the selected period of time. The panels show Top Bandwidth Consumers, Top Destinations, Top Violators, Top Connectors, Top Applications, and Top Applications and Users.

Palo Alto Networks Top Bandwidth Consumers
This dashboard (a.k.a. Top Talkers) monitors hosts which generate the most traffic in your network. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic volume and connections count (created and denied) generated by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Palo Alto Networks Top Destinations
This dashboard (a.k.a. Top Listeners) monitors hosts which receive the most traffic. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic volume and connections count (created and denied) received by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Palo Alto Networks Top Violators
This dashboard shows hosts with the most traffic of denied flows.
the protocol name and number according to IANA (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

The Traffic by Protocol dashboard allows viewing traffic details for each protocol: click on the protocol in the table below the graph and a drill-down panel opens below, showing all traffic details for the selected protocol, including source and destination hosts and port numbers, network device interfaces, traffic speed and volume, packet rate and connections.

[Screenshot: Traffic by Protocol dashboard; filters Destination IP mask, Protocol, Src Port, Dest Port, Src DSCP, Dest DSCP, Input Int, Output Int, Time Range (Last 60 minutes); legend 1 icmp, 17 udp, 2 igmp, 47 gre, 58 ipv6-icmp, 6 tcp; columns Average Traffic Rate, Total Traffic, Average Packet Rate, Total Packets]

Connections dashboards
The Traffic dashboards described in the previous sections are based on NFI Modules that consolidate flow data and report top hosts by volume (Modules 10011, 10064, 10067 and the default Module). The Connections dashboards are based on NFI Module 10063, which reports top hosts by the number of connections regardless of traffic volume. There are four dashboards to monitor hosts by connections:
- Connections by Source IP
- Connections by Destination IP
dashboards, which present bandwidth usage, users, applications, violators, etc., enabling the continual reinforcement of firewall policies.

This guide is intended for network and security analysts who use the App to monitor and investigate problems. For additional NFI information please visit www.netflowlogic.com.

Installation

Installing into a Single Splunk Server
1. Download the Technology Add-on for NetFlow from Splunkbase: https://splunkbase.splunk.com/app/1838
2. Download NetFlow Analytics for Splunk from Splunkbase: https://apps.splunk.com/app/489
3. Depending on the OS of the server that is running Splunk, follow the installation recommendations from the Splunk website to install both the Technology Add-on and the NetFlow for Splunk application. Restart Splunk after installing the App.

[Screenshot: Apps > Upload app. "Restart required: You must restart Splunk to install this app. Installation will be completed after Splunk has restarted." Buttons: Restart later, Restart Splunk]

4. Launch the App.

[Screenshot: App configuration. "The NetFlow Analytics for Splunk app has not been fully configured yet. This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required." Link: Continue to app setup page]
Search dashboard
This screen opens a Search dashboard within the App with the search criteria set to the macro `netflow_search_traffic_rules`. To see all output from NFI, enter index=flowintegrator in the search area. To filter the search results to a specific NFI Module, add the corresponding Module output ID to your search, for example index=flowintegrator nfc_id=20067. You can add additional filters or any other Splunk search commands to narrow your search results and/or see various statistics. You can also save your custom searches there.

Cisco ASA Monitor
Cisco ASA Monitor dashboards show the output from the NetFlow Integrator Cisco ASA Module set, which in its turn is designed to handle Cisco ASA NSEL.

Cisco Overview
The Cisco Overview dashboard is aimed at providing a summary of traffic over the last 24 hours. The panels show the geo-location of hosts on the map, Top Bandwidth Consumers, Top Destinations, Top Violators and Top Connectors.

Cisco Top Bandwidth Consumers
This dashboard (a.k.a. Top Talkers) monitors hosts which generate the most traffic in your network. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic volume and connections count (created and denied) generated by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search
Interface Groups. Interface Groups are defined in the interface_groups.csv lookup (CSV) file. Please see the Interface Groups section at the bottom of the App's Settings > Configuration page for more details.

[Screenshot: Interface Groups dashboard; filter Device group]

Services
The Services dashboards enable users to monitor performance and traffic statistics of selected services in your datacenter. You need to enable the corresponding NFI Modules in order to see data in these dashboards.

Service Response Time dashboard
To see data in this dashboard, enable and configure Module 10017 (Service Performance Monitor). Please refer to the NetFlow Integrator User Guide for details. Use the Watch List parameter in this Module to specify the services you want to monitor (a Service is a Destination IP, Destination Port and Transport protocol).

Asset Access Monitor
To see data in this dashboard, enable and configure Module 10014 (Asset Access Monitor). Please refer to the NetFlow Integrator User Guide for details. This dashboard shows the top services with the most unauthorized connections (traffic from unauthorized users to the services, i.e. IP address, destination port and protocol, configured in NFI Module 10014 Asset Access Monitor) and the top peers with the most unauthorized connections (traffic to peers, i.e. IP address and subnet mask, also configurable in the NFI Module 10014 section).

[Screenshot: Asset Access Monitor dashboard; filters Device group, Device; panel Services with most unauthorized connections]
Top Devices by Packet Rate dashboard
The Top Devices by Packet Rate dashboard is similar to the Top Devices by Traffic dashboard, but the network devices are sorted by packet rate rather than traffic volume. You need to enable Module 10068 (Top Packets Monitor) in order to see data in this dashboard.

[Screenshot: Top Devices by Packet Rate dashboard; filters Device group, Device, Source IP mask, Protocol, Port, Src DSCP, Dest DSCP, Time Range]

Interfaces Utilization dashboard
The Interfaces Utilization dashboard shows interfaces across your entire data center, with the most loaded interfaces first. This dashboard works best when the App is integrated with SNMP (see SNMP Integration on page 10). As in the Top Devices dashboards, Interfaces Utilization allows drill-down to examine the traffic details going over the selected interface. Click on an interface and the panels below will show traffic speed statistics and the hosts communicating over the selected interface.

[Screenshot: Interfaces Utilization dashboard]

Watched Interfaces Utilization dashboard
The Watched Interfaces Utilization dashboard is very similar to Interfaces Utilization but shows only the interfaces specified in the watched_interfaces.csv lookup (CSV) file. Please see the Watched Interfaces section at the bottom of the App's Settings > Configuration page for more details.

[Screenshot: Watched Interfaces Utilization dashboard]

Interface Groups dashboard
This dashboard shows consolidated information for Interface
the events are sent to 10.1.0.100:9997 and 10.1.0.101:9997. More info about load balancing: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Setuploadbalancingd#How_load_balancing_works

Configure Universal Forwarder Input
The inputs can be configured in the following file: $SPLUNK_HOME/etc/system/local/inputs.conf. In general there are two options: either listen directly for NetFlow events on a specific port, or optionally monitor the files created by syslog-ng or rsyslog.

Receiving Syslogs Directly from NFI
inputs.conf file example (NFI sends data on UDP port 10514):

    [udp://10514]
    sourcetype = flowintegrator
    index = flowintegrator

Configuring Universal Forwarder with syslog-ng or rsyslog
In this scenario syslog-ng or rsyslog is configured to listen for the syslogs sent by NFI on UDP port 10514. Syslog-ng and rsyslog usually write the logs into configurable directories; in this example we assume that they are written to /var/log/netflow.

inputs.conf file example (NFI sends data on UDP port 10514 to syslog-ng or rsyslog):

    [monitor:///var/log/netflow]
    sourcetype = flowintegrator
    index = flowintegrator

N.B. It is very important to set sourcetype = flowintegrator and to point the input at the index where the NetFlow Analytics for Splunk App is expecting it.
Please refer to the NetFlow Integrator User Guide for details. It is useful to monitor the average response time of all DNS servers used in your network. The right panel also shows the top DNS users.

[Screenshot: DNS Monitoring dashboard; filter Exporter group; panel Top 10 DNS Users]

Supplemental Traffic Statistics

TCP Health
To see data in this dashboard, enable and configure Module 10060 (TCP Health). Please refer to the NetFlow Integrator User Guide for details. The TCP Health dashboard monitors and detects the top hosts with the most TCP Resets. Top hosts are defined either by the percentage of TCP resets relative to the total number of Resets for a given NetFlow exporter, or by the percentage of TCP resets relative to the total number of the host's connections. The TCP Health dashboard shows the top hosts with the highest count of failed TCP connections and the top hosts with the largest share of failed TCP connections.

GEO IP Monitor dashboard
The GEO IP dashboard shows the geographical locations of the Source IP for inbound traffic and of the Destination IP for outbound traffic. You need to enable Module 10040 (Visitors by country).

[Screenshot: GEO IP Monitor dashboard, statistics provided for the last 24 hours; panels Inbound Traffic, Outbound Traffic; columns Device, Source IP]
Bandwidth by Hosts
This section covers the dashboards and reports for monitoring traffic to and from hosts in your network, such as top talkers, top listeners, top host pairs and many others.

Traffic by Source IP dashboard
The Traffic by Source IP dashboard (a.k.a. Top Talkers) monitors hosts which generate the most traffic in your network. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic speed and volume, as well as packet rate and connections, generated by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

[Screenshot: Traffic by Source IP dashboard; filters Destination IP mask, Protocol, Src Port, Dest Port, Src DSCP, Dest DSCP, Input Int, Output Int, Time Range (Last 60 minutes); columns Average Packet Rate, Total Packets]

The Traffic by Source IP dashboard allows viewing talker traffic details: click on the talker host IP or name and a drill-down panel opens below, showing all traffic destinations including ports
details: click on the listener host IP or name and a drill-down panel opens below, showing all traffic sources including ports, network device interfaces, and traffic and packet rate details.

Traffic by Protocol and Port
The Traffic by Protocol and Port dashboard monitors traffic in your network by Service Name and Transport Protocol Port Number (a.k.a. Destination port). The App is packaged with a services.csv lookup file which is used to display the service name and protocol according to IANA (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml).

[Screenshot: Traffic by Protocol and Port dashboard; filters Destination IP mask, Protocol, Src Port, Dest Port, Src DSCP, Dest DSCP, Input Int, Output Int, Time Range (Last 60 minutes); legend entries such as 161 udp snmp and 443 tcp https; columns Average Traffic Rate, Total Traffic]

Traffic by Host Pairs dashboard
The Traffic by Host Pairs dashboard shows consolidated bidirectional flows sorted by traffic volume. You need to enable Module 10064 (Top Pairs Monitor) in order to see data in this dashboard.
File System: hdfs://HDPIP:8020; Resource Manager Address: HDPIP:8050; Resource Scheduler Address: HDPIP:8030; HDFS Working Directory: /user/root/splunkmr
4. Select Manager > Virtual Indexes in the menu bar.
5. Click the Virtual Index tab if it is not already selected and click New Virtual Index.
6. Fill in the following fields: Name: any string; Paths: /user/flume/netflow/syslog
7. Click Save to save your index and return to the Virtual Indexes page.

Dashboards

Access the App NetFlow Analytics for Splunk
This guide assumes that Splunk v6.x and the NetFlow Analytics for Splunk App v3.5 have been installed in your organization and that you have been assigned a Splunk username and password. It also assumes that NFI and the App have been set up and configured. Contact your system administrators if they have not.
1. Log onto Splunk Web using your Splunk username and password.
2. Click on Splunk Home and click the NetFlow Analytics for Splunk App. You will see the Overview page, which presents a summary of your network. You can customize any dashboard (see the Default Dashboard section).
3. Use the Hosts, Network Devices, Services, Security Events, Other Traffic Statistics, Cisco ASA Monitor and Palo Alto Network dashboards for detailed investigation, filtering and drill-downs. All dashboards in this App are based on the Splunk Web Framework
consumers for each monitored subnet. Make sure you have the following Rule enabled:
- 10011 Network Subnets Monitor

Traffic by Autonomous Systems Settings
Enable Traffic by Autonomous Systems Dashboard. This dashboard reports traffic by all Autonomous Systems. Make sure you have the following Rule enabled:
- 10066 Traffic by Autonomous Systems

Traffic by Host Pairs Settings
Enable Traffic by Host Pairs Dashboard. This dashboard shows the top traffic conversations between host pairs. Make sure you have the following Rule enabled in the Network traffic and device monitoring Rule Set:
- 10064 Top Host Pairs Monitor

Dashboards navigation overview
The application navigation bar is displayed toward the top of the UI and offers drop-down menus.

[Screenshot: navigation bar of the NetFlow for Splunk by NetFlow Logic App with menus NetFlow Logic, Bandwidth by Hosts, Bandwidth by Network Devices, Services, Security Events, Supplemental Traffic Statistics, Search, Settings; the NetFlow Logic menu lists Traffic Overview, TCP Health, GEO IP Monitor, Traffic by Autonomous Systems, Network Traffic by CBQoS, Update Device list; filters Device group, Device, Time Range]

Dashboard overview
Every dashboard has different filters at the top of the screen to enable further narrowing of the report. For example, the Traffic by Protocol and Port dashboard can be filtered by device group, device, source IP mask, destination IP mask, protocol, source port, destination port, source DSCP, destination
Contents (continued)
- Interfaces Utilization dashboard
- Watched Interfaces Utilization dashboard
- Interface Groups dashboard
- Services
- Service Response Time dashboard
- Asset Access Monitor
- Security Events
- Cyber Threat Statistics dashboard
- DNS Security dashboard
- Supplemental Traffic Statistics
- TCP Health dashboard
- GEO IP Monitor dashboard
- Traffic by Autonomous Systems dashboard
- Traffic by CBQoS dashboard
- Search dashboard
- Cisco ASA Monitor
- Cisco Overview
- Cisco Top Bandwidth Consumers
- Cisco Top Destinations
- Cisco Top Violators
- Cisco Top Connectors
- Palo Alto Networks
- Palo Alto Networks Overview
- Palo Alto Networks Top Bandwidth Consumers
- Palo Alto Networks Top Destinations
- Palo Alto Networks Top Violators
- Palo Alto Networks Top Connectors
- Top Applications
- Top Applications and Users

Introduction

Overview
The NetFlow Analytics for Splunk App is designed to deliver next-generation, real-time network resource management power to network and security analysts. NetFlow Integrator (NFI) is middleware that processes a massive amount of flows to stream summarized and meaningful CIM (Common Information Model) compliant syslog events into Splunk Enterprise and, optionally, all original flow records into Hunk. The events are available for immediate indexing and correlation. The NetFlow for Splunk App (the App) provides visualization and reporting capabilities. Operators benefit from detailed visibility into their entire network and are able to address many IT use cases, including bandwidth monitoring, capacity planning, congestion troubleshooting and cyber security using threat intelligence lists. The App also includes Cisco ASA and Palo Alto Networks firewall flow data dashboards
ports, network device interfaces, and traffic and packet rate details.

Traffic by Destination IP dashboard
The Traffic by Destination IP dashboard (a.k.a. Top Listeners) monitors hosts which receive the most traffic in your network. Like Traffic by Source IP, it is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic speed and volume, as well as packet rate and connections, received by each host. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

[Screenshot: Traffic by Destination IP dashboard; columns Destination Host, Device, Average Traffic Rate, Total Traffic, Traffic Line, Average Packet Rate, Total Packets]

The Traffic by Destination IP dashboard allows viewing listener traffic details
25. The first time you run the app from the web UI you will be presented with a setup screen.

[Screenshot: "Let's Get Started" setup screen of the Splunk App by NetFlow Logic, showing the steps for altering the index, Step 1 (NetFlow Integrator download) and Step 2 (enabling additional inline analytics and the corresponding Splunk App panels under Settings > Configuration), the Enable button, and the note "Questions or need assistance? We are here to help."]

If you need to alter the index, please follow these steps:
a. Create directory $SPLUNK_ROOT/etc/apps/netflow/local if it doesn't exist.
b. C
26. raffic by Host Pairs dashboard contains a timeline panel showing the top 10 host pairs' traffic by volume and a table showing the top 100 host pairs with details such as traffic volume and speed, packet rate and connections count.

[Screenshot: Traffic by Host Pairs dashboard with Device group and Device filters, a Top 10 Host Pairs timeline, and a host-pair table with protocol/port, inbound and outbound traffic rate and volume, Average Packet Rate and Total Packets columns]
27. reate file $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf with the following lines:

    [netflow_index]
    definition = index=your_index sourcetype=flowintegrator

c. Save $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf and restart Splunk for the changes to take effect.

You can set up this app by following the steps below. Once you have reviewed the setup steps, click on the Enable button.

Step 1. This App relies on NetFlow Integrator software. To download a free trial of NetFlow Integrator, please visit https://www.netflowlogic.com/downloads

Step 2. Get more value out of NetFlow by enabling additional inline analytics in NetFlow Integrator and enabling the corresponding Splunk App panels under Settings > Configuration.

[Screenshot: Settings > Configuration page of the NetFlow for Splunk App by NetFlow Logic; menu bar: NetFlow Logic, Bandwidth by Hosts, Bandwidth by Network Devices, Services, Security Events, Supplemental Traffic Statistics, Search, Settings, Configuration]

Step 2. Get more value out of NetFlow by enabling additional inline analytics in NetFlow Integrator and enabling the corresponding Splunk App panels below. Place a checkbox for the selected panel and click on the Save button below.

Cyber Threat Dashboard Settings
Enable Cyber Threat Dashboard: This dashboard shows cyber threat traffic based on the Security Rule Set of NetFlow Integrator. Make sure you have the following Modules enabled: 10050
28. rks devices and allows drilling down to see the users of each reported application. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

Resources

FAQ

What is the default UDP Data Input the app uses?
Once the app is installed, the default Data Input 10514 is created with the index flowintegrator and the manual sourcetype flowintegrator.

How do I set up the app to work with SNMP?
This application is automatically integrated with SNMP. See the SNMP Integration section on page 10.

How do I change the default index where NetFlow data is stored?
Once the app is installed, the default index flowintegrator is created. If you need to alter the index, please follow these steps:
1. Create directory $SPLUNK_ROOT/etc/apps/netflow/local if it doesn't exist.
2. Create file $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf with the following lines:

    [netflow_index]
    definition = index=your_index sourcetype=flowintegrator

3. Save $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf and restart Splunk for the changes to take effect.

Getting help

NetFlow Logic provides many resources for help with the NetFlow Analytics for Splunk App:
NetFlow Analytics for Splunk App download: https://apps.splunk.com/app/489
Technology Add-on for NetFlow download: https://splunkbase.splunk.com/app/1838
NetFlow Logic Support: https
29. s: Create an exporters_devices.csv file to map devices' management IPs to exporter IPs and to group devices (see exporters_devices.csv.sample), where exp_ip is the IP address of the device's NetFlow exporter, management_ip is the management IP address of the device (the same as exp_ip if the device doesn't have an actual management IP), and device_group is the name of the group where the device belongs (this field is optional; input it without quotes if the device shouldn't belong to any group).

Installing into a Distributed Splunk Environment

If you have a Splunk distributed environment (separate search heads, indexers and forwarders): install both the Technology Add-on and the NetFlow for Splunk App on the Search Head; install the Technology Add-on on the Indexers.

[Diagram: Search Head, Indexers and Forwarders with NetFlow Integrator (NFI); flow data (NetFlow, IPFIX, sFlow) captured from the network, event data searched on the Search Head]

Install NetFlow Integrator and, optionally, syslog-ng or rsyslog with the Universal Forwarder.

Configuring Indexers

Make sure your Indexers are enabled to receive data from the Universal Forwarder.
1. Log into Splunk Web as admin on the Indexer that will be receiving data from a forwarder. Click the Settings link at the top of the page. Select For
30. shboard: This dashboard shows geographical locations of monitored hosts and traffic statistics. Make sure you have the following Module enabled: 10040 Hosts Geographical Location Monitor.

Asset Access Monitor Settings
Enable Asset Access Monitor Dashboard: This dashboard shows traffic from unauthorized users to services (IP address, destination port, protocol) configured in the corresponding NFI Module. Make sure you have the following Module enabled and configured: 10014 Asset Access Monitor.

TCP Health Settings
Enable TCP Health Dashboard: This dashboard shows the top hosts with the most TCP Resets. Make sure you have the following Module enabled: 10060 TCP Health.

Watched Interfaces
Enable Watched Interfaces Utilization Dashboard: Create a watched_interfaces.csv file for the Watched Interfaces Utilization dashboard (see watched_interfaces.csv.sample), where management_ip is the management IP address of the device and if_name is the name of the interface received from SNMP polling.

Interface Groups
Enable Interface Groups Dashboard: Create an interface_groups.csv file for the Interface Groups dashboard. Specify interface groups to view the aggregated traffic for grouped interfaces (see interface_groups.csv.sample), where management_ip is the management IP address of the device, name is the name of the interface received from SNMP polling, and if_group is the name of the group where the interface belongs.

Devices (Management IPs, Device Group)
31. sing simple XML. Refer to http://docs.splunk.com/Documentation/Splunk/latest/Viz/WebFramework for an overview of Dashboards and Visualization.

Default Dashboards

When you install and enable the App, several dashboards are available by default. All these dashboards are based on data sent to Splunk by NFI Module 10067 Top Traffic Monitor. They are:
NetFlow Logic > Traffic Overview
Bandwidth by Hosts > Traffic by Source IP
Bandwidth by Hosts > Traffic by Destination IP
Bandwidth by Hosts > Traffic by Protocol and Port
Bandwidth by Hosts > Traffic by Protocol
Bandwidth by Hosts > Reports
Bandwidth by Network Devices > Top Devices by Traffic
Bandwidth by Network Devices > Interface Utilization
Search > Traffic Timeline

Settings

You can get more value out of the App by enabling additional dashboards. Go to Settings > Configuration and place a checkbox for the selected dashboards. Please make sure that the corresponding NFI Modules are enabled and configured. Here are some of the dashboards you will be able to enable:

Traffic by CBQoS Settings
Enable Traffic by CBQoS Dashboard: This dashboard shows traffic by Differentiated Service (DSCP) on your network. Make sure you have the following Rule enabled: 10065 Traffic by CBQoS.

Traffic by Subnets Settings
Enable Traffic by Subnets Dashboard: This dashboard reports top bandwidth co
32. st unauthorized connections

[Screenshot: Peers with most unauthorized connections panel, showing the Top 10 peers with most unauthorized connections over time]

Security Events

Cyber Threat Statistics dashboard

The Cyber Threat Statistics dashboard enables your organization to analyze and prioritize network security event traffic. Using this dashboard you will be able to see the geo-location of top hosts and network traffic to and from known suspicious hosts. Out of the box we support the geo-country database from MaxMind and threat intelligence from Emerging Threats and AlienVault. A corporation can also integrate its own watch list. To see data in this dashboard, enable the Security Module Set (10040, 10050, 10052, 10053), install and set up the four utilities for each Module, create the required data sets and add them to the NetFlow Integrator Modules.

[Screenshot: Cyber Threat Statistics dashboard, statistics provided for the last 24 hours; panels APT-1 from Mandiant, Botnet Command & Control (Emergingthreats.net) and Malicious Hosts (AlienVault Reputation), each with Total Events; Events by Geo; Events by Time]

DNS Security dashboard

To see data in this dashboard, enable Module 10004 DNS Monitor. Please refer to the NetFlow Integrator Us
33. stination IP
- Connections by Protocol and Port
- Connections by Protocol
These dashboards contain graphs and tables with traffic details similar to the corresponding Traffic dashboards.

Bandwidth by Network Devices

In comparison to the Host dashboards, which are host-centric, the Network Devices dashboards are device-centric (routers, firewalls, VLANs), tracking the ingress and egress traffic.

Top Devices by Traffic dashboard

The Top Devices by Traffic dashboard monitors the network devices with the most traffic in your network. It is useful for real-time or historical network utilization and bandwidth monitoring. The dashboard shows traffic speed and volume as well as packet rate traversing each network device. Use the filtering options and time picker at the top of the dashboard to select the time interval and narrow down your search results.

[Screenshot: Top Devices by Traffic dashboard with Device group and Device filters and a Top 10 Devices panel]

The Top Devices by Traffic dashboard allows viewing network traffic details: just click on one of the devices and a drill-down panel opens below showing traffic composition by each interface. Further drill-down shows traffic speed statistics (Min, Max, Average, Standard Deviation, 95th Percentile) and hosts communicating over the selected interface.

Top Devices by Packet Rat
34. tration

Under Settings you may find additional information about various options and the configuration of the App.

Devices and SNMP polling

List of Devices
The List of Devices feature is introduced to improve the performance of the App. Every 30 minutes a job runs to create a summary index, flowintegrator_exp_ips, which is used to populate the Device IP drop-down on various dashboards in the App.

SNMP Integration
NetFlow records contain very limited information about network devices and interfaces. This application takes advantage of SNMP information provided by the special NFI Module SNMP Information Monitor, which polls the following information from network devices: device name, names of interfaces and their speed. Once this information is obtained by polling network devices, utilization of interfaces is computed and displayed to users on the application dashboards. Make sure that the NFI SNMP Information Monitor Module is enabled.

Configuration
This screen allows you to enable additional dashboards in the App and contains descriptions of the NFI Modules that need to be enabled to feed data to the corresponding dashboards.

Configuring Hunk 6.2

1. In Hunk Web, select Manager > Virtual Indexes in the menu bar.
2. Click the Provider tab if it is not already selected and click New Provider.
3. Fill in the following fields:
Name: any string
Java Home: /usr/lib/jvm/jre-1.7.0
Hadoop Home: /opt/Hadoop
Hadoop Version: Hadoop 2.x, Yar
35. warding and receiving in the Data area. Click Add new in the Receive data section. Specify which TCP port you want the receiver to listen on (default value is 9997). Click Save. You must restart the instance to complete the process.

Configuring Universal Forwarders with NFI

Configure Universal Forwarder Output: Target Indexers

During the installation of the Universal Forwarders a Receiving Indexer can be configured, as can be seen here:

[Screenshot: UniversalForwarder Setup dialog, Receiving Indexer step: "If you intend to use a Splunk receiving indexer to configure this UniversalForwarder, please specify the host or IP and port (default port is 9997). This is an optional step. However, UniversalForwarder needs either a deployment server or receiving indexer in order to do anything." Hostname or IP field with the indexer address and port]

This is an optional step during the installation. If it was not configured, or if load balancing is required, additional Receiving Indexers can be added later by adding them to the $SPLUNK_HOME/etc/system/local/outputs.conf file:

    [tcpout]
    defaultGroup = default-autolb-group

    [tcpout:default-autolb-group]
    server = 10.1.0.100:9997,10.1.0.101:9997

Restart the Splunk Universal Forwarder. With a setup like this, load balancing is configur
