Not receiving netflow v9, v5 works – Juniper SRX


We have an ELK Stack running that gathers data and processes it to the point where end users can visualize the data.

Right now we're dealing with Syslogs and Netflow, but are experiencing some issues with netflow. We currently have netflow version 5 configured to be sent to a remote server on udp port 2222 and it works fine.

As you might know, version 5 is quite old and doesn't offer as much as version 9, so we decided to configure our device to send over netflow v9. Nothing comes in!

What could be causing this? Version 5 works fine, but we cannot receive version 9 netflow.

    family inet {
        output {
            flow-server **.**.**.** {
                port 2222;
                version9 {
                    template {
                        ELK;
                    }
                }
            }

    services {
        flow-monitoring {
            version9 {
                template ELK {
                    ipv4-template;
                }
            }
        }
    }

Best Answer

You've got two out of the three necessary sections listed, and they look OK. There's a third section needed, "forwarding-options", that tells the Juniper whether and how to sample packets to generate flow (something you didn't need for v5). You're also going to need to tell the Juniper which interfaces to monitor flow on. The command to monitor ingress packets will look something like this:

    set interfaces ge-0/0/14 unit 0 family inet sampling input

I wrote a blog post a while back that goes through setting up NetFlow v9 (technically, J-Flow) on Juniper SRX here, which I think you'll find useful.

One other thing to mention: I've seen issues in the past where routers won't actually send flow records to multiple sources. If the v5 stream is still active, I'd try turning that off to see if the v9 picks up.

(Edited to add: it's also always worth spending time checking firewalls and connectivity before doing any kind of serious heavy lifting. You've probably already done that, but it never hurts to bring that up...)
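A collector-side check for the connectivity point above, as an added example that is not part of the original answer: it reads the version field of whatever reaches UDP port 2222 and, for v9, lists the FlowSets, so you can tell whether v9 datagrams and their template FlowSets arrive at all. Header layouts follow RFC 3954; the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HEADER = struct.Struct("!HH")  # flowset_id, length (length includes these 4 bytes)

def flowset_kind(flowset_id):
    """NetFlow v9 FlowSet IDs: 0 = template, 1 = options template, 256+ = data."""
    if flowset_id >= 256:
        return "data"
    return {0: "template", 1: "options-template"}.get(flowset_id, "reserved")

def inspect_datagram(payload):
    """Report the export version of one UDP payload and, for v9, its FlowSets."""
    if len(payload) < 4:
        return {"version": None, "error": "too short"}
    version, count = struct.unpack_from("!HH", payload)
    if version == 5:  # v5: 24-byte header followed by fixed 48-byte records
        return {"version": 5, "records": count, "complete": len(payload) == 24 + 48 * count}
    if version != 9:
        return {"version": version, "error": "not NetFlow v5 or v9"}
    if len(payload) < V9_HEADER.size:
        return {"version": 9, "error": "truncated header"}
    flowsets, offset = [], V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(payload):
        fs_id, fs_len = FLOWSET_HEADER.unpack_from(payload, offset)
        if fs_len < FLOWSET_HEADER.size or offset + fs_len > len(payload):
            return {"version": 9, "flowsets": flowsets, "error": "bad FlowSet length"}
        flowsets.append((flowset_kind(fs_id), fs_id, fs_len))
        offset += fs_len
    return {"version": 9, "flowsets": flowsets,
            "has_template": any(kind == "template" for kind, _, _ in flowsets)}

def constructed_v9_sample():
    """Constructed test datagram: one template FlowSet (ID 256, 2 fields) and one data FlowSet."""
    template = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 1, 4)  # IPV4_SRC_ADDR, IN_BYTES
    data = struct.pack("!HH4sI", 256, 12, bytes([192, 0, 2, 1]), 1500)
    return V9_HEADER.pack(9, 2, 1000, 1700000000, 1, 0) + template + data

def listen(port=2222, host="0.0.0.0"):
    """Print a summary for every datagram that reaches the collector port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        payload, (source, _) = sock.recvfrom(65535)
        print(source, inspect_datagram(payload))

if __name__ == "__main__":
    listen()
```

Stop the existing listener on port 2222 (or pass another port) before running this, since the script has to bind the port itself.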
