Is there any way to have netflow v9 converted to syslog?
Which would be the best way to have the following idea working?
Procedure:
- The router sends UDP with the following structure:
  templateId=259: id=259, fields=11
  field id=8 (ipv4 source address), offset=0, len=4
  field id=225 (natInsideGlobalAddress), offset=4, len=4
  field id=12 (ipv4 destination address), offset=8, len=4
  field id=226 (natOutsideGlobalAddress), offset=12, len=4
  field id=7 (transport source-port), offset=16, len=2
  field id=227 (postNAPTSourceTransportPort), offset=18, len=2
  field id=11 (transport destination-port), offset=20, len=2
  field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
  field id=234 (ingressVRFID), offset=24, len=4
  field id=4 (ip protocol), offset=28, len=1
  field id=230 (natEvent), offset=29, len=1
- Inside each UDP packet there is a file (yes, a file inside each UDP packet), also some important fields like timestamp and count (number of flowsets inside the packet).
- Inside each flowset there are the ID, length, and then the flow sequence (using the template shown above).
The general idea is to have a binary (performance is a must, so probably a C binary, multithreaded), which listens for the UDP traffic and sends the output as syslog to a server which will take care of writing them to disk. (Writing to disk may be done by the netflow converter itself if there is a way to read from the written logs.)
Any idea on how to achieve this?
Thanks.
marc
Best Answer
If I understand correctly, you're looking to monitor a NetFlow stream for sessions that match a particular template, and then send a pre-canned syslog event with the details? I'm not aware of any tool that does just that, but there are two possibilities that I am aware of:
1. Write your own. The big bottleneck is going to be the NetFlow parsing, but using an open source NetFlow library like flowd will be a big help there. That will take care of all the versioning information, and should provide a convenient data structure for forming your syslog message. This will be your best option performance-wise, because it won't be doing any other tasks.
2. Purchasing an off-the-shelf NetFlow collector with alerting functionality. The exact details of setting one up vary from product to product, but in general you'll be setting a strict filter and setting a threshold very low so that you'll get an alert (which is usually a syslog event) for each session. The overhead of the rest of the product will potentially cut into the speed, and commercial products will have a cost, but it will likely be easier to deploy. (full disclosure: I work at a company that sells a NetFlow collector)
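As an added illustration of the "write your own" route for the layout described in the question (20-byte v9 header, template flowset 0, data flowset 259 with the eleven fields listed), and not code from the question, the answer or any library: a minimal Python parser that caches templates and emits one RFC 3164 syslog line per record. The syslog key names, the hostname `router1`, the PRI value 134, and the addresses in the constructed test packet are my own assumptions; the UDP listener and multithreading the question asks for are left out.

```python
import socket
import struct
from datetime import datetime, timezone

FIELDS = {8: ("src", 4), 225: ("nat_src", 4), 12: ("dst", 4), 226: ("nat_dst", 4), 7: ("sport", 2),  # template 259
          227: ("nat_sport", 2), 11: ("dport", 2), 228: ("nat_dport", 2), 234: ("vrf", 4), 4: ("proto", 1), 230: ("event", 1)}

def decode(fid, raw):  # IPv4 address elements -> dotted quad, everything else -> big-endian integer
    return socket.inet_ntoa(raw) if fid in (8, 12, 225, 226) and len(raw) == 4 else int.from_bytes(raw, "big")

def parse_v9(pkt, templates):
    """Parse one v9 export packet; cache templates (flowset 0) in `templates`, return a (secs, record) list."""
    ver, _count, _uptime, secs, _seq, _src_id = struct.unpack("!HHIIII", pkt[:20])
    if ver != 9:
        raise ValueError("not NetFlow v9")
    records, off = [], 20
    while off + 4 <= len(pkt):
        fsid, flen = struct.unpack("!HH", pkt[off:off + 4])
        if flen < 4:
            raise ValueError("bad flowset length")  # never spin on a malformed packet
        body = pkt[off + 4:off + flen]
        if fsid == 0:  # template flowset, may carry several templates back to back
            p = 0
            while p + 4 <= len(body):
                tid, nf = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(nf)]
                p += 4 + 4 * nf
        elif fsid in templates:  # data flowset whose template we have already seen; unknown ones are skipped
            fields = templates[fsid]
            rec_len, p = sum(l for _, l in fields), 0
            while rec_len and p + rec_len <= len(body):  # trailing bytes are exporter padding
                rec, q = {}, p
                for fid, l in fields:
                    rec[FIELDS.get(fid, (f"field{fid}",))[0]] = decode(fid, body[q:q + l])
                    q += l
                records.append((secs, rec))
                p += rec_len
        off += flen
    return records

def to_syslog(secs, rec, host="router1"):
    """One RFC 3164 line per flow record; PRI 134 = local0.info (assumed values)."""
    ts = datetime.fromtimestamp(secs, timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<134>{ts} {host} natflow: " + " ".join(f"{k}={v}" for k, v in rec.items())

def build_sample():  # constructed packet: header, template 259, one NAT-create record (event=1)
    tmpl = struct.pack("!HH", 259, len(FIELDS)) + b"".join(struct.pack("!HH", f, l) for f, (_, l) in FIELDS.items())
    rec = struct.pack("!4s4s4s4sHHHHIBB", *map(socket.inet_aton, ("10.0.0.5", "203.0.113.9", "198.51.100.7",
                      "198.51.100.7")), 40000, 1025, 443, 443, 0, 6, 1)
    return (struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 259, 4 + len(rec)) + rec)
```

In a real collector the `templates` dict must be kept per exporter (source address plus the header's source id), since template ids are only unique within one exporter, and data flowsets that arrive before their template are dropped rather than guessed at.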