How it started
NetFlow seems to be popular in the networking world, and there are apparently plenty of cases of ingesting it into Splunk. I decided to try ingesting it into Splunk as a way of learning NetFlow.
This time I am using the Splunk Add-on for NetFlow. It only supports the Linux platform, and 7.x is not on the supported list, but well, it is a Splunk App/Add-on. As long as it works.
For the network device I chose a Cisco 892, which can be had on Yahoo Auctions for around 5,000 yen.
Setup
After installing the TA, run configure.sh. Once you finish the interactive prompts, indexes.conf and inputs.conf are created under local. A restart of splunkd is needed for the settings to take effect.
splunk@ubu1804:~/etc/apps/Splunk_TA_flowfix$ ls -l
total 80
drwxr-xr-x 3 splunk splunk  4096 Sep 26 06:14 appserver
drwxr-xr-x 7 splunk splunk  4096 Sep 26 06:14 bin
-rwxr-xr-x 1 splunk splunk  8829 Sep 26 06:14 configure.sh
drwxr-xr-x 2 splunk splunk  4096 Sep 26 06:14 default
-rw-r--r-- 1 splunk splunk 19031 Sep 26 06:14 license-eula.rtf
-rw-r--r-- 1 splunk splunk 18526 Sep 26 06:14 license-eula.txt
drwxr-xr-x 2 splunk splunk  4096 Sep 26 06:14 lookups
drwxr-xr-x 2 splunk splunk  4096 Sep 26 06:14 metadata
-rw-r--r-- 1 splunk splunk   864 Sep 26 06:14 README.txt
drwxr-xr-x 2 splunk splunk  4096 Sep 26 06:14 samples
splunk@ubu1804:~/etc/apps/Splunk_TA_flowfix$ ./configure.sh
TA-FlowFIX v0.8
Please send comments or suggestions to beaker@splunk.com/n
This script will configure TA-FlowFIX on this system. Run this in the root of TA-flowfix on the system (as a user with "owner"/write privileges) that will listen for Netflow or IPFIX streams. You will need either a full Splunk installation or the Splunk Forwarder present.

There are two modes of installation. One is for a system running this Netflow/IPFIX receiver and using a Splunk Forwarder to send events to a Splunk Indexer. The other is for a stand alone Splunk instance, where only the eventtype transforms and tagging definitions are added. A separate index will be created.

Which type of installation will you be performing:
(1) Netflow or IPFIX receiver/listener
(2) "netflow" eventtype parser only
Selection: 1
1 selected... let's do this.
Systems currently supported for Netflow/IPFIX listening are:
(*) Linux (64 bit)
(*) Linux (32 bit)
(*) FreeBSD (64 bit)
If you already have a flowfix.sh in bin and inputs.conf/indexes.conf in default, this WILL OVERWRITE them.
CONTINUE [Y/n]: Y
Continuing...
Full path location for this TA [ /opt/splunk/etc/apps/Splunk_TA_flowfix ]:
# of days to keep ascii flow logs [ Default: 3 ]:
Name of Splunk index to use [ Default: netflow ]:
How many listeners would you like to install on this system? [1]:
Listener #1
Netflow [v5], [v7], [v9] or [IPFIX] [ Default: v5 ]: v9
Specify IPv4 or IPv6 address to bind to listener [ Default: all ]:
UDP port to listen on: 2055
# of seconds to rollover flow capture files for indexing [ Default: 120 ]:
Setup is complete! You will need to restart Splunk to enable changes.
splunk@ubu1804:~/etc/apps/Splunk_TA_flowfix$ cd local
splunk@ubu1804:~/etc/apps/Splunk_TA_flowfix/local$ ls
indexes.conf  inputs.conf
splunk@ubu1804:~/etc/apps/Splunk_TA_flowfix/local$ cat inputs.conf
[monitor:///opt/splunk/etc/apps/Splunk_TA_flowfix/nfdump-ascii]
index = netflow
sourcetype = netflow
disabled = false

[script:///opt/splunk/etc/apps/Splunk_TA_flowfix/bin/flowfix.sh]
index = netflow
interval = 60
sourcetype = netflow
splunk@ubu1804:~/etc/apps/Splunk_TA_flowfix/local$ cat indexes.conf
[netflow]
homePath = $SPLUNK_DB/netflow/db
coldPath = $SPLUNK_DB/netflow/colddb
thawedPath = $SPLUNK_DB/netflow/thaweddb
Incidentally, the NetFlow listening port is held by nfdump, not by splunkd, so there is nothing to configure on the Splunk side for it. In fact, since the two would conflict over the port, you must not configure a UDP input for it in Splunk.
This dependence on nfdump appears to be the reason the add-on does not run on the Windows platform.
The Cisco 892 config looks like this. It has been a while since I touched one, so I have mostly forgotten the idiomatic way to write the config; please bear with me.
NETFLOW-R1#show run
Building configuration...

Current configuration : 2480 bytes
!
! Last configuration change at 16:58:28 JST Wed Sep 26 2018
! NVRAM config last updated at 16:58:29 JST Wed Sep 26 2018
!
version 15.8
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname NETFLOW-R1
!
boot-start-marker
boot-end-marker
!
enable secret hogehoge
!
no aaa new-model
memory-size iomem 15
clock timezone JST 9 0
!
ip dhcp pool test
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 8.8.8.8
!
no ip domain lookup
ip domain name corp.local
ip cef
no ipv6 cef
!
flow exporter EXPORT-1
 destination 192.168.100.3
 source GigabitEthernet0
 transport udp 2055
!
flow monitor MONITOR-1
 exporter EXPORT-1
 cache timeout active 60
 cache entries 65536
 record netflow ipv4 original-input
!
multilink bundle-name authenticated
!
username admin secret hogehoge
!
redundancy
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address 192.168.100.1 255.255.255.0
 ip flow monitor MONITOR-1 input
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip ssh version 2
!
ipv6 ioam timestamp
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
vstack
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp server 133.243.238.244
!
end
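A small consistency check for the two pieces above: the router's flow exporter must point at the UDP port nfdump listens on, and Splunk's inputs.conf must not carry a [udp://...] stanza for that same port, since the two would fight over it. This is an added example, not code from the post or the add-on; the inputs.conf sample is the one configure.sh wrote, with a deliberately added [udp://2055] stanza so the check has something to find.

```python
import re
from configparser import ConfigParser

# Constructed sample: inputs.conf as configure.sh wrote it, plus a conflicting [udp://2055] stanza.
INPUTS_CONF = """\
[monitor:///opt/splunk/etc/apps/Splunk_TA_flowfix/nfdump-ascii]
index = netflow
sourcetype = netflow
disabled = false
[script:///opt/splunk/etc/apps/Splunk_TA_flowfix/bin/flowfix.sh]
index = netflow
interval = 60
sourcetype = netflow
[udp://2055]
index = netflow
sourcetype = netflow
"""

# Constructed excerpt of the router's 'flow exporter' block.
IOS_CONFIG = """\
flow exporter EXPORT-1
 destination 192.168.100.3
 transport udp 2055
"""

def exporter_ports(ios_text):
    """Map each 'flow exporter' name to [destination, UDP port]."""
    exporters, name = {}, None
    for line in ios_text.splitlines():
        m = re.match(r"flow exporter (\S+)", line)
        if m:
            name = m.group(1)
            exporters[name] = [None, None]
        elif name and line.startswith(" destination "):
            exporters[name][0] = line.split()[1]
        elif name and line.startswith(" transport udp "):
            exporters[name][1] = int(line.split()[2])
    return exporters

def conflicting_udp_inputs(inputs_text, port):
    """Splunk [udp://...] stanzas that would compete with nfdump's listener for the port."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(inputs_text)
    pat = re.compile(r"^udp://(?:[^:]*:)?(\d+)$")   # udp://2055, udp://:2055, udp://host:2055
    return [s for s in cp.sections()
            if (m := pat.match(s)) and int(m.group(1)) == port]

def audit(inputs_text, ios_text):
    return {name: conflicting_udp_inputs(inputs_text, port)
            for name, (_, port) in exporter_ports(ios_text).items()}
```

Running audit(INPUTS_CONF, IOS_CONFIG) reports {'EXPORT-1': ['udp://2055']}; an empty list per exporter is the state you want before restarting splunkd.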
The result
I wonder how it works out the direction of the traffic.
Well, in any case, as long as the data makes it into Splunk you can build whatever dashboards you like, so I think there is no need to buy an expensive collector product.
Starting with this post I tried a different way of quoting, but it came out unintentionally colorful. I would like to find something a bit more subdued.