A LogRhythm System Monitor Pro or Collector Agent can be used to collect NetFlow, IPFIX, and J-Flow traffic. Because Cisco NetFlow, IPFIX, and Juniper J-Flow share the same format per RFC-5101, J-Flow collection can be achieved by using the NetFlow settings.
LogRhythm supports the following versions:
- NetFlow v5, v9
- J-Flow v5, v9
General Network Requirements for NetFlow or J-Flow Collection
The UDP port 5500 must be open from the remote system to the monitoring system.
NetFlow v9 Considerations
Using the Verbose Setting
NetFlow v9 packets may contain data record formats that require a template record to be parsed. To collect the additional raw fields available in NetFlow v9, you can enable the NetFlowVerbose check box in the System Monitor Advanced Properties; it is off by default. However, enabling NetFlowVerbose may impact performance for search and view utilities such as Personal Dashboard, Tail, Investigate, and Log Miner.
Depending on the type of device and the NetFlow configuration, data records may be exported rapidly, but the associated templates are exported at an interval between one minute and six hours; the default is 30 minutes. Although Cisco recommends that collectors keep data records until the matching template is received, LogRhythm drops incoming flow data records until the template arrives.
If you experience unusual or unacceptable slowdowns after enabling NetFlowVerbose, you may need to disable it.
NetFlow v9 is a self-describing format that uses template records to decode data records. NetFlow v9 exporters may be configured to send template records at intervals as long as 30 minutes. NetFlow v9 collectors, such as the System Monitor, cannot decode a data record until it has received the corresponding template. Therefore, there may be a delay until NetFlow v9 log messages begin to appear. If you wish to gain visibility into the NetFlow v9 listener, open the System Monitor Advanced Properties and set the LogLevel to Debug. In debug mode, the scsm.log file contains detailed information about the contents of NetFlow v9 packets as they are received.
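The template dependence described above, shown as an added example that is not LogRhythm's code and not part of this page: a minimal NetFlow v9 decoder in Python that caches template flowsets per exporter and drops any data flowset whose template has not yet been received, the same policy the text attributes to the System Monitor. Field type numbers come from the NetFlow v9 specification (RFC 3954); the packet builders, addresses and counters below are constructed for the demonstration, and the NetFlowV9Collector class and build_* helper names are this example's own.

```python
import struct
import ipaddress

# NetFlow v9 field type numbers (RFC 3954, section 8). Only the handful used here.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
IPV4_FIELDS = {8, 12}


class NetFlowV9Collector:
    """Hypothetical minimal collector: caches templates keyed by (source_id, template_id),
    decodes data flowsets whose template is known, and counts the rest as dropped."""

    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(field_type, length), ...]
        self.dropped = 0      # data flowsets discarded because no template was cached yet
        self.flows = []       # every decoded flow record, in arrival order

    def ingest(self, packet: bytes):
        # 20-byte export header: version, count, sysUptime, unixSecs, sequence, sourceId
        version, _count, _uptime, _unix_secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"unsupported NetFlow version {version}")
        offset, decoded = 20, []
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4:
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:                      # template flowset
                self._parse_templates(source_id, body)
            elif flowset_id > 255:                   # data flowset, id names its template
                decoded.extend(self._parse_data(source_id, flowset_id, body))
            # ids 1..255 (options templates) are ignored in this example
            offset += length
        self.flows.extend(decoded)
        return decoded

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(field_count):
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            self.dropped += 1                        # no template yet: record is dropped
            return []
        record_len = sum(flen for _, flen in fields)
        records, pos = [], 0
        while pos + record_len <= len(body):         # leftover bytes are 4-byte padding
            record = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in IPV4_FIELDS and flen == 4:
                    record[name] = str(ipaddress.IPv4Address(raw))
                else:
                    record[name] = int.from_bytes(raw, "big")
            records.append(record)
        return records


# --- constructed exporter-side packets for the demonstration ---------------
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]


def _header(count, source_id=1, seq=0):
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, source_id)


def build_template_packet():
    body = struct.pack("!HH", 256, len(TEMPLATE_256))
    for ftype, flen in TEMPLATE_256:
        body += struct.pack("!HH", ftype, flen)
    return _header(1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(flows):
    body = b""
    for src, dst, sport, dport, proto, nbytes, npkts in flows:
        body += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        body += struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)
    body += b"\x00" * ((-len(body)) % 4)             # pad flowset to a 4-byte boundary
    return _header(len(flows)) + struct.pack("!HH", 256, 4 + len(body)) + body


def demo():
    """Data arrives before its template (dropped), template arrives, data is resent (decoded)."""
    c = NetFlowV9Collector()
    flows = [("10.0.0.5", "192.0.2.10", 51000, 443, 6, 1500, 10),
             ("10.0.0.7", "192.0.2.20", 53000, 53, 17, 120, 1)]
    data = build_data_packet(flows)
    before = c.ingest(data)                          # -> [] and c.dropped == 1
    c.ingest(build_template_packet())
    after = c.ingest(data)                           # -> two decoded records
    return before, after, c.dropped


if __name__ == "__main__":
    print(demo())
```

Running demo() reproduces the delay the text describes: the first data packet yields nothing and is counted as dropped, and only after the template flowset has been cached does the identical packet decode into flow records. The same ordering is what you would look for in scsm.log with LogLevel set to Debug.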