NetFlow, IPFIX, and J-Flow Collection
A LogRhythm System Monitor Pro or Collector Agent can be used to collect NetFlow, IPFIX, and J-Flow traffic. Because Cisco NetFlow, IPFIX, and Juniper J-Flow share the same format per RFC 5101, J-Flow collection can be achieved by using the NetFlow settings.
LogRhythm supports the following NetFlow versions:
NetFlow v1 and v5
NetFlow v9 (full support)
IPFIX/NetFlow v10 (limited support)
While IPFIX packets (NetFlow v10) are accepted, the implementation primarily supports NetFlow v9 templates within the IPFIX framework. Full IPFIX functionality including all enterprise-specific extensions may require additional configuration.
General Network Requirements for NetFlow or J-Flow Collection
The UDP port 5500 must be open from the remote system to the monitoring system.
NetFlow v9 Considerations
Using the Verbose Setting
NetFlow v9 packets may contain data records in formats that require a template record to be parsed. To collect the additional raw fields available in NetFlow v9, enable the NetFlowVerbose check box in the System Monitor Advanced Properties (it is OFF by default). However, enabling NetFlowVerbose may impact the performance of search and view utilities such as Personal Dashboard, Tail, Investigate, and Log Miner.
Depending on the type of device and its NetFlow configuration, data records may be exported rapidly, while the associated templates are exported at an interval between one minute and six hours (the default is 30 minutes). Although Cisco recommends that collectors keep the data records until the template is received, LogRhythm drops incoming flow data records until the template is received.
If you experience unusual or unacceptable slowdowns after enabling NetFlowVerbose, you may need to disable it.
Debug
NetFlow v9 is a self-describing format that uses template records to decode data records. NetFlow v9 exporters may be configured to send template records at intervals as long as 30 minutes. NetFlow v9 collectors, such as the System Monitor, cannot decode a data record until it has received the corresponding template. Therefore, there may be a delay until NetFlow v9 log messages begin to appear. If you wish to gain visibility into the NetFlow v9 listener, open the System Monitor Advanced Properties and set the LogLevel to Debug. In debug mode, the scsm.log file contains detailed information about the contents of NetFlow v9 packets as they are received.
NetFlow v10 Considerations
When IPFIX (NetFlow v10) packets are received:
The system processes them through the dedicated IPFIX processor;
NetFlow v9 compatible templates within IPFIX are extracted and used for parsing;
Enterprise-specific fields are processed if a matching schema file is available; and
Templates are stored in memory but may need to be re-transmitted after system restarts.
NetFlow v10 is only supported by LogRhythm in a limited capacity. If you are experiencing issues with v10 packets, we recommend switching to v9.
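The template-dependent decoding described in the NetFlow v9 Considerations section, and the IPFIX processing steps listed above, can be seen end to end in the following added example. It is illustrative code written for this page, not LogRhythm's System Monitor implementation, and it assumes a collector that receives raw UDP payloads (the UDP 5500 listener socket itself is left out; feed() takes one datagram payload and the exporter address). The packets, the exporter addresses, and the enterprise field (private enterprise number 9999, element 42) are all constructed for the demonstration. The decoder caches templates per exporter and source/observation domain ID, handles both the v9 header (version 9, template FlowSet ID 0) and the IPFIX header (version 10, template Set ID 2), and drops a data set whose template has not yet been seen, which is the behaviour the page attributes to LogRhythm.

```python
import struct

# IANA IPFIX information element IDs used by the constructed templates below
IE_NAMES = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address"}


class FlowCollector:
    """NetFlow v9 / IPFIX decoder that caches templates per exporter and domain;
    data sets whose template is still unknown are dropped, as the page describes."""

    def __init__(self):
        self.templates = {}    # (exporter, domain, template_id) -> [((ie, pen), length), ...]
        self.records = []      # decoded flow records as dicts
        self.dropped_sets = 0  # data sets discarded because no template was known

    def feed(self, exporter, packet):
        """Process one UDP payload received from `exporter` (an address string)."""
        version = struct.unpack("!H", packet[:2])[0]
        if version == 9:     # header: version, count, sysUptime, unixSecs, sequence, sourceId
            domain = struct.unpack("!HIIII", packet[2:20])[4]
            body, template_set_id = packet[20:], 0
        elif version == 10:  # header: version, length, exportTime, sequence, observationDomainId
            length, _, _, domain = struct.unpack("!HIII", packet[2:16])
            body, template_set_id = packet[16:length], 2
        else:
            raise ValueError(f"unsupported export version {version}")
        offset = 0
        while offset + 4 <= len(body):
            set_id, set_len = struct.unpack("!HH", body[offset:offset + 4])
            if set_len < 4:
                raise ValueError("malformed set length")
            payload = body[offset + 4:offset + set_len]
            if set_id == template_set_id:
                self._parse_templates(exporter, domain, payload)
            elif set_id >= 256:
                self._parse_data(exporter, domain, set_id, payload)
            # options templates (v9 set 1, IPFIX set 3) are skipped in this example
            offset += set_len

    def _parse_templates(self, exporter, domain, payload):
        off = 0
        while off + 4 <= len(payload):
            tid, nfields = struct.unpack("!HH", payload[off:off + 4])
            off, fields = off + 4, []
            for _ in range(nfields):
                ie, ln = struct.unpack("!HH", payload[off:off + 4])
                off, pen = off + 4, 0
                if ie & 0x8000:  # IPFIX enterprise bit: a 4-byte enterprise number follows
                    pen, off, ie = struct.unpack("!I", payload[off:off + 4])[0], off + 4, ie & 0x7FFF
                fields.append(((ie, pen), ln))
            self.templates[(exporter, domain, tid)] = fields

    def _parse_data(self, exporter, domain, tid, payload):
        tmpl = self.templates.get((exporter, domain, tid))
        if tmpl is None:
            self.dropped_sets += 1  # without the template we cannot even count the records
            return
        rec_len, off = sum(ln for _, ln in tmpl), 0  # fixed-length fields only in this example
        while off + rec_len <= len(payload):  # any trailing bytes are set padding
            rec = {}
            for (ie, pen), ln in tmpl:
                raw, off = payload[off:off + ln], off + ln
                name = IE_NAMES.get(ie, f"ie{ie}") if pen == 0 else f"pen{pen}/ie{ie}"
                is_ipv4 = pen == 0 and ie in (8, 12) and ln == 4
                rec[name] = ".".join(map(str, raw)) if is_ipv4 else int.from_bytes(raw, "big")
            self.records.append(rec)


# Helpers that build constructed export packets (not captured from a real device).
def template_set(set_id, tid, fields):  # fields: [(ie, length, pen_or_None), ...]
    body = struct.pack("!HH", tid, len(fields))
    for ie, ln, pen in fields:
        body += struct.pack("!HH", ie, ln) if pen is None else struct.pack("!HHI", ie | 0x8000, ln, pen)
    return struct.pack("!HH", set_id, 4 + len(body)) + body

def data_set(tid, records):
    return struct.pack("!HH", tid, 4 + sum(map(len, records))) + b"".join(records)

def v9_packet(source_id, seq, flowsets):
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 0, seq, source_id) + b"".join(flowsets)

def ipfix_packet(domain, seq, sets):
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, seq, domain) + body

def flow_record(src, dst, sport, dport, proto, octets):
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBI", sport, dport, proto, octets)

FIELDS = [(8, 4, None), (12, 4, None), (7, 2, None), (11, 2, None), (4, 1, None), (1, 4, None)]


def demo():
    """Replays the template-before-data situation the page describes; returns the collector."""
    c = FlowCollector()
    rec = flow_record("10.0.0.5", "192.0.2.10", 51515, 443, 6, 1500)
    c.feed("10.0.0.1", v9_packet(1, 1, [data_set(256, [rec])]))          # 1. data before template: dropped
    c.feed("10.0.0.1", v9_packet(1, 2, [template_set(0, 256, FIELDS)]))  # 2. template 256 finally exported
    c.feed("10.0.0.1", v9_packet(1, 3, [data_set(256, [rec])]))          # 3. same data again: decoded
    # 4. IPFIX exporter carrying a constructed enterprise field (PEN 9999, element 42) in one message
    c.feed("10.0.0.2", ipfix_packet(5, 1, [template_set(2, 300, FIELDS + [(42, 2, 9999)]),
                                           data_set(300, [rec + struct.pack("!H", 7)])]))
    return c
```

Running demo() leaves one dropped set (the v9 data that arrived before template 256) and two decoded records, one from each exporter. Because templates live only in memory, a counter like dropped_sets climbs after every collector restart until each exporter resends its templates; watching that counter, or the scsm.log debug output the page mentions, is the quickest way to tell a template delay from a network or port 5500 problem.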
IPFIX Limitations and Best Practices
For best results with IPFIX sources, configure them to use NetFlow v9 compatible templates where possible. For vendor-specific IPFIX implementations, verify field compatibility using packet capture tools. Template records may be sent at intervals of up to 30 minutes, and data records cannot be processed until the corresponding template has arrived.
If experiencing issues with IPFIX sources, try configuring them to use standard NetFlow v9 when available.