Splunk NetFlow Support : Vendor Comparison

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.


You are in luck, because you have several options for getting Splunk NetFlow support. I know of three; however, there are probably more. This post will list them all and discuss the benefits of each.


[Image: Splunk NetFlow support]

3) NFDUMP: This add-on allows a Splunk software administrator to receive and convert IPFIX flow information from compatible network gear. You can analyze the packet capture data directly or use it as a contextual data feed to correlate with other vulnerability-related data in the Splunk platform. Get ready to manually load templates (e.g. Citrix NetScaler) for the appropriate vendors, else incoming flows will look like garbage. You may need to load apps for different vendors. Scaling up the solution with multiple vendors and tens of thousands or hundreds of thousands of flows per second could be an issue. Also, I found no information about cross-template reporting, which is very important with advanced NetFlow and IPFIX exports like Cisco NBAR (AVC).


2) Flow Logic’s NetFlow Integrator: With this solution, you must send the flows to NetFlow Integrator (NFI) first, which will preprocess the flows for Splunk. The good news is that it lightens the load on the Splunk server. The Splunk/NFI integration process is well documented but, remember, you never have all of the data when viewing it in Splunk, which can make forensic investigations difficult. They offer a 30-day trial, as does the vendor below.


1) Plixer’s Scrutinizer: Similar to NFI, summarized information is placed into Splunk as shown in the image above. However, when the user wants to gain access to 100% of the data and take advantage of powerful filtering with Boolean expressions, Scrutinizer is the enterprise NetFlow and IPFIX system for Splunk. Convenience links are placed in the Splunk NetFlow dashboard to get back to all of the data on the Scrutinizer server. The distributed nature of the Scrutinizer architecture combined with the central interface for graphical representation of the data is first rate. The Splunk NetFlow integration is documented in both blogs and on YouTube. Contact the vendor for a more integrated solution.
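The NFDUMP item above warns that incoming flows "look like garbage" until the right templates are loaded. The reason is structural: an IPFIX data set carries only a set ID and raw bytes, and the collector can only interpret those bytes once it has seen the template record with that ID. The following Python collector is an added example (not code from this post, from Plixer, from Flow Logic or from the NFDUMP add-on): it parses the RFC 7011 message and set headers, caches templates per observation domain, and counts data sets that arrive before their template as undecodable. The Information Element IDs are real IANA assignments; the template, observation domain ID and packet bytes are constructed for the demo.

```python
import struct
from typing import Dict, List, Tuple

# IANA Information Element IDs used by the constructed template (RFC 7012 / IANA IPFIX registry).
IE_NAMES = {
    1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
    8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address",
}
IPV4_IES = {8, 12}


class TemplateCache:
    """Minimal IPFIX collector: templates are keyed by (observation domain, template ID)."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.undecodable = 0  # data sets dropped because their template was not known yet

    def decode_message(self, msg: bytes) -> List[dict]:
        # Message header: version(2) length(2) export time(4) sequence(4) observation domain(4)
        version, length, _export_time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        records: List[dict] = []
        off = 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            body = msg[off + 4:off + set_len]
            if set_id == 2:                      # template set
                self._parse_template_set(domain, body)
            elif set_id >= 256:                  # data set; set ID names the template
                key = (domain, set_id)
                if key not in self.templates:
                    self.undecodable += 1        # bytes cannot be interpreted: the "garbage" case
                else:
                    records.extend(self._parse_data_set(self.templates[key], body))
            off += set_len
        return records

    def _parse_template_set(self, domain: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            template_id, count = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(count):
                ie_id, flen = struct.unpack("!HH", body[off:off + 4])
                off += 4
                if ie_id & 0x8000:               # enterprise-specific IE: 4-byte enterprise number follows
                    ie_id &= 0x7FFF
                    off += 4
                fields.append((ie_id, flen))
            self.templates[(domain, template_id)] = fields

    @staticmethod
    def _parse_data_set(fields: List[Tuple[int, int]], body: bytes) -> List[dict]:
        rec_len = sum(flen for _, flen in fields)
        records, off = [], 0
        while off + rec_len <= len(body):        # trailing bytes shorter than a record are padding
            rec = {}
            for ie_id, flen in fields:
                chunk = body[off:off + flen]
                off += flen
                name = IE_NAMES.get(ie_id, f"ie{ie_id}")
                rec[name] = ".".join(str(b) for b in chunk) if ie_id in IPV4_IES else int.from_bytes(chunk, "big")
            records.append(rec)
        return records


def build_template_set(template_id: int, fields: List[Tuple[int, int]]) -> Tuple[int, bytes]:
    body = struct.pack("!HH", template_id, len(fields))
    for ie_id, flen in fields:
        body += struct.pack("!HH", ie_id, flen)
    return 2, body


def build_message(domain: int, sets: List[Tuple[int, bytes]], seq: int = 0) -> bytes:
    payload = b"".join(struct.pack("!HH", sid, len(body) + 4) + body for sid, body in sets)
    return struct.pack("!HHIII", 10, 16 + len(payload), 0, seq, domain) + payload


def demo() -> Tuple[List[dict], List[dict], int]:
    """Constructed exporter traffic: a data set that arrives before its template, then again after."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]   # 21-byte record
    record = (bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10])
              + struct.pack("!HHB", 51000, 443, 6) + struct.pack("!Q", 1500))
    data_msg = build_message(7, [(256, record)], seq=1)
    tmpl_msg = build_message(7, [build_template_set(256, fields)], seq=0)
    cache = TemplateCache()
    early = cache.decode_message(data_msg)   # no template yet: nothing decodable
    cache.decode_message(tmpl_msg)
    late = cache.decode_message(data_msg)    # same bytes now decode into named fields
    return early, late, cache.undecodable


if __name__ == "__main__":
    print(demo())
```

The same state problem is why vendor-specific exports (the Citrix NetScaler case the post mentions) need their templates known to the collector: a template ID is only meaningful within one exporter's observation domain, so a collector that keys templates globally, or that has no template at all, will either misdecode or drop the records.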

There are several reasons you want to keep the majority of the flow data out of Splunk and in a system that is optimized for flows:

I) Performance: Flow data is chatty, and 20,000 flows per second is easy to reach on medium-sized networks. Since flow volumes tend to grow, an architecture that can handle over 100K flows per second per appliance could become important. Pushing all of this data to a Splunk cluster could crush it.

II) Forensics: Third-party solutions tend to focus more on what is possible with NetFlow and IPFIX. They offer richer reporting options and greater support for unique vendor exports. The filtering also tends to be much more powerful.

III) Support: A vendor focusing on NetFlow and IPFIX tends to provide better support. From what I’ve seen, these add-ons also offer an easier setup and configuration process.

I hope the above helps you with your decision. 

