EventSentry can parse the following flow protocols:
•NetFlow v1
•NetFlow v5
•NetFlow v9
•IPFIX
•sFlow
NetFlow monitoring supports the following functionality:
•Visualization, including geolocation, of all network communication sent through NetFlow
•Real-time alerts for traffic to/from certain IP ranges, countries, states, cities or zip codes
•Correlation with network logon data to associate network traffic with user names (requires monitoring workstations with EventSentry)
NetFlow is a separately licensed component which requires a NetFlow license. NetFlow functionality is available during an evaluation (where NetFlow functionality is automatically enabled) or when at least one NetFlow license is installed.
To activate the NetFlow collector, check the Enable NetFlow Collector check box on the "General" tab and configure either the database or event log feature. The default NetFlow port is 2055, the default sFlow port is 6343. Both can be changed to another port if necessary. After enabling the NetFlow Collector, you can configure your NetFlow devices to forward data to the EventSentry server on the configured NetFlow ports.
Aggregate Flows
To conserve disk space in the database, the NetFlow collector can group multiple flows which are received in close succession. Individual packet details may be lost when this option is activated, but database space is significantly reduced.
Calculate Bandwidth
Determines the bandwidth usage of an interface and offers additional metrics compared to traditional SNMP-based bandwidth monitoring. The bandwidth interval determines how often bandwidth statistics are stored in the database.
•Utilization (in %)
•Bytes
•Packets
•Bytes per Packet
Utilization
Calculating the utilization of an interface requires that the NetFlow component knows the maximum speed of an interface, which it tries to determine automatically via SNMP. The maximum speed of an interface can also be specified using variables if the interface speed cannot be determined, or if the maximum speed of the interface does not reflect the actual available bandwidth (e.g. a router has a 1Gb interface but only 100MBit available). Speeds are set in MBit.
Bandwidth utilization that is less than 0.0001% will always be logged as 0.0001%. If the bandwidth utilization cannot be calculated then a 0% utilization will be logged.
The following variables are supported:
•NFSPEED
•NFSPEED[INTERFACENAME]
In order to set a variable, the NetFlow exporter needs to first be added to a group in the management console, and required SNMP authentication credentials need to be set. Once access to the NetFlow exporter is confirmed (Groups -> Check Status), a variable can be assigned by selecting the NetFlow exporter and clicking "Set Variables" in the ribbon.
The device sending NetFlow data will need to be added to a group in the management console before a variable can be assigned to it. The IP address of the device should be added if reverse lookup is not available in DNS.
To add a new variable, click the Add button and specify both a variable name and value. If the speed is set via the NFSPEED variable, then the configured speed will be applied to any interface on the NetFlow exporter. To set the speed for a specific interface, the interface needs to be appended to the variable name. E.g., to set the maximum available bandwidth of the eth0 interface to 100MBit, the NFSPEEDETH0 variable can be set to 100. Interface names are usually displayed on the host inventory page in the web reports.
Assigning a custom interface speed
The NetFlow component will log the following events under the Network Services event source during start-up to confirm which interface speeds will be effective:
1005: The interface speed was determined via SNMP
1006: The interface speed was determined via a variable
1007: The interface speed could not be determined via SNMP and was not set with a variable, bandwidth utilization cannot be calculated at this time
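The example below is added here and is not EventSentry code; it works through the utilization rules stated above (speed from an NFSPEED variable or from SNMP, utilization never logged below 0.0001%, 0% when no speed is known, events 1005/1006/1007) on a few constructed flow records. The precedence of a per-interface NFSPEED<interface> variable over a plain NFSPEED variable, and of both over SNMP, is an assumption of this example, as are the function names and the shape of the flow records.

```python
"""Added example (not EventSentry code): deriving the four bandwidth metrics
for one interface and one bandwidth interval from NetFlow byte/packet counts."""

# Event IDs documented above for the Network Services event source.
EVT_SPEED_SNMP = 1005
EVT_SPEED_VARIABLE = 1006
EVT_SPEED_UNKNOWN = 1007

MIN_LOGGED_UTILIZATION = 0.0001  # percent; anything lower is logged as this


def resolve_speed_mbit(interface, variables, snmp_speed_mbit):
    """Return (speed in MBit or None, event id to log).

    Precedence is an assumption of this example: NFSPEED<IFACE> variable,
    then plain NFSPEED variable, then the speed reported via SNMP.
    """
    per_if = variables.get("NFSPEED" + interface.upper())
    if per_if is not None:
        return float(per_if), EVT_SPEED_VARIABLE
    generic = variables.get("NFSPEED")
    if generic is not None:
        return float(generic), EVT_SPEED_VARIABLE
    if snmp_speed_mbit:
        return float(snmp_speed_mbit), EVT_SPEED_SNMP
    return None, EVT_SPEED_UNKNOWN


def utilization_percent(bytes_in_interval, interval_seconds, speed_mbit):
    """Utilization (%) over one bandwidth interval.

    0.0 when no usable speed is known (cannot be calculated),
    otherwise never below 0.0001 as described above.
    """
    if speed_mbit is None or speed_mbit <= 0 or interval_seconds <= 0:
        return 0.0
    bits = bytes_in_interval * 8
    capacity_bits = speed_mbit * 1_000_000 * interval_seconds
    pct = bits / capacity_bits * 100.0
    return max(pct, MIN_LOGGED_UTILIZATION)


def interval_metrics(flows, interface, interval_seconds, variables, snmp_speed_mbit):
    """Aggregate flow dicts ('interface', 'bytes', 'packets') for one interface
    into utilization, bytes, packets and bytes per packet."""
    mine = [f for f in flows if f["interface"] == interface]
    total_bytes = sum(f["bytes"] for f in mine)
    total_packets = sum(f["packets"] for f in mine)
    speed, event_id = resolve_speed_mbit(interface, variables, snmp_speed_mbit)
    return {
        "event_id": event_id,
        "speed_mbit": speed,
        "utilization": utilization_percent(total_bytes, interval_seconds, speed),
        "bytes": total_bytes,
        "packets": total_packets,
        "bytes_per_packet": (total_bytes / total_packets) if total_packets else 0.0,
    }


# Constructed sample flows for one 60-second interval; not captured from a real exporter.
SAMPLE_FLOWS = [
    {"interface": "eth0", "bytes": 75_000_000, "packets": 50_000},
    {"interface": "eth0", "bytes": 75_000_000, "packets": 50_000},
    {"interface": "eth1", "bytes": 1_500, "packets": 1},
]

if __name__ == "__main__":
    # eth0: SNMP reports 1000 MBit, but only 100 MBit is really available,
    # so NFSPEEDETH0=100 overrides SNMP (event 1006) and utilization is 20%.
    print(interval_metrics(SAMPLE_FLOWS, "eth0", 60, {"NFSPEEDETH0": "100"}, 1000))
    # eth1: no SNMP answer and no variable -> event 1007, utilization logged as 0%.
    print(interval_metrics(SAMPLE_FLOWS, "eth1", 60, {}, None))
```

The eth0 case is the router situation mentioned above (a 1 GBit interface with 100 MBit actually available): without the variable the same traffic would be reported as 2% utilization, which is why checking for event 1005 versus 1006 at start-up matters.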
Bytes
Stores the number of bytes that were sent and received by the interface during the collection interval.
Packets
Stores the number of packets that were sent and received by the interface during the collection interval.
Bytes per Packet
Calculates the average packet size during the collection interval.
Monitoring the average packet size can be useful to identify unusual activity on a network, e.g. if the average size is unusually high or low.
Authorized IP Addresses / Networks
For enhanced security you will have to specify from which hosts the NetFlow collector will accept packets; packets from any other source are not accepted. Host names are not allowed in this list, only IP addresses may be specified; CIDR notation is supported.
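The following is an added example, not EventSentry code, of how such an authorized-source list can be applied to incoming collector datagrams: entries must be IP addresses or CIDR networks (a host name is rejected at configuration time), and a datagram is accepted only if its source address falls inside one of the entries. The function names and the sample addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32) are constructed for this example.

```python
"""Added example (not EventSentry code): allowlisting NetFlow/sFlow sources by
IP address or CIDR network, rejecting host names in the configured list."""
import ipaddress


def parse_authorized_list(entries):
    """Convert configured strings into ip_network objects.

    Raises ValueError for anything that is not an IP address or CIDR network,
    e.g. a host name, which the collector does not accept in this list.
    """
    networks = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            # strict=False lets '198.51.100.7/24' denote the containing /24.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR network: {entry!r}") from exc
    return networks


def is_valid_entry(entry):
    """True if the entry would be accepted by parse_authorized_list."""
    try:
        parse_authorized_list([entry])
        return True
    except ValueError:
        return False


def is_authorized(source_ip, networks):
    """True if the datagram source lies in any authorized network.
    An IPv4 address never matches an IPv6 network and vice versa."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def filter_datagrams(datagrams, networks):
    """Split (source_ip, payload) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, payload in datagrams:
        (accepted if is_authorized(src, networks) else dropped).append((src, payload))
    return accepted, dropped


# Constructed sample configuration and datagrams, not taken from a real deployment.
AUTHORIZED = ["192.0.2.10", "198.51.100.0/24", "2001:db8::/32"]
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b"netflow-v5"),      # exact address match
    ("198.51.100.77", b"ipfix"),        # inside the /24
    ("203.0.113.5", b"unexpected"),     # not listed -> dropped
    ("2001:db8:1::1", b"sflow"),        # inside the IPv6 /32
]


def accepted_sources():
    nets = parse_authorized_list(AUTHORIZED)
    return [src for src, _ in filter_datagrams(SAMPLE_DATAGRAMS, nets)[0]]


def dropped_sources():
    nets = parse_authorized_list(AUTHORIZED)
    return [src for src, _ in filter_datagrams(SAMPLE_DATAGRAMS, nets)[1]]


if __name__ == "__main__":
    print("accepted:", accepted_sources())
    print("dropped:", dropped_sources())
    print("host name allowed?", is_valid_entry("router.example.com"))  # False
```

Keep in mind that NetFlow, IPFIX and sFlow are sent over UDP, so the source address of a datagram is not authenticated; the list stops stray or misconfigured exporters from polluting the database, but an attacker on the path who can spoof an authorized address is not stopped by it.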