NetFlow Monitoring Configuration

Applies to Product: USM Appliance™ AlienVault OSSIM®

Many external NetFlow sources (such as routers and switches) have NetFlow capabilities already defined in their operating firmware and usually require only some minimal configuration to enable it. NetFlow collection is entirely dependent upon having visibility to traffic traversing the network, which means the routers and switches that traffic flows over. There are two ways to acquire this, with both options supported by AlienVaultUSM Appliance:

  • Method 1: A network device is configured with a SPAN/Mirror port to clone all traffic to a single port, which is attached to an existing USM Appliance Sensor. The USM Appliance Sensor, connected to the SPAN port, generates NetFlow data from the observed network traffic.
  • Method 2: Network devices are configured to generate NetFlow data, and then transmit it directly to USM Appliance Server (through a pseudo or "dummy" configured USM Appliance sensor). NetFlow data is sent from the NetFlow source to the dummy sensor, which transmits the NetFlow data to the USM Appliance Server.
  • After configuring the USM Appliance sensor, configure network devices to send NetFlow data to the USM Appliance dummy sensor. Use the same port to send NetFlow data as configured for the dummy sensor. This task is vendor-specific. Consult your network device vendor documentation for instructions on how to configure NetFlow on a network device.

These two options are not mutually exclusive, so USM Appliance deployments can incorporate both methods of NetFlow data collection and generation.

Important: Be aware that when you enable NetFlow collection in USM Appliance, the flow data is kept in the file system consuming space. By default, USM Appliance stores flows for 45 days in /var/cache/nfdump/flows. For more information, see Back Up and Restore NetFlow Data