Setup Netflow Record integration

[nomadicnerd42]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32GB

Storage for /

300GB

Storage for /nsm

2T

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hi everyone!

I am still new to setting up Elastic Fleet, so apologies if this is a simple question.
My Grid consists of 4 nodes (a Manager, a Search Node, a Fleet Server hosted in my DMZ, and a Forward Node; each exceed the minimum requirements).

I am trying to setup an Integration to collect Netflow logs from a few network devices. As of right now, I have modified the "FleetServer-$ManagerName" agent policy in Fleet (where $ManagerName is the name of the Manager Node) to add a Netflow integration with default settings, except the UDP listening host is set to "0.0.0.0", and the UDP listening port is 2055.

My understanding (based on consulting the documentation) is that if an integration receives logs from another device, then the integration should be added to the appropriate "FleetServer..." policy. Ideally, since the devices that would be sending netflow logs to SO are on my internal network, I'd prefer to send them to the Fleet Server running on the Manager, instead of having to traverse the DMZ.

After force-synchronizing the Grid (and waiting an hour), I used nmap to double-check to see if the port (2055/UDP) is open on the Manager, and it was not. I used this nmap command:
'''sudo nmap -sU -p 0-3000 $IPofManager '''

I also took a look in /opt/so/logs/elasticfleet, and in the most recent logfile, I searched for any failures/errors, and came up with a few results (that are included in the attached .txt file), in case those help to give more clues about what might be going on.

Does anyone happen to know what I may have done wrong, or have any recommendations/guidance on how to get the integration working correctly and opening the appropriate port on the Manager?

Also, attached is the full output of the Elastic Fleet/Agent output file for today, in case it would be helpful. Bear in mind that it is quite long.

Thank you in advance!

Full_Ouput_elastic-agent-20240220.txt

ElasticFleet_Troubleshooting_Output.txt

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[TotieBash]

You need to open firewall. Use this pfsense instruction for reference. Change the port to Netflow port 2055.
https://docs.securityonion.net/en/2.4/pfsense.html#elastic-integration-for-pfsense

I use SO Standalone so my firewall path is below:
Firewall > role > standalone > chain > INPUT > hostgroups > customhostgroup0 > portgroups

Use #12055 #12245 also for reference.
When you finish can you issue the following command on the SO manager. Take a screenshot and send it here.

1. "ss -tulpn | grep 2055" # This will show if your system is listening on udp:2055
2. "iptables --list -n | grep 2055" # This will show if iptables is open for udp:2055

[nomadicnerd42]

@TotieBash , thanks for the tips!

Yesterday evening, I followed the instructions for the pfSense integration, but modified it as appropriate for netflow. (The agent policy was applied to "FleetServer_$ManagerName"). After deploying that policy, I re-synced the grid, and even then, it looked like iptables was letting the port through, but the system was not listening on UDP/2055.

Earlier today, I took another look at the agent policies, and applied the same integration to "so-grid-nodes_general", re-synced the grid, and it now looks like the system is both listening on UDP/2055, and iptables is permitting traffic through UDP/2055 as well.

I will give this all a try tomorrow on the prod server, and update you all.

Thanks again!

[TotieBash]

happy to hear that the info is helping... The only other thing I do is use tcpdump to make sure they are all coming in. For example, like you, I also initially permitted 10.0.0.0/8 for my Cisco_ios logs on port 9002. However after looking at tcpdump I realize the source-ip that cisco was using was a loopback ip which is a 172.16.10.0/24 ip address. What I am saying is, tcpdump is handy to verify that the packets are coming in the wire.. I now I change my firewll port to permit 0.0.0.0/0 for udp:9002 to cover everything. I use the following tcpdump syntax, with ens192 as my management interface.

tcpcump -i ens192 -nnA port 2055

[nomadicnerd42]

Just circling back to update everyone; the instructions that TotieBash gave worked well. I can now see netflow logs in Elastic. Closing this post now.