Netflow from Fortigate


(Decard Shaw) #1

Hi guys!
I have Graylog 2.4.5+8e18e6a with a NetFlow input, and I send NetFlow from a Fortinet 60D to it.
The plugin doesn’t work correctly, because I get messages in a suspicious format:

Summary

2018-07-19 13:35:20.000 172.27.99.1
NetFlowV9 [68.0.0.0]:443 <> [0.12.68.64]:62215 proto:17 pkts:2 bytes:2756
2018-07-19 13:35:20.000 172.20.99.1
NetFlowV9 [68.0.0.63]:53 <> [67.12.4.64]:27660 proto:17 pkts:1 bytes:80
2018-07-19 13:35:20.000 172.27.99.1
NetFlowV9 [68.0.0.158]:60937 <> [120.12.85.64]:443 proto:6 pkts:0 bytes:0
2018-07-19 13:35:20.000 172.20.99.1
NetFlowV9 [68.0.0.70]:64789 <> [203.12.12.64]:8085 proto:6 pkts:6 bytes:1526
2018-07-19 13:35:20.000 172.27.99.1
NetFlowV9 [68.0.0.0]:443 <> [0.12.76.64]:45450 proto:6 pkts:2 bytes:112
2018-07-19 13:35:20.000 172.27.99.1
NetFlowV9 [68.0.0.0]:56534 <> [0.12.68.64]:443 proto:17 pkts:2 bytes:1445
2018-07-19 13:35:20.000 172.27.99.1
NetFlowV9 [68.0.0.0]:56083 <> [0.14.4.195]:53 proto:17 pkts:0 bytes:0
2018-07-19 13:35:20.000 172.20.99.1
NetFlowV9 [68.0.0.63]:56870 <> [67.12.4.64]:53 proto:17 pkts:2 bytes:122
2018-07-19 13:35:19.000 172.20.99.1
NetFlowV9 [68.0.0.0]:10050 <> [0.12.12.64]:51478 proto:6 pkts:4 bytes:240

IP fields don't extract correctly…
Thanks!

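Before filing the bug report Jochen asks for, it helps to show how many of the rendered records are implausible rather than just "look wrong". The following Python checker is an added example, not code from the original post or from the Graylog plugin: it parses summary lines in the exact shape pasted above and flags records whose endpoints fall in 0.0.0.0/8 or reserved space, or whose counters cannot describe real traffic. The SAMPLE text is constructed from three of the pasted records plus one ordinary flow for contrast.

```python
import ipaddress
import re

# Shape of the summary line Graylog renders for a NetFlow v9 record, as pasted above:
#   NetFlowV9 [src]:sport <> [dst]:dport proto:N pkts:N bytes:N
FLOW_RE = re.compile(
    r"NetFlowV9 \[(?P<src>[^\]]+)\]:(?P<sport>\d+) <> "
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) proto:(?P<proto>\d+) "
    r"pkts:(?P<pkts>\d+) bytes:(?P<bytes>\d+)"
)

# Constructed sample: three of the pasted records plus one plausible flow for contrast.
SAMPLE = """\
NetFlowV9 [68.0.0.0]:443 <> [0.12.68.64]:62215 proto:17 pkts:2 bytes:2756
NetFlowV9 [68.0.0.63]:53 <> [67.12.4.64]:27660 proto:17 pkts:1 bytes:80
NetFlowV9 [68.0.0.158]:60937 <> [120.12.85.64]:443 proto:6 pkts:0 bytes:0
NetFlowV9 [10.1.2.3]:51000 <> [93.184.216.34]:443 proto:6 pkts:12 bytes:4096
"""

def parse_summary(text):
    """Return one dict per matching summary line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "proto", "pkts", "bytes"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def record_problems(rec):
    """Plausibility failures for one record; each one is worth citing in a bug report."""
    problems = []
    for side in ("src", "dst"):
        ip = ipaddress.ip_address(rec[side])
        if ip in ipaddress.ip_network("0.0.0.0/8"):
            problems.append(f"{side} {ip} lies in 0.0.0.0/8 ('this network'), not a routable endpoint")
        elif ip.is_reserved or (ip.is_multicast and side == "src"):
            problems.append(f"{side} {ip} is reserved address space or a multicast source")
    if rec["pkts"] == 0:
        problems.append("flow reports zero packets")
    elif rec["bytes"] < 20 * rec["pkts"]:
        problems.append("fewer bytes than one minimal IPv4 header per packet")
    return problems

def suspicious_records(text):
    """(record, problems) for every record that fails at least one plausibility check."""
    return [(r, record_problems(r)) for r in parse_summary(text) if record_problems(r)]
```

Running `suspicious_records(SAMPLE)` flags the first record (destination in 0.0.0.0/8) and the third (zero packets) while passing the other two; pasting the full Graylog export into SAMPLE gives a count of affected records to attach alongside the pcap.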

(Jochen) #2

Please create a bug report at https://github.com/Graylog2/graylog2-server/issues and include some captured Netflow traffic from your Fortinet device as a pcap file.

You can capture the packets with Wireshark or tcpdump.


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.