NetFlow: netflow9_definitions_Path

I’m trying to configure custom NetFlowV9 definitions via a *.yml file.

Is there a specific format for the “netflow9_definitions_Path” ?


Any time I edit the empty text box on the NetFlow UDP input I receive a red error banner across the bottom of the page (HTTP server error/500?).

If I leave the “netflow9_definitions_Path” empty everything works as it should, with one exception: I would prefer custom names for some of the fields.

Where is Graylog’s default “netflow9.yml” file?
How do I input a path correctly using the edit input page?

I’m using: Graylog 3.3.8+e223f85 on graylog (Private Build 1.8.0_275 on Linux 5.4.0-53-generic)

Hello,

AFAIK this is the default NetFlow yml file: https://github.com/Graylog2/graylog2-server/blob/master/graylog2-server/src/main/resources/netflow9.yml
I messed with this once a long time ago, so I’m not sure if anything has changed, but using that as a starting point worked as far as I remember. I ended up doing a lot of extra processing in pipelines anyway and discarding most of my work there.

Thanks. I’ve found that file too in the Graylog GitHub source, but where does the file live on the OS, and how do we point to a custom netflow9.yml in “Edit Inputs”?

Upload the edited version of that file to the Graylog server, somewhere Graylog can read it (/usr/share/graylog-server is probably the logical destination). Make sure the file is owned by the graylog user and it should work (if you upload it to the example directory I gave, you should put /usr/share/graylog-server/netflow9.yml into the “Netflow 9 field definitions” box).

If it still doesn’t work check the Graylog log for the error.


This worked and I no longer get any errors. Thanks for the assistance.

However, new problems have arisen.

In my netflow9.yml file (for example) I have:

8:
- :ip4_addr
- :src_addr

but it is generating the field:
[image]

Problem #1:
Graylog is prepending nf_ to all the NetFlow fields.

Is there a way to remove the prefix?

Problem #2:
The message field is generated using “null” values.
[image]

This is because it is built using the nf_dst & nf_src fields.
The nf_dst & nf_src fields are built expecting specific field names:
[image]
Reference: https://github.com/Graylog2/graylog2-server/blob/f35df42e165ac570b8b27de3f8eeac85e74ed610/graylog2-server/src/main/java/org/graylog/plugins/netflow/flows/NetFlowFormatter.java

I have renamed those fields, so the expected fields no longer exist and the “null” values are used.

Is there anything I can do about this or should I be looking at creating pipeline rules to rename fields instead of editing the netflow9.yml?
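The two problems above (the nf_ prefix and the message field falling back to null once a field the formatter reads has been renamed) can be caught before pointing an input at a custom netflow9.yml. The following Python script is an added example for this thread, not Graylog’s code and not posted by anyone in the thread. It assumes the definitions file keeps the shape shown above (an integer field id, then a list of “:type” and “:name” symbols, with “:skip” for fields to ignore), that Graylog prefixes every resulting field with nf_, and that the names in REQUIRED are the ones NetFlowFormatter looks up; that list is a placeholder to replace with the names from the NetFlowFormatter.java of the Graylog version in use. The sample definitions embedded in it are constructed, not a copy of the stock file.

```python
"""Lint a custom Graylog netflow9.yml for renamed or duplicated field names.

Added example, not Graylog code. Parses only the restricted YAML subset the
definitions file uses (field id, then ':type' / ':name' symbols), applies the
nf_ prefix Graylog adds to every field, and reports names the formatter would
no longer find. Run with a path argument to check a real file.
"""
import re
from typing import Dict, List, Tuple

PREFIX = "nf_"  # Graylog prepends this to every field taken from the definitions
# Assumption for illustration: the original names the message formatter reads.
# Replace with the names used by NetFlowFormatter in your Graylog version.
REQUIRED = ("ipv4_src_addr", "ipv4_dst_addr")

FIELD_RE = re.compile(r"^\s*(\d+):\s*$")     # e.g. "8:"
ITEM_RE = re.compile(r"^\s*-\s*:(\w+)\s*$")   # e.g. "- :ip4_addr"


def parse_definitions(text: str) -> Dict[int, List[str]]:
    """Parse the restricted YAML subset of netflow9.yml into {field_id: [type, name]}.

    Only the two line shapes shown in the thread are accepted; anything else
    raises, so a malformed file fails here rather than in the input.
    """
    defs: Dict[int, List[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            current = int(m.group(1))
            if current in defs:
                raise ValueError(f"line {lineno}: duplicate field id {current}")
            defs[current] = []
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            defs[current].append(m.group(1))
            continue
        raise ValueError(f"line {lineno}: unexpected content {raw!r}")
    return defs


def exported_names(defs: Dict[int, List[str]]) -> Dict[int, str]:
    """Map field id -> field name as Graylog would emit it (nf_ prefix applied)."""
    names: Dict[int, str] = {}
    for fid, spec in sorted(defs.items()):
        if not spec or spec[0] == "skip":  # ":skip" entries produce no field
            continue
        if len(spec) < 2:
            raise ValueError(f"field {fid}: type {spec[0]!r} has no name")
        names[fid] = PREFIX + spec[1]
    return names


def check(text: str, required=REQUIRED) -> Tuple[Dict[int, str], List[str]]:
    """Return (exported names, list of problems) for a definitions file."""
    names = exported_names(parse_definitions(text))
    problems: List[str] = []
    owner: Dict[str, int] = {}
    for fid, name in names.items():
        if name in owner:  # two field ids mapped onto one Graylog field name
            problems.append(f"{name} is defined by fields {owner[name]} and {fid}")
        owner[name] = fid
    for req in required:
        if PREFIX + req not in owner:  # renamed away: the formatter would see null
            problems.append(f"missing {PREFIX}{req}")
    return names, problems


# Constructed sample: the poster's renamed field 8 beside a stock-style field 12
# and a skipped field. Not a copy of Graylog's netflow9.yml.
SAMPLE = """\
# field id -> [type, name]
8:
- :ip4_addr
- :src_addr
12:
- :ip4_addr
- :ipv4_dst_addr
42:
- :skip
"""

if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    names, problems = check(text)
    for fid, name in names.items():
        print(f"{fid:>5} -> {name}")
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run against the sample it reports the renamed field 8 as nf_src_addr and flags nf_ipv4_src_addr as missing, which is exactly the condition that leaves the message field with null values; a file where REQUIRED is left untouched and only other fields are renamed passes cleanly. The parser deliberately rejects anything outside the two line shapes shown in the thread, so a definitions file that fails here would also be worth checking in the Graylog log rather than assuming the 500 error is a path problem.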
