These docs are for Cribl Edge 4.10 and are no longer actively maintained.
See the latest version (4.13).
NetFlow Destination
Cribl Edge supports passing through NetFlow v5 and v9 UDP traffic to NetFlow Collectors.
Type: Non-Streaming | TLS Support: No | PQ Support: Yes
Configure Cribl Edge to Output to NetFlow
- On the top bar, select Products, and then select Cribl Edge. Under Fleets, select a Fleet. Next, you have two options:
  - To configure via QuickConnect, navigate to Routing > QuickConnect (Stream) or Collect (Edge). Select Add Destination and select the Destination you want from the list, choosing either Select Existing or Add New.
  - To configure via the Routes, select Data > Destinations or More > Destinations (Edge). Select the Destination you want. Next, select Add Destination.
- In the New Destination modal, configure the following under General Settings:
  - Output ID: Enter a unique name to identify this NetFlow definition. If you clone this Destination, Cribl Edge will add -CLONE to the original Output ID.
  - Description: Optionally, enter a description.
  - NetFlow Destinations: Add the downstream NetFlow Collectors to which Cribl Edge should send data.
    - Address: Hostname or IP address of the Collector.
    - Port: Port number to connect to on the Collector. Defaults to 2055, which is the standard port for NetFlow traffic.
- Next, you can configure the following Optional Settings:
  - Tags: Optionally, add tags that you can use to filter and group Destinations on the Destinations page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
- Optionally, you can adjust the Processing and Advanced settings outlined in the sections below.
- Select Save, then Commit & Deploy.
Processing Settings
Post‑Processing
Pipeline: Pipeline or Pack to process data before sending the data out using this output.
Advanced Settings
DNS resolution period (sec): Re-resolve any hostnames after each interval of this many seconds, and pick up destinations from records. Defaults to 0 seconds. A value of 0 means every datagram sent will incur a DNS lookup. A non-zero value improves performance but can reduce the overall reliability if the DNS records for the downstream Collectors change frequently.
Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.
Internal Fields
Cribl Edge uses a set of internal fields to assist in forwarding data to a Destination.
Field for this Destination:
__netflowRaw: Directly routes the raw NetFlow packet data to a downstream NetFlow Collector.
Considerations for Working with NetFlow Data FlowSets
For both NetFlow v5 and v9, Cribl Edge:
- Can forward NetFlow packets to other NetFlow Collectors. However, it cannot modify the contents of the incoming packet. In other words, Cribl Edge forwards the packets verbatim as they came in.
- Only routes NetFlow packets from upstream Exporters and cannot generate its own NetFlow packets.
- Cannot send non-NetFlow input data to NetFlow Collectors.
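Because packets are forwarded verbatim and only NetFlow v5 and v9 are supported, a framing check on the Collector side is a quick way to confirm what actually arrives over UDP. The Python sketch below is an added example, not part of Cribl Edge or its documentation; the function name check_netflow and the sample payloads are assumptions constructed for illustration.

```python
import struct

V5_HEADER, V5_RECORD, V9_HEADER = 24, 48, 20  # sizes in bytes


def check_netflow(datagram: bytes) -> dict:
    """Validate the framing of one UDP payload as NetFlow v5 or v9."""
    if len(datagram) < 4:
        return {"ok": False, "reason": "shorter than version+count"}
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version == 5:
        # v5 is fixed-layout: 24-byte header plus 1..30 records of 48 bytes.
        if not 1 <= count <= 30:
            return {"ok": False, "version": 5, "reason": "record count outside 1..30"}
        if len(datagram) != V5_HEADER + count * V5_RECORD:
            return {"ok": False, "version": 5, "reason": "length does not match count"}
        return {"ok": True, "version": 5, "records": count}
    if version == 9:
        if len(datagram) < V9_HEADER:
            return {"ok": False, "version": 9, "reason": "truncated header"}
        # v9 body is a chain of FlowSets: 2-byte ID, 2-byte length (header included).
        offset, flowsets = V9_HEADER, 0
        while offset < len(datagram):
            if offset + 4 > len(datagram):
                return {"ok": False, "version": 9, "reason": "truncated FlowSet header"}
            _fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
            if fs_len < 4 or offset + fs_len > len(datagram):
                return {"ok": False, "version": 9, "reason": "FlowSet length out of bounds"}
            offset += fs_len
            flowsets += 1
        return {"ok": True, "version": 9, "flowsets": flowsets}
    return {"ok": False, "version": version, "reason": "not NetFlow v5 or v9"}


# Constructed sample payloads (not captured traffic).
SAMPLE_V5 = struct.pack("!HHIIIIBBH", 5, 1, 0, 0, 0, 0, 0, 0, 0) + bytes(48)
SAMPLE_V9 = (struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
             + struct.pack("!6H", 0, 12, 256, 1, 8, 4))  # one template FlowSet
SAMPLE_OTHER = b"<134>constructed non-NetFlow payload"

if __name__ == "__main__":
    for name, payload in [("v5", SAMPLE_V5), ("v9", SAMPLE_V9), ("other", SAMPLE_OTHER)]:
        print(name, check_netflow(payload))
```

A payload that passes on the Exporter side but fails here points to truncation or interference in transit rather than to the Destination, since the Destination does not rewrite packet contents.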
Troubleshooting
The Destination’s configuration modal has helpful tabs for troubleshooting:
Live Data: Try capturing live data to see real-time events as they flow through the Destination. On the Live Data tab, click Start Capture to begin viewing real-time data.
Logs: Review and search the logs that provide detailed information about the delivery process, including any errors or warnings that may have occurred.
Test: Ensures that the Destination is correctly set up and reachable. Verify that sample events are sent correctly by clicking Run Test.
You can also view the Monitoring page that provides a comprehensive overview of data volume and rate, helping you identify delivery issues. Analyze the graphs showing events and bytes in/out over time.