NetFlow Destination

The NetFlow Destination exclusively forwards NetFlow v5 and v9 UDP traffic to NetFlow collectors. The NetFlow Destination relies on the __netflowRaw field that is generated from a Cribl Stream NetFlow Source. The raw NetFlow packet data is sent directly to the configured NetFlow collector(s). Events without __netflowRaw are discarded.

Type: Non-Streaming | TLS Support: No | PQ Support: Yes

Requirements

  • Enable pass-through: The NetFlow Source must have Enable pass-through toggled on to generate events containing __netflowRaw.
  • Routing: Ensure only events with __netflowRaw are routed to the NetFlow Destination.

Raw Forwarding

For both NetFlow v5 and v9, Cribl Stream:

  • Can forward NetFlow packets to other NetFlow collectors. However, it cannot modify the contents of the incoming packet. In other words, Cribl Stream forwards the NetFlow/IPFIX export payload as it was received, without modification to the flow records themselves. The original transport headers are not preserved, so the packet is not an exact byte-for-byte copy of the original network packet.
  • Only routes NetFlow packets from upstream Exporters and cannot generate its own NetFlow packets.
  • Cannot send non-NetFlow input data to NetFlow collectors.
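A collector-side check that a datagram received from this Destination is a well-formed NetFlow v5 or v9 export payload, as an added example (not Cribl code). Because the original transport headers are not preserved, it reports the identifiers carried inside the payload (v5 engine type/ID, v9 Source ID). The function name and sample datagrams are constructed for illustration; header layouts follow the Cisco NetFlow v5 format and RFC 3954.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte NetFlow v5 header
V5_RECORD_LEN = 48                       # fixed-size v5 flow record
V9_HEADER = struct.Struct("!HHIIII")     # 20-byte NetFlow v9 header (RFC 3954)


def inspect_export(payload: bytes) -> dict:
    """Validate a UDP payload as NetFlow v5 or v9 and return its header facts.

    Raises ValueError for anything else (hypothetical helper, not a Cribl API).
    """
    if len(payload) < 2:
        raise ValueError("too short to carry a version field")
    (version,) = struct.unpack_from("!H", payload)

    if version == 5:
        if len(payload) < V5_HEADER.size:
            raise ValueError("truncated v5 header")
        _, count, _, _, _, seq, engine_type, engine_id, _ = V5_HEADER.unpack_from(payload)
        if not 1 <= count <= 30:
            raise ValueError(f"v5 record count {count} out of range")
        if len(payload) != V5_HEADER.size + count * V5_RECORD_LEN:
            raise ValueError("v5 length does not match record count")
        return {"version": 5, "count": count, "sequence": seq,
                "engine": (engine_type, engine_id)}

    if version == 9:
        if len(payload) < V9_HEADER.size:
            raise ValueError("truncated v9 header")
        _, count, _, _, seq, source_id = V9_HEADER.unpack_from(payload)
        flowsets, offset = [], V9_HEADER.size
        while offset < len(payload):  # walk FlowSets: 2-byte ID, 2-byte length
            if offset + 4 > len(payload):
                raise ValueError("truncated FlowSet header")
            fs_id, fs_len = struct.unpack_from("!HH", payload, offset)
            if fs_len < 4 or offset + fs_len > len(payload):
                raise ValueError("FlowSet length overruns datagram")
            flowsets.append(fs_id)
            offset += fs_len
        return {"version": 9, "count": count, "sequence": seq,
                "source_id": source_id, "flowsets": flowsets}

    raise ValueError(f"not NetFlow v5/v9 (version field = {version})")


# Constructed sample datagrams (not captured traffic).
SAMPLE_V5 = V5_HEADER.pack(5, 2, 1000, 1700000000, 0, 42, 0, 7, 0) + bytes(2 * V5_RECORD_LEN)
SAMPLE_V9 = (V9_HEADER.pack(9, 1, 1000, 1700000000, 7, 256)
             + struct.pack("!HHHHHH", 0, 12, 260, 1, 8, 4))  # one template FlowSet
```

Tracking the returned `sequence` per exporter identifier over time is one way to spot datagrams lost between the Destination and the collector.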

Beyond Raw Forwarding

While the NetFlow Destination relies solely on __netflowRaw, other fields such as srcAddr and packets generated by the NetFlow Source are used for:

  • Non-NetFlow Destinations: Providing structured, human-readable data for systems like Splunk or Amazon S3.
  • Analytics: Supporting filtering, enrichment, and aggregation within Cribl Stream.
  • Internal processing: Enabling Pipeline logic and routing decisions.
  • Validation: Assisting in debugging and verifying parsed NetFlow data.

Configure a NetFlow Destination

  1. On the top bar, select Products, and then select Cribl Stream. Under Worker Groups, select a Worker Group. Next, you have two options:
    • To configure via QuickConnect, navigate to Routing > QuickConnect (Stream) or Collect (Edge). Select Add Destination and select the Destination you want from the list, choosing either Select Existing or Add New.
    • To configure via the Routes, select Data > Destinations or More > Destinations (Edge). Select the Destination you want. Next, select Add Destination.
  2. In the New Destination modal, configure the following under General Settings:
    • Output ID: Enter a unique name to identify this NetFlow definition. If you clone this Destination, Cribl Stream will add -CLONE to the original Output ID.
    • Description: Optionally, enter a description.
    • NetFlow Destinations: Add the downstream NetFlow collectors to which Cribl Stream should send data.
      • Address: Hostname or IP address of the NetFlow collector.
      • Port: Port number to connect to on the NetFlow collector. Defaults to 2055, which is the standard port for NetFlow traffic.
  3. Next, you can configure the following Optional Settings:
    • Tags: Optionally, add tags that you can use to filter and group Destinations on the Destinations page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
  4. Optionally, you can adjust the Processing and Advanced settings outlined in the sections below.
  5. Select Save, then Commit & Deploy.

Processing Settings

Post‑Processing

Pipeline: Pipeline or Pack to process data before sending the data out using this output.

Advanced Settings

DNS resolution period (sec): Re-resolve any hostnames after each interval of this many seconds, and pick up destinations from records. Defaults to 0 seconds. A value of 0 means every datagram sent will incur a DNS lookup. A non-zero value improves performance but can reduce the overall reliability if the DNS records for the downstream NetFlow collectors change frequently.

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Internal Fields

The NetFlow Destination forwards the __netflowRaw field that is generated from a Cribl Stream NetFlow Source to downstream NetFlow collectors.

Troubleshooting

The Destination’s configuration modal has helpful tabs for troubleshooting:

Live Data: Try capturing live data to see real-time events as they flow through the Destination. On the Live Data tab, click Start Capture to begin viewing real-time data.

Logs: Review and search the logs that provide detailed information about the delivery process, including any errors or warnings that may have occurred.

Test: Ensures that the Destination is correctly set up and reachable. Verify that sample events are sent correctly by clicking Run Test.

You can also view the Monitoring page that provides a comprehensive overview of data volume and rate, helping you identify delivery issues. Analyze the graphs showing events and bytes in/out over time.