On This Page

Home / Stream/ Integrations/ Destinations/NetFlow Destination

NetFlow Destination

The NetFlow Destination exclusively forwards NetFlow v5 and v9 UDP traffic to NetFlow collectors. The NetFlow Destination relies on the __netflowRaw field that is generated from a Cribl Stream NetFlow Source. The raw NetFlow packet data is sent directly to the configured NetFlow collector(s). Events without __netflowRaw are discarded.

Type: Non-Streaming | TLS Support: No | PQ Support: Yes

Requirements

  • Enable pass-through: The NetFlow Source must have Enable pass-through toggled on to generate events containing __netflowRaw.
  • Routing: Ensure only events with __netflowRaw are routed to the NetFlow Destination.

Raw Forwarding

For both NetFlow v5 and v9, Cribl Stream:

  • Can forward NetFlow packets to other NetFlow collectors. However, it cannot modify the contents of the incoming packet. In other words, Cribl Stream forwards the packets verbatim as they come in.
  • Only routes NetFlow packets from upstream Exporters and cannot generate its own NetFlow packets.
  • Cannot send non-NetFlow input data to NetFlow collectors.

Beyond Raw Forwarding

While the NetFlow Destination relies solely on __netflowRaw, other fields such as srcAddr and packets generated by the NetFlow Source are used for:

  • Non-NetFlow Destinations: Providing structured, human-readable data for systems like Splunk or Amazon S3.
  • Analytics: Supporting filtering, enrichment, and aggregation within Cribl Stream.
  • Internal processing: Enabling Pipeline logic and routing decisions.
  • Validation: Assisting in debugging and verifying parsed NetFlow data.

Configure a NetFlow Destination

  1. On the top bar, select Products, and then select Cribl Stream. Under Worker Groups, select a Worker Group. Next, you have two options:
    • To configure via QuickConnect, navigate to Routing > QuickConnect (Stream) or Collect (Edge). Select Add Destination and select the Destination you want from the list, choosing either Select Existing or Add New.
    • To configure via the Routes, select Data > Destinations or More > Destinations (Edge). Select the Destination you want. Next, select Add Destination.
  2. In the New Destination modal, configure the following under General Settings:
    • Output ID: Enter a unique name to identify this NetFlow definition. If you clone this Destination, Cribl Stream will add -CLONE to the original Output ID.
    • Description: Optionally, enter a description.
    • NetFlow Destinations: Add the downstream NetFlow collectors to which Cribl Stream should send data.
      • Address: Hostname or IP address of the NetFlow collector.
      • Port: Port number to connect to on the NetFlow collector. Defaults to 2055, which is the standard port for NetFlow traffic.
  3. Next, you can configure the following Optional Settings:
    • Tags: Optionally, add tags that you can use to filter and group Destinations on the Destinations page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
  4. Optionally, you can adjust the Processing and Advanced settings outlined in the sections below.
  5. Select Save, then Commit & Deploy.

Processing Settings

Post‑Processing

Pipeline: Pipeline or Pack to process data before sending the data out using this output.

Advanced Settings

DNS resolution period (sec): Re-resolve any hostnames after each interval of this many seconds, and pick up destinations from records. Defaults to 0 seconds. A value of 0 means every datagram sent will incur a DNS lookup. A non-zero value improves performance but can reduce the overall reliability if the DNS records for the downstream NetFlow collectors change frequently.

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Internal Fields

The NetFlow Destination forwards the __netflowRaw field that is generated from a Cribl Stream NetFlow Source to downstream NetFlow collectors.

Troubleshooting

The Destination’s configuration modal has helpful tabs for troubleshooting:

Live Data: Try capturing live data to see real-time events as they flow through the Destination. On the Live Data tab, click Start Capture to begin viewing real-time data.

Logs: Review and search the logs that provide detailed information about the delivery process, including any errors or warnings that may have occurred.

Test: Ensures that the Destination is correctly set up and reachable. Verify that sample events are sent correctly by clicking Run Test.

You can also view the Monitoring page that provides a comprehensive overview of data volume and rate, helping you identify delivery issues. Analyze the graphs showing events and bytes in/out over time.