Filtering/Excluding Specific Subnet Flow Data

Drew Dixon dwdixon at umich.edu
Tue Nov 7 12:54:56 EST 2017


Hi there,

So we are still testing our setup with radium/racluster etc., currently
collecting netflow data directly from routers using radium, and still
testing processing it with various racluster configurations.

My main question is surrounding how to properly exclude/filter out a subnet
from our end-result data; the desired filter syntax itself seems to be
working using ra from the cmdline.

I figured the best way to do that was to tell radium to just not even pay
attention and not collect that data off the wire, but in testing that and
reading the docs it looks like that may not be possible when collecting
netflow-formatted data directly (with no argus server generating data)?

I tested out my filter using ra and confirmed the filter syntax and that
it's filtering out the subnet traffic for icmp/tcp/udp protocols mostly
like I want, but in trying to implement this filter in my radium.conf file
using the RADIUM_FILTER parameter it does not seem to be working.  I found
(somewhere in the docs, can't remember exactly where) that this sounds like
it might be designed to send the filter string only to a remote argus
server, and that it only works that way and doesn't work as a local radium
filter when collecting directly from network devices?  I've been using
the RADIUM_CISCONETFLOW_PORT parameter to specify the interface and port to
listen for the netflow data on.  I also tested this using
RADIUM_ARGUS_SERVER=cisco://192.xxx.xxx.xxx:9996 for the listener parameter,
both along with the RADIUM_FILTER parameter, and neither is working to
filter the data out from being written to the radium.out file.

Is there a way that I'm just missing thus far to get a radium filter to
work and apply to the netflow data coming into my server?  If not, what
would be the best approach to doing this?

I also tried doing so using aggregation policy filters with
racluster/racluster.conf, but it doesn't seem to be working very well for
specific filtering there; I am still seeing a lot of the flow data from the
subnet I'm attempting to filter out.  It appears to work fine from the
command line using ra to read the radium data, but the racluster filter
doesn't work as well.  I might be doing something wrong with the racluster
filters, but the same filter worked great from the command line using the ra
client tool.

Thank you much in advance,

-Drew