Filtering/Excluding Specific Subnet Flow Data

Eric Kinzie eric at qosient.com
Tue Nov 7 15:01:50 EST 2017


On Tue Nov 07 12:54:56 -0500 2017, Drew Dixon wrote:
> Hi there,
> 
> So we are still testing our setup with radium/racluster etc. currently
> collecting netflow data directly from routers using radium and still
> testing processing it with various racluster configurations.
> 
> My main question is surrounding how to properly exclude/filter out a subnet
> from our end result data, the desired filter syntax itself seems to be
> working using ra from the cmdline.
> 
> I figured the best way to do that was tell radium to just not even pay
> attention and not collect that data off the wire but in testing that and
> reading the docs it looks like that may not be possible when collecting
> netflow formatted data directly (with no argus server generating data)?
> 
> I tested out my filter using ra and confirmed the filter syntax and that
> it's filtering out the subnet traffic for icmp/tcp/udp protocols mostly
> like I want but in trying to implement this filter in my radium.conf file
> using the RADIUM_FILTER parameter it does not seem to be working.  I found
> (somewhere in the docs, can't remember exactly where) that this sounds like
> it might be designed to send the filter string only to a remote argus
> server and that it only works that way and doesn't work as a local radium
> filter when collecting directly from network devices?  I've been using
> the RADIUM_CISCONETFLOW_PORT parameter to specify the interface and port to
> listen for the netflow data on.  I also tested this using
> RADIUM_ARGUS_SERVER=cisco://192.xxx.xxx.xxx:9996 for the listener parameter
> both along with the RADIUM_FILTER parameter and neither are working to
> filter the data out from being written to the radium.out file.
> 
> Is there a way that I'm just missing thus far to get a radium filter to
> work and apply to the netflow data coming into my server?  If not, what
> would be the best approach to doing this?
> 
> I also tried doing so using aggregation policy filters with
> racluster/racluster.conf, but it doesn't seem to be working very well doing
> specific filtering there; I am still seeing a lot of the flow data from the
> subnet I'm attempting to filter out. It appears to work fine from the
> command line using ra to read the radium data, but the racluster filter
> doesn't work as well. I might be doing something wrong with the racluster
> filters, but the same filter worked great from the command line using the ra
> client tool.
> 
> Thank you much in advance,
> 
> -Drew

Drew, I think you're correct that RADIUM_FILTER always applies a
remote filter.  It might be possible to get local filtering by
supplying the filter string on the command line.  I don't have a
convenient source of netflow to test this with, but try something
similar to:

% radium ...your parameters here...  - local net 192.168.5.0/24

Eric
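As an added illustration (not code from the argus project or from either poster), the following Python shows the fallback Drew has left if neither the radium nor the racluster filter applies at collection time: post-filtering the exported records by subnet, with the same three variants a BPF-style argus filter expresses as `not src net`, `not dst net` and `not net` (the last matching when either endpoint is in the subnet). The record layout (columns saddr,daddr,proto,pkts, as one might export with `ra -c , -s saddr daddr proto pkts`) and the sample rows are constructed assumptions for the example.

```python
"""Exclude flows that touch a subnet, applied after collection.

Added example, not argus/radium code. It assumes comma-separated flow
records with the columns saddr,daddr,proto,pkts (an assumption about the
export format, e.g. `ra -c , -s saddr daddr proto pkts`).
"""
import csv
import ipaddress
from io import StringIO

# Constructed sample records for the example; not real traffic.
SAMPLE = """\
saddr,daddr,proto,pkts
192.168.5.10,10.0.0.1,tcp,12
10.0.0.2,192.168.5.20,udp,3
10.0.0.3,10.0.0.4,tcp,40
192.168.5.30,192.168.5.31,icmp,2
10.0.1.5,10.0.0.9,icmp,1
"""


def parse_flows(text):
    """Parse comma-separated flow records with a header row into dicts."""
    return list(csv.DictReader(StringIO(text)))


def exclude_net(flows, cidr, direction="either"):
    """Drop flows whose endpoint(s) fall in `cidr`.

    direction="src"    mirrors `not src net CIDR`
    direction="dst"    mirrors `not dst net CIDR`
    direction="either" mirrors `not net CIDR` (drop if src OR dst matches)
    """
    net = ipaddress.ip_network(cidr, strict=False)
    kept = []
    for flow in flows:
        src_hit = ipaddress.ip_address(flow["saddr"]) in net
        dst_hit = ipaddress.ip_address(flow["daddr"]) in net
        if direction == "src":
            hit = src_hit
        elif direction == "dst":
            hit = dst_hit
        elif direction == "either":
            hit = src_hit or dst_hit
        else:
            raise ValueError("direction must be src, dst or either")
        if not hit:
            kept.append(flow)
    return kept


def flows_touching(flows, cidr):
    """Count flows with at least one endpoint in `cidr`; use it to verify
    that an 'either' exclusion really left nothing behind."""
    net = ipaddress.ip_network(cidr, strict=False)
    return sum(
        1 for f in flows
        if ipaddress.ip_address(f["saddr"]) in net
        or ipaddress.ip_address(f["daddr"]) in net
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for mode in ("src", "dst", "either"):
        remaining = exclude_net(flows, "192.168.5.0/24", mode)
        print(mode, len(remaining), "kept,",
              flows_touching(remaining, "192.168.5.0/24"), "still touch subnet")
```

The `flows_touching` check is the one worth running against the real `radium.out` after any collector-side filter: if it returns non-zero for the excluded subnet, the filter was not applied where it was expected to be.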
