
EventSentry can parse the following flow protocols:

- NetFlow v1
- NetFlow v5
- NetFlow v9
- IPFIX
- sFlow

NetFlow monitoring supports the following functionality:

- Visualization, including geolocation, of all network communication reported through NetFlow
- Real-time alerts for traffic to/from certain IP ranges, countries, states, cities or zip codes
- Correlation with network logon data to associate network traffic with user names (requires monitoring workstations with EventSentry)

NetFlow is a separately licensed component which requires a NetFlow license. NetFlow functionality is available during an evaluation (where NetFlow functionality is automatically enabled) or when at least one NetFlow license is installed.

To activate the NetFlow collector, check the Enable NetFlow Collector check box on the "General" tab and configure either the database or event log feature. The default NetFlow port is 2055 and the default sFlow port is 6343; both can be changed to another port if necessary. After enabling the NetFlow Collector, configure your NetFlow devices to forward data to the EventSentry server on the configured NetFlow ports.

Aggregate Flows

To conserve disk space in the database, the NetFlow collector can group multiple flows which are received in close succession. Individual packet details may be lost when this option is activated, but database space is significantly reduced.

Calculate Bandwidth

Determines the bandwidth usage of an interface and offers additional metrics compared to traditional SNMP-based bandwidth monitoring. The bandwidth interval determines how often bandwidth statistics are stored in the database. The following metrics are stored:

- Utilization (in %)
- Bytes
- Packets
- Bytes per Packet

Utilization

Calculating the utilization of an interface requires that the NetFlow component knows the maximum speed of an interface, which it tries to determine automatically via SNMP. The maximum speed of an interface can also be specified using variables if the interface speed cannot be determined, or if the maximum speed of the interface does not reflect the actual available bandwidth (e.g. a router has a 1Gb interface but only 100MBit available). Speeds are set in MBit.

 

Bandwidth utilization that is less than 0.0001% will always be logged as 0.0001%. If the bandwidth utilization cannot be calculated, then a 0% utilization will be logged.

The following variables are supported:

- NFSPEED
- NFSPEED[INTERFACENAME]

In order to set a variable, the NetFlow exporter first needs to be added to a group in the management console, and the required SNMP authentication credentials need to be set. Once access to the NetFlow exporter is confirmed (Groups -> Check Status), a variable can be assigned by selecting the NetFlow exporter and clicking "Set Variables" in the ribbon.

The device sending NetFlow data will need to be added to a group in the management console before a variable can be assigned to it. The IP address of the device should be added if a reverse lookup is not available in DNS.

To add a new variable, click the Add button and specify both a variable name and value. If the speed is set via the NFSPEED variable, then the configured speed will be applied to any interface on the NetFlow exporter. To set the speed for a specific interface, the interface needs to be appended to the variable name. E.g., to set the maximum available bandwidth of the eth0 interface to 100MBit, the NFSPEEDETH0 variable can be set to 100. Interface names are usually displayed on the host inventory page in the web reports.

Figure: Assigning a custom interface speed

The NetFlow component will log the following events under the Network Services event source during start-up to confirm which interface speeds will be effective:

- 1005: The interface speed was determined via SNMP
- 1006: The interface speed was determined via a variable
- 1007: The interface speed could not be determined via SNMP and was not set with a variable; bandwidth utilization cannot be calculated at this time
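The following added example (not EventSentry's own code) models how the interface speed, the NFSPEED / NFSPEEDETH0 variables, the 0.0001% floor and the start-up event IDs described above fit together for one bandwidth interval. The precedence interface-specific variable > exporter-wide NFSPEED > SNMP-reported speed, and the sample flow records, are assumptions.

```python
# Added example, not EventSentry's code. Assumed precedence: interface-specific
# variable (NFSPEEDETH0) > exporter-wide NFSPEED > speed reported via SNMP.
EVT_SPEED_FROM_SNMP = 1005      # Network Services event IDs logged at start-up
EVT_SPEED_FROM_VARIABLE = 1006
EVT_SPEED_UNKNOWN = 1007
UTIL_FLOOR_PCT = 0.0001         # anything below this is logged as 0.0001%


def resolve_speed_mbit(interface, variables, snmp_speed_mbit=None):
    """Return (speed in MBit or None, event ID) for one exporter interface.

    `variables` holds names set via "Set Variables"; the interface name is
    appended in upper case, e.g. NFSPEEDETH0 for eth0, as on the page.
    """
    specific = "NFSPEED" + interface.upper()
    if specific in variables:
        return float(variables[specific]), EVT_SPEED_FROM_VARIABLE
    if "NFSPEED" in variables:
        return float(variables["NFSPEED"]), EVT_SPEED_FROM_VARIABLE
    if snmp_speed_mbit:
        return float(snmp_speed_mbit), EVT_SPEED_FROM_SNMP
    return None, EVT_SPEED_UNKNOWN  # utilization cannot be calculated

def utilization_pct(total_bytes, interval_seconds, speed_mbit):
    """Percent of link capacity used in the interval, with the documented floor."""
    if not speed_mbit or interval_seconds <= 0:
        return 0.0  # 0% is only ever logged when the value cannot be calculated
    capacity_bits = speed_mbit * 1_000_000 * interval_seconds
    pct = total_bytes * 8 / capacity_bits * 100
    return UTIL_FLOOR_PCT if pct < UTIL_FLOOR_PCT else round(pct, 4)

def interval_metrics(flows, interval_seconds, speed_mbit):
    """Roll (bytes, packets) flow records into the four stored bandwidth metrics."""
    total_bytes = sum(b for b, _ in flows)
    total_packets = sum(p for _, p in flows)
    return {
        "utilization_pct": utilization_pct(total_bytes, interval_seconds, speed_mbit),
        "bytes": total_bytes,
        "packets": total_packets,
        "bytes_per_packet": round(total_bytes / total_packets, 1) if total_packets else 0.0,
    }

if __name__ == "__main__":
    # Constructed sample: 1 GBit eth0 reported by SNMP, but only 100 MBit usable
    variables = {"NFSPEED": "1000", "NFSPEEDETH0": "100"}
    speed, event = resolve_speed_mbit("eth0", variables, snmp_speed_mbit=1000)
    flows = [(60_000_000, 40_000), (15_000_000, 10_000)]  # one constructed 60 s interval
    print(event, speed, interval_metrics(flows, 60, speed))
```

A logged 0% is therefore worth alerting on in its own right, since it means the speed was never resolved (event 1007) rather than that the link was idle.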

Bytes

Stores the number of bytes that were sent and received by the interface during the collection interval.

 

Packets

Stores the number of packets that were sent and received by the interface during the collection interval.

 

Bytes per Packet

Calculates the average packet size during the collection interval.

 

Monitoring the average packet size can be useful to identify unusual activity on a network, e.g. if the average size is unusually high or low.

Authorized IP Addresses / Networks

For enhanced security, specify the hosts from which the NetFlow collector will accept packets. Host names are not allowed in this list; only IP addresses may be specified, and CIDR notation is supported.