Hey Nick,

We’re just using RFC-compliant UDP forwarding at this point to a single 
aggregator. We’d probably spin up a UDP collector/forwarder to control the 
flow from a multiple-input, multiple-output perspective, as the most efficient 
means of implementation. IMO the best route would just be the ability to 
parse netflow from a listening UDP socket, and allow the aggregation/forwarding 
to happen out of scope to Metron.

With regard to brand, Cisco and Palo’s primarily.

Cheers!
From: Nick Allen [mailto:[email protected]]
Sent: Wednesday, June 21, 2017 4:00 PM
To: [email protected]
Subject: Re: Netflow Aggregator data into metron pipeline

Hi Ian -

How do you get data off of your Netflow aggregators; a TAP/SPAN port?  Care to 
share the brand/make?

On Wed, Jun 21, 2017 at 2:57 PM, Ian Abreu <[email protected]> wrote:

Hey All,



We've got an architecture which aggregates multiple tiers of netflow data for 
ingestion to a much more centralized point of ingestion. Because of this, 
it'd be prohibitive to go and spin up an entirely separate architecture just 
for getting IPFIX data to be parsed by Kafka, and into Metron.



My question: Can we/how do we use our existing netflow aggregators, and 
leverage IPFIX parsing so that our existing data + aggregation can be used and 
ingested by kafka?

Thanks in advance!
