
netflow and samplicator

I understand that SolarWinds can't provide support for Samplicator, so I am asking the community at large.

I have just installed samplicator, and though I am getting Netflow from the samplicator server to my NTA, it's not spoofing the IP address - everything is showing up as coming from the samplicator server. Here is my command line -

/usr/local/bin/samplicate -S -f -s0.0.0.0 -p2055 <orion_NPM_ip>/2055.

I have about 15 (Cisco) routers sending to the "NMS-2" (samplicator) server.

Any thoughts?

  • Are you running it as root?

    I believe most, if not all, Cisco devices support multiple collectors being configured on their own...

  • Yes, I am running as root. I am attempting to simplify our configurations - one syslog entry, one netflow entry. Replicating the data from there makes life much easier for us.

  • It also adds one more single point of failure. Not a fan of that concept. I would only use something like the samplicator when I needed to: either I had a netflow source that wouldn't send to multiple collectors if I needed it, or maybe to use it as a proxy for a netflow source that didn't have direct access to the collector. A couple of lines in a configuration are more reliable than another box forwarding the messages for you.

    At a previous job someone had set up a pair of high-end syslog collectors as a mirror of each other. Only one would receive syslog messages and it was set up to forward to the "backup". This was on a top-secret network that had no outside connectivity. One day someone noticed that the main collector had been down for several days. Had we set it up with two different logging entries, it wouldn't have been a problem. But with the way it was set up, with the primary box going down there was no way for the backup box to continue getting the syslogs, so we lost out on several days' worth of potentially important information.

    Similar setup to what you're describing. What will you do if this intermediate box fails? Will you be ok with losing data for that time period on both of your collectors?

  • Thanks for your comments, but that does not help me solve my problem.

  • I have used samplicator a while back. If I recall correctly, the -S spoofed the address when I tried. I think it sources from port 2000 by default. Maybe remove the -s and the -p option and have one of the flow sources send to port 2000 of your samplicator? That way you start up the samplicator with all the defaults and just pass -S and the destinations as arguments. Just a troubleshooting thought.

  • Were either of you successful in getting this tool to work? Most of our customers have leveraged nProbe in the past for this kind of functionality.

  • I have it running, and love it. So easy to do.

    I think I ended up upgrading my packages - and make sure it is "-S" (case is very important).

    Can't remember doing anything else.
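
Added example, not part of the original thread or of samplicator: a small Python check that tallies the IP source address of each NetFlow/IPFIX datagram arriving at a test destination, to confirm whether the relay is preserving the exporters' addresses or sending everything from its own. The relay address, the sample datagrams and all function names are assumptions made for illustration; `capture()` is meant for a spare host added as an extra samplicate destination.

```python
import socket
import struct
from collections import Counter

FLOW_VERSIONS = {1, 5, 7, 9, 10}  # NetFlow v1/v5/v7/v9 and IPFIX (10)

def flow_version(payload):
    """Return the export version from the first two header bytes, else None."""
    if len(payload) < 4:
        return None
    (version,) = struct.unpack("!H", payload[:2])
    return version if version in FLOW_VERSIONS else None

def classify_sources(datagrams, relay_ip):
    """Tally flow datagrams per IP source address and judge the relay.

    datagrams: iterable of (source_ip, payload) pairs, as recvfrom() yields.
    """
    seen = Counter(src for src, data in datagrams if flow_version(data) is not None)
    others = [ip for ip in seen if ip != relay_ip]
    if not seen:
        verdict = "no-flows"
    elif not others:
        verdict = "relay-only"          # the symptom described in the first post
    elif relay_ip in seen:
        verdict = "mixed"
    else:
        verdict = "exporter-addresses"  # original source addresses preserved
    return verdict, dict(seen)

def capture(port, count, timeout=30.0):
    """Collect up to `count` datagrams from a UDP port (live use only)."""
    got = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            while len(got) < count:
                data, (src, _port) = sock.recvfrom(65535)
                got.append((src, data))
        except socket.timeout:
            pass
    return got

# Constructed sample: an empty 24-byte NetFlow v5 header, not real traffic.
V5_HEADER = struct.pack("!HHIIIIBBH", 5, 0, 1000, 1700000000, 0, 1, 0, 0, 0)
RELAY = "192.0.2.10"  # assumed address of the samplicator host
SAMPLE_RELAY_ONLY = [(RELAY, V5_HEADER)] * 3
SAMPLE_PRESERVED = [("198.51.100.1", V5_HEADER), ("198.51.100.2", V5_HEADER)]
```

For a live check, pass the result of `capture(2055, 50)` to `classify_sources()` along with the relay's real address.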