Forum Discussion

Kerry_DeVilbiss's avatar
7 years ago

Export Netflow from Windows Server to LogicMonitor

Exporting Netflow from Windows with FlowTraq Exporter

NetFlow is an industry standard network protocol for monitoring traffic flows across a network interface. It is used most commonly by devices like firewalls, routers, and switches, but some software packages make it possible to export Netflow data from a server operating system - in this case Windows - to a Netflow collector (LogicMonitor) for traffic analysis.

Instructions

1.) Register for and download the free FlowTraq Exporter.

2.) Download WinPcap (Windows packet capture library).

3.) Install WinPcap on the server you wish to export Netflow data from.

4.) Install and configure Flowtraq Exporter on the server you wish to export Netflow data from.

  • - Select an interface from which to export Netflow data on the server.
  • - Point the Netflow export data to the LogicMonitor Collector that will be monitoring the device and ingesting the flow data.
  • - The LogicMonitor collector listens for Netflow on port 2055 out-of-box.

5.) Stop the Windows service "ProQueSys Flow Export."

6.) Edit the configuration file located at "C:\Program Files (x86)\ProQueSys\Exporter\flowexport.conf"

  • - Change the bit that says "nf9" to "nf5" to export Netflow in a compatible format.

7.) Start the Windows service 'ProQueSys Flow Export.'

8.) Make sure the device is in LogicMonitor and has Netflow collection enabled, pointing to the correct collector.

9.) Give LogicMonitor 5-10 minutes to start processing the flow traffic and soon you'll have some flow data on the device Traffic tab

  • Anyone know of a way to get this to work with Netflow v9 or 10 / IPFIX ..? I'm interested in capturing data egress to get a fuller picture of things (figuratively and literally)..

  • That is what it was, the IP has to be put in not localhost. Thank you!

  • Are there any trouble shooting steps? I have installed both Winpcap and confirmed it is running and getting traffic by using the winpcapdump. The Server has LogicMonitor installed on it so the Flow Exporter is pointing to local host port 2055 (default I think) and the collector is set to get netflow data, but no data is showing in the Traffic tab. Is there something else I can look at? Also I did change the config file to use nf5 and not nf9. I've also tried to change localhost in the file to the IP of the interface.