I have the Stream application installed on a Universal Forwarder and I've set up streamfwd as a receiver for Netflow. To be more precise, my architecture is the following:
- network traffic is mirrored to the server where UF is running
- server runs pmacctd which ingests mirrored traffic from network interface, generates Netflow data and sends it to UF
- UF sends Netflow to indexers.
Flows are coming in fine, but I noticed that the values of flow_start_time and flow_end_time are wrong. According to the documentation [1], these fields should hold absolute time in Epoch seconds, but what I get is something entirely different. For example, 1757846, which corresponds to Wednesday, January 21, 1970 8:17:26 AM GMT. Before Splunk, I was sending these flows to another collector and had no issues with timestamps. Any ideas where to start troubleshooting?
I did notice that values of these fields increase when time goes by, as expected. It's just the values which are wrong. Sounds like relative value, but it's not clear where it starts from. Date on the server which runs UF is correct.
[1]: https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/FlowProtocols
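One thing worth checking when the exported start/end values are small and grow monotonically is how the exporter encodes them on the wire. In the NetFlow v5 format the per-flow First and Last fields are not absolute timestamps: they are the exporter's SysUptime (milliseconds since the exporting process started) at the first and last packet of the flow, and the packet header carries the current SysUptime together with unix_secs/unix_nsecs so a collector can convert them. The script below is an added example, not part of the question above and not Splunk or pmacct code; it builds a constructed NetFlow v5 packet, decodes the header and one record, performs that conversion, and flags a value that cannot be a current Epoch timestamp. It assumes the exporter follows the standard v5 layout; whether that is actually what is happening in the poster's setup is an assumption to verify with a packet capture.

```python
import ipaddress
import struct

# NetFlow v5 wire format, network byte order: a 24-byte header followed by
# 48-byte flow records. Field order follows the published v5 layout.
HEADER_FMT = "!HHIIIIBBH"
# version, count, SysUptime(ms), unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First(ms), Last(ms),
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48


def build_v5_packet(sys_uptime_ms, unix_secs, unix_nsecs, flows):
    """Build a NetFlow v5 packet from constructed flow tuples:
    (src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime_ms,
                         unix_secs, unix_nsecs, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                    0, 0, 0, pkts, octets, first_ms, last_ms, sport, dport,
                    0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms in flows)
    return header + body


def parse_v5_packet(packet):
    """Decode a v5 packet and convert First/Last (SysUptime ms) to Epoch seconds."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than NetFlow v5 header")
    version, count, sys_uptime_ms, unix_secs, unix_nsecs, *_ = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("packet truncated: fewer records than header count")
    # Absolute time of export, from the header; SysUptime in the header is the
    # exporter's relative clock at that same instant.
    export_time = unix_secs + unix_nsecs / 1e9
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        first_ms, last_ms = r[7], r[8]
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])),
            "dst": str(ipaddress.IPv4Address(r[1])),
            "sport": r[9], "dport": r[10], "proto": r[13],
            "first_sysuptime_ms": first_ms,
            "last_sysuptime_ms": last_ms,
            # relative -> absolute: export time minus how long before export it happened
            "flow_start_time": export_time - (sys_uptime_ms - first_ms) / 1000.0,
            "flow_end_time": export_time - (sys_uptime_ms - last_ms) / 1000.0,
        })
    return {"sys_uptime_ms": sys_uptime_ms, "export_time": export_time, "flows": flows}


def looks_like_uptime_not_epoch(value):
    """Sanity check for indexed data: anything before 2000-01-01 (946684800)
    cannot be a current absolute timestamp and is likely an unconverted
    relative value."""
    return value < 946684800


# Constructed sample: exporter reports 1757846 ms of uptime (the value from the
# question, reused only as illustrative input) at unix_secs 1700000000.
SAMPLE_PACKET = build_v5_packet(
    1757846, 1700000000, 0,
    [("10.0.0.5", "192.0.2.10", 51234, 443, 6, 10, 1000, 1700000, 1750000)])

if __name__ == "__main__":
    decoded = parse_v5_packet(SAMPLE_PACKET)
    for f in decoded["flows"]:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"First={f['first_sysuptime_ms']}ms start={f['flow_start_time']:.3f} "
              f"end={f['flow_end_time']:.3f} "
              f"raw_looks_relative={looks_like_uptime_not_epoch(f['first_sysuptime_ms'])}")
```

Running it against a capture of the UDP stream from pmacctd (for instance with `socket.recvfrom` bound to the export port) shows whether the raw First/Last fields match the odd values seen in the index; if they do, the collector side is storing the relative fields without applying the header offset, which narrows the troubleshooting to the receiver configuration rather than the exporter or the server clock.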