You can use our guided install process to install the network flow monitoring agent, or install the agent manually. This doc covers the prerequisites for this install process and a step-by-step walk-through of your install options.
Prerequisites
Before you can start, you'll need to sign up for a New Relic account. If you choose to install the agent manually, you also need:
Source devices must be configured to send flow data to the host running the network monitoring agent. Here's how to configure network flow export in some devices (this is not an all-inclusive list):
Network flow monitoring supports the four primary types of network flow data and their derivatives. When running the agent, you will specify which major type you want to monitor using the -nf.source option.
| Network flow version | -nf.source value |
| --- | --- |
| IPFIX | ipfix |
| NetFlow v5 | netflow5 |
| NetFlow v9 | netflow9 |
| sFlow | sflow |
| AppFlow | netflow5 |
| Argus | netflow5 |
| cflowd | netflow5 |
| J-Flow | netflow5 |
| NetStream | netflow5 |
| RFlow | netflow5 |
| Cisco NSEL | netflow9 |
| Cisco ASA | asa |
| Cisco NBAR | nbar |
| Palo Alto Networks | pan |
Important
The agent only supports monitoring one version of network flow at a time. If you want to monitor several versions, each will require a separate agent.
When should you scale network flow collection?
When planning your strategy for collecting network flows at scale, New Relic recommends 1 CPU per 2000 flows-per-second (120,000 flows-per-minute). Deciding whether to horizontally scale multiple agents to distribute load or vertically scale a few larger agents to consolidate management is a matter of personal preference.
Set up network flow data monitoring
For most use cases, we recommend our guided install to set up network flow data monitoring. If your setup is more advanced, with custom configurations, we recommend installing manually.
Copy the snmp-base.yaml file to the local $HOME directory of your Docker user, and discard the container by running:

```bash
cd ~
id=$(docker create kentik/ktranslate:v2)
docker cp $id:/etc/ktranslate/snmp-base.yaml .
docker rm -v $id
```
Edit the snmp-base.yaml file, and add your network flow devices inside the devices dictionary key with the following structure:

```yaml
devices:
  # This key and the corresponding 'device_name'
  # need to be unique for each device
  edge_router:
    device_name: edge_router
    device_ip: 10.10.1.254
    flow_only: true
    # Optional user tags
    user_tags:
      owning_team: net_eng
      environment: production
```
Important
If you're already monitoring SNMP data devices that will also send network flows, you'll want to ensure that the value for device_name is identical for both configuration files to ensure the flow telemetry is attributed to the right entity in the New Relic UI.
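The sizing guidance above (one CPU per 2000 flows per second, one agent per -nf.source value) and the devices block just shown are easy to get wrong by hand once there are more than a few exporters. The following planner is an added example, not part of the New Relic or ktranslate documentation: it takes a constructed inventory (the name, ip, export_type and fps keys are the example's own format, not snmp-base.yaml fields), maps each export type to its -nf.source value using the table on this page, groups exporters into one agent per value, sizes each agent's CPU count, and builds the devices block for that agent while enforcing that device keys and device_name values are unique.

```python
import math
from collections import defaultdict

# Flow export type -> -nf.source value, copied from the table on this page.
NF_SOURCE = {
    "IPFIX": "ipfix", "NetFlow v5": "netflow5", "NetFlow v9": "netflow9",
    "sFlow": "sflow", "AppFlow": "netflow5", "Argus": "netflow5",
    "cflowd": "netflow5", "J-Flow": "netflow5", "NetStream": "netflow5",
    "RFlow": "netflow5", "Cisco NSEL": "netflow9", "Cisco ASA": "asa",
    "Cisco NBAR": "nbar", "Palo Alto Networks": "pan",
}
FLOWS_PER_CPU = 2000  # page guidance: 1 CPU per 2000 flows per second


def plan_agents(exporters):
    """Group exporters into one agent per -nf.source value and size each one.

    exporters: list of dicts with keys name, ip, export_type, fps (a constructed
    inventory format for this example, not snmp-base.yaml fields). Returns a
    dict keyed by -nf.source value holding the 'devices' block for that agent's
    snmp-base.yaml, the summed flows/sec and the CPU count the page's rule gives.
    """
    names = [e["name"] for e in exporters]
    dupes = {n for n in names if names.count(n) > 1}
    if dupes:  # the key and device_name must be unique per device
        raise ValueError(f"device_name must be unique: {sorted(dupes)}")
    plan = defaultdict(lambda: {"devices": {}, "fps": 0})
    for e in exporters:
        source = NF_SOURCE.get(e["export_type"])
        if source is None:
            raise ValueError(f"unsupported flow type {e['export_type']!r}")
        agent = plan[source]
        # Key == device_name so flow telemetry joins the same entity as SNMP data.
        agent["devices"][e["name"]] = {
            "device_name": e["name"], "device_ip": e["ip"], "flow_only": True,
        }
        agent["fps"] += e["fps"]
    for agent in plan.values():
        agent["cpus"] = max(1, math.ceil(agent["fps"] / FLOWS_PER_CPU))
    return dict(plan)


# Constructed sample inventory for this example (not from the page).
SAMPLE = [
    {"name": "edge_router", "ip": "10.10.1.254", "export_type": "sFlow", "fps": 3000},
    {"name": "core_sw1", "ip": "10.10.2.1", "export_type": "J-Flow", "fps": 1500},
    {"name": "fw_dc", "ip": "10.10.3.1", "export_type": "Cisco ASA", "fps": 600},
    {"name": "core_sw2", "ip": "10.10.2.2", "export_type": "NetStream", "fps": 900},
]

if __name__ == "__main__":
    for source, agent in plan_agents(SAMPLE).items():
        print(f"-nf.source={source}: {agent['cpus']} CPU(s), devices={list(agent['devices'])}")
```

With the sample inventory, J-Flow and NetStream land on the same netflow5 agent (2400 flows/sec, so 2 CPUs), while sFlow and Cisco ASA each need their own agent.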
Run ktranslate to listen for network flows by running:

```bash
# Replace $YOUR_NR_LICENSE_KEY, $YOUR_NR_ACCOUNT_ID and $UNIQUE_NAME with your own values.
# The explanatory comments sit above the command on purpose: a comment line placed
# between backslash-continued lines ends the command early.
# If your organization is located in Europe, add:                      -nr_region=EU \
# If you want to use the FedRAMP authorized endpoints, add:            -nr_region=GOV \
# -service_name creates a unique value for `tags.container_service` inside New Relic.
# -flow_only=true disables SNMP collection from the container.
# -nf.source must match the network flow version you export to this container.
docker run -d --name ktranslate-sflow --restart unless-stopped --pull=always --net=host \
  -v `pwd`/snmp-base.yaml:/snmp-base.yaml \
  -e NEW_RELIC_API_KEY=$YOUR_NR_LICENSE_KEY \
  kentik/ktranslate:v2 \
  -snmp /snmp-base.yaml \
  -nr_account_id=$YOUR_NR_ACCOUNT_ID \
  -metrics=jchf \
  -tee_logs=true \
  -service_name=$UNIQUE_NAME \
  -flow_only=true \
  -nf.source=sflow \
  nr1.flow
```
Tip
This command assumes collection of sflow data. If you are collecting other flow types, you should change the suffix in the --name flag for the container and update the -nf.source and -service_name flags as necessary.
Investigate your network flow data in the New Relic UI.
Find and use your metrics
All network flow logs exported from the ktranslate container use the KFlow namespace, via the New Relic Event API. Currently, these are the default fields populated from this integration:
| Attribute | Type | Description |
| --- | --- | --- |
| application | String | The class of program generating the traffic in this flow record. This is derived from the lowest numeric value from l4_dst_port and l4_src_port. Common examples include http, ssh, and ftp. |
| device_name | String | The display name of the sampling device for this flow record. |
|  |  | The target IP:Port tuple for this flow record. This is a combination of dst_addr and l4_dst_port. |
| dst_geo | String | The target country for this flow record, if known. |
| in_bytes | Numeric | The number of bytes transferred for ingress flow records. |
| in_pkts | Numeric | The number of packets transferred for ingress flow records. |
| input_port | Numeric | If_Index value for the interface at the source of this flow record. |
| l4_dst_port | Numeric | The target port for this flow record. |
| l4_src_port | Numeric | The source port for this flow record. |
| output_port | Numeric | If_Index value for the interface at the destination of this flow record. |
| protocol | String | The display name of the protocol used in this flow record, derived from the [numeric IANA protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). |
| provider | String | This attribute is used to uniquely identify various sources of data from ktranslate. Network flow logs will always have the value of kentik-flow-device. |
| sample_rate | Numeric | Sampling rate applied by either the sampling device configuration, or the sample_rate argument in ktranslate. |