NetFlow Logic Integrator for vRealize Operations Insight

NetFlow Logic extends the capabilities of both vRealize Operations and vRealize Log Insight. It is an analytics engine for network flow data (NetFlow, IPFIX, sFlow, etc.). It comes with a Log Insight Content Pack and a vRealize Operations Management Pack.

The installation has a few stages.

  1. Install and configure NetFlow Integrator.
  2. Configure vSphere, NSX and the physical switches to send NetFlow, sFlow, IPFIX, etc.
  3. Install the Log Insight content pack.
  4. Install the vRealize Operations management pack.

The manual is pretty straightforward, so I will only add items that I hope complement it.

Stage 1: NetFlow Integrator

Download it from the NetFlow download page. There are actually three software packages you need to download:

  1. NetFlow Integrator 2.4.
    • I recommend you use the Windows version. I used the VM form factor, which needs manual Linux command lines.
    • The VM only takes 2 vCPU, 4 GB RAM and 1 network.
  2. NFI Updater
    • This small component is installed on top of NFI. It provides NFI with information such as GeoIP, reputation, etc.
  3. NFI Operations Analytics.
    1. This provides the vRealize Operations Insight integration. So there are multiple products to install once you unzip the files.
    2. TP2 Package means this package of software is still in Tech Preview 2. The folks are working closely with the VMware team.

I installed the VM appliance. It needs some Linux command lines. Installation of the NFI Updater is also via CLI, as shown below.

NFI 17

Once installed, it’s time to configure it. There are a few things to do:

  • Input and Output
  • vSphere and NSX integration
  • Top of Rack
  • Additional NFI modules (optional)

To configure input and output, you only need to specify the ports. Add 9995 (NetFlow), 6343 (sFlow) and 2055 (IPFIX). I have to add 6343 because Arista uses sFlow.

NFI config input

Next is the Output. To configure the Log Insight integration, you just need to fill in the dialog box below. NetFlow already knows Log Insight, as you can see it has a drop-down for it!

NFI Log Insight

You need to configure the vSphere and NSX integration. The current version is limited to 1 vCenter per NFI. If you have multiple vCenters, install another NFI. Multiple NFIs can point to the same Log Insight.

NFI 19

To configure the Top of Rack switches, you just need to specify their IP addresses.

NFI TOR

To get the vRealize Operations integration, change the output method from the default 0 to 2.

NFI 1

Stage 2: vSphere, NSX & Physical Switch

There are many articles on how to configure NetFlow in vSphere Distributed Switch and in physical switches. An example for Cisco is here, and for Arista is here.

In vCenter, the default collector port for NFI is 9995. You specify the NFI IP address (not hostname). In my example below, it is 172.16.101.90.

NFI 31

To configure IPFIX in NSX, go to Flow Monitoring and key in the NFI IP address. I use port 2055.

NFI NSX

On the physical switch, here is how to configure Cisco for SNMP v3:

Cisco SNMP v3
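Once the exporters above are pointed at the ports opened in Stage 1, it helps to confirm that each port receives the protocol it was labelled with. The following is an added example, not part of NFI or of the original post: it identifies NetFlow, IPFIX and sFlow v5 datagrams from their headers and reports any that differ from the post's port labels. It assumes the datagrams were captured separately as (exporter IP, destination port, UDP payload) tuples; the exporter addresses and sample bytes are constructed.

```python
import struct

# Listener ports and their labels as given in the post.
PORT_LABELS = {9995: "netflow", 6343: "sflow", 2055: "ipfix"}

def classify(payload: bytes) -> str:
    """Identify the flow-export protocol from the datagram header alone."""
    if len(payload) < 4:
        return "unknown"
    (ver16,) = struct.unpack_from("!H", payload, 0)
    if ver16 in (5, 9):
        # NetFlow v5/v9: 16-bit version, then 16-bit record/flowset count.
        return "netflow"
    if ver16 == 10:
        # IPFIX: 16-bit version 10, then 16-bit total message length.
        (length,) = struct.unpack_from("!H", payload, 2)
        return "ipfix" if length == len(payload) else "unknown"
    (ver32,) = struct.unpack_from("!I", payload, 0)
    if ver32 == 5 and len(payload) >= 8:
        # sFlow v5: 32-bit version, then agent address type (1=IPv4, 2=IPv6).
        (addr_type,) = struct.unpack_from("!I", payload, 4)
        return "sflow" if addr_type in (1, 2) else "unknown"
    return "unknown"

def audit(datagrams):
    """Return (port, exporter, seen_protocol) for every datagram whose
    header does not match the label of the port it arrived on."""
    findings = []
    for exporter, port, payload in datagrams:
        seen = classify(payload)
        if PORT_LABELS.get(port) != seen:
            findings.append((port, exporter, seen))
    return findings

# Constructed sample datagrams (headers only, padded), not captured traffic.
NF5 = struct.pack("!HH", 5, 1) + bytes(20)        # 24-byte NetFlow v5 header
IPFIX = struct.pack("!HHIII", 10, 16, 0, 0, 1)    # 16-byte IPFIX message header
SFLOW = struct.pack("!II4s", 5, 1, bytes([172, 16, 101, 1])) + bytes(16)
SAMPLES = [
    ("172.16.101.10", 9995, NF5),
    ("172.16.101.11", 2055, IPFIX),
    ("172.16.101.12", 6343, SFLOW),
    ("172.16.101.12", 9995, SFLOW),   # sFlow exporter pointed at the NetFlow port
]

if __name__ == "__main__":
    for port, exporter, seen in audit(SAMPLES):
        print(f"port {port}: {exporter} sent {seen}, expected {PORT_LABELS.get(port)}")
```

A finding only means the header differs from the label the post gives that port; it is a prompt to review that exporter's collector settings.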

Stage 3: Log Insight

The Content Pack is not yet available in the Log Insight marketplace. Just upload it manually as per the screenshot below.

NFI 20

Once uploaded, here is what you get:

NFI 21

You get additional information about the traffic.

NFI Log Insight 2

And who is talking to who in your network…

NFI Log Insight 3

You can drill down to see the details.

MFI 40

Stage 4: vRealize Operations

The Management Pack installation is similar to that of a typical Management Pack. The only thing you need to do is provide the URL.

NFI vR Ops

You also need to enable the collection of IP addresses.

NFI vR Ops 2
