Graylog2 · annie-zempel · Apr 7, 2025 · Feb 14, 2025 · Feb 21, 2025 · Feb 24, 2025
diff --git a/Content/Content Packs/NetFlow Content Pack.html b/Content/Content Packs/NetFlow Content Pack.html
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd">
+    <head><title>NetFlow Content Pack</title>
+        <link href="../Resources/TableStyles/Alternate-Row-Color.css" rel="stylesheet" MadCap:stylesheetType="table" />
+    </head>
+    <body>
+        <MadCap:snippetBlock src="../Resources/Snippets/IlluminateBanner.flsnp" />
+        <p>NetFlow is a network protocol that collects and monitors IP traffic flow data, providing insights into network usage, security threats, and performance. It helps analyze traffic patterns, detect anomalies, and troubleshoot network issues by capturing details such as source/destination IPs, ports, protocols, and bandwidth usage.</p>
+        <h2>Requirement(s)</h2>
+        <ul>
+            <li>
+                <p>NetFlowV5, NetFlowV9, IPFIX</p>
+            </li>
+            <li>
+                <p>Graylog Server with a valid enterprise license, running Graylog version 6.0.1+.</p>
+            </li>
+        </ul>
+        <h2>Stream Configuration</h2>
+        <p>This technology pack includes one stream:</p>
+        <ul>
+            <li>
+                <p>“Illuminate:NetFlow Messages”</p>
+            </li>
+        </ul>
+        <p>
+            <section class="infoBox">
+                <div class="title" style="font-weight: normal;"><b>Hint</b>:  If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.</div>
+            </section>
+        </p>
+        <h2>Index Set Configuration</h2>
+        <p>This technology pack includes one index set definition:</p>
+        <ul>
+            <li>
+                <p>“NetFlow Messages”</p>
+            </li>
+        </ul>
+        <p>
+            <section class="infoBox">
+                <div class="title" style="font-weight: normal;"><b>Hint</b>:  If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.</div>
+            </section>
+        </p>
+        <h2>Log Collection</h2>
+        <p>NetFlow utilizies <a href="https://go2docs.graylog.org/current/getting_in_log_data/netflow_input.htm">the NetFlow input</a> that ingests multiple NetFlow product type logs in JSON format.</p>
+        <h2>Log Format Example</h2>
+        <p><code class="linecode">NetFlowV5 [192.168.81.254]:67 &lt;&gt; [192.168.81.134]:68 proto:17 pkts:1 bytes:328</code>
+        </p>
+        <h2>What is Provided</h2>
+        <ul>
+            <li>
+                Rules to normalize and enrich NetFlow log messages.
+            </li>
+        </ul>
+        <h2>NetFlow Log Message Processing</h2>
+        <p>The Illuminate processing of NetFlow log messages provides the following:</p>
+        <ul>
+            <li>
+                Field extraction, normalization, and message enrichment for NetFlow log messages.
+            </li>
+            <li>
+                GIM Categorization of the following messages:
+            </li>
+        </ul>
+        <table style="width: 100%;mc-table-style: url('../Resources/TableStyles/Alternate-Row-Color.css');" class="TableStyle-Alternate-Row-Color" cellspacing="21">
+            <col class="TableStyle-Alternate-Row-Color-Column-Column1" />
+            <col class="TableStyle-Alternate-Row-Color-Column-Column1" />
+            <col class="TableStyle-Alternate-Row-Color-Column-Column1" />
+            <thead>
+                <tr class="TableStyle-Alternate-Row-Color-Head-Header1">
+                    <th class="TableStyle-Alternate-Row-Color-HeadE-Column1-Header1">NetFlow Logtype</th>
+                    <th class="TableStyle-Alternate-Row-Color-HeadE-Column1-Header1">GIM&#160;Category</th>
+                    <th class="TableStyle-Alternate-Row-Color-HeadD-Column1-Header1">GIM&#160;Subcategory</th>
+                </tr>
+            </thead>
+            <tbody>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body1">
+                    <td class="TableStyle-Alternate-Row-Color-BodyB-Column1-Body1">filter</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyB-Column1-Body1">network</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyA-Column1-Body1"><code class="linecode">network.flow</code>
+                    </td>
+                </tr>
+            </tbody>
+        </table>
+        <h2>NetFlow Overview Spotlight</h2>
+        <p>The Illuminate Core Network Overview spotlight can be used to view NetFlow data.</p>
+    </body>
+</html>