Frequently Asked Questions

  • How is the NetFlow Device component licensed?

    NetFlow monitoring by eG Enterprise is licensed by the number of eG External Agents used for collecting flow data from NetFlow-enabled devices. Licensing is NOT restricted by the number of devices/interfaces exporting flow data.

    Each eG External Agent includes one NetFlow Collector, which supports collection of up to 20,000 flows/second.

    Each external agent consumes a Premium Monitor license

  • Are the eG NetFlow tests available for the NetFlow Device component alone?

    The eG NetFlow tests are by default enabled for the NetFlow Device component only. These tests are also mapped to the Fortigate Firewall and Network Node components, but are disabled by default. Using the eG admin interface, you can enable these tests for such components, if you so need.

  • On what port does the eG NetFlow Collector listen?

    By default, the eG NetFlow Collector listens on UDP Port 9996.

  • Can I override the default port?

    Yes, you can. For that, follow the steps below:

    • Login to the system on which the collector service is running.
    • Edit the Netflow.properties file in the <EG_INSTALL_DIR>\Netflow\config directory.
    • By default, the net.bind.port parameter in the file is set to 9996.
    • To change the binding port, provide a different port number against net.bind.port.
    • Then , save the file.

  • Are collector errors logged?

    Yes; errors in the operations of the eG NetFlow Collector are logged in the collector.log file in the <EG_INSTALL_DIR>\NetFlow\logs directory.

  • Can a single eG NetFlow Collector receive NetFlow records from multiple NetFlow devices?

    Yes; a single eG NetFlow Collector is capable of receiving and processing NetFlow records sent by multiple NetFlow devices.

  • What does the collector do if it receives NetFlow records from NetFlow devices that are not managed by eG Enterprise?

    The collector ignores those NetFlow records that are received from NetFlow devices that are not managed by eG Enterprise. Also, in this case, the following message will be logged in the collector.log file in the <EG_INSTALL_DIR>\NetFlow\logs directory:

    30-Oct-2017 12:19:41 WARN Collector:498 - The /61.16.173.233 component is not managed yet. packets from this device is ignored

  • Where does the eG NetFlow Collector store the processed NetFlow data?

    The eG NetFlow Collector processes the NetFlow records it receives from target NetFlow device and stores the processed data in binary files in its <EG_INSTALL_DIR>\NetFlow\data directory. In this directory, the collector creates a sub-folder each for every NetFlow device that it receives NetFlow data from. Upon receipt of NetFlow data from a target device, the collector processes that data, writes the data first to a .tmp file, and then moves it to a .dat file.

  • How frequently does the collector create binary files?

    The collector writes NetFlow data to a binary file every 30 seconds by default. Data will first be written to a *.tmp and then moved to a *.dat file. If there is no data in the *.tmp file, then the *.dat file creation will be delayed by 30 seconds. If the .tmp file is empty for more than 30 minutes, it will be deleted and a new .tmp file will be created with current timestamp.

  • What happens to the binary files after the eG agent reads from them?

    The eG agent deletes the files after reading them. If the eG agent is stopped or if files are not deleted by the agent, then the collector automatically deletes the files.

  • Which are the files the collector deletes?

    Typically, the collector deletes all files that are of an age that is equal to or over 3 times the maximum test frequency of the eG NetFlow tests. For instance, assume that the frequency of the Top Sources, Top Destinations, Top Applications/Protocols, and Top Conversations test is set to 15 minutes, 10 minutes, 5 minutes, and 5 minutes respectively. The maximum frequency therefore is 15 minutes. In this case, the collector will delete all files that are over 45 minutes (3 * 15) old.

  • How frequently does the collector check for old files?

    Every 30 seconds the collector will check the data folder for old files.