Effective network monitoring and diagnostics depend heavily on the proper collection and analysis of NetFlow and Syslog data. Auvik’s TrafficInsights feature relies on this data to provide visibility into traffic patterns and network behavior. However, several common issues can prevent this data from being properly collected or analyzed. Below are four frequent problems that network administrators may encounter, along with guidance on identifying and resolving them.
1. IP Address Not Scanned in Managed Networks
Issue:
For NetFlow or Syslog data to be correctly attributed and analyzed, the IP address sending the data must be scanned and recognized by Auvik. This can become problematic when a device has multiple IP addresses and is discovered using an IP different from the one sending the NetFlow or Syslog traffic.
Impact:
Unrecognized IPs result in TrafficInsights not displaying or analyzing traffic data from those sources, leading to blind spots in network visibility.
Resolution:
Ensure that all relevant IP addresses for devices sending NetFlow packets belong to a subnet that is set to Scan under Manage Networks. This allows Auvik to scan and associate the sending IP with the correct device.
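The attribution rule above can be checked mechanically before looking at TrafficInsights. The following is an added example, not Auvik's code: it takes the subnets set to Scan, every address known for each device (including the one Auvik discovered it on), and the source IPs seen sending NetFlow or Syslog to the collector, and reports which sources will not be attributed. All device names, subnets and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from any real Auvik tenant):
# subnets whose scan setting is "Scan" under Manage Networks.
SCANNED_SUBNETS = ["10.0.10.0/24", "192.168.1.0/24"]

# Each device: the IP Auvik discovered it on, and every IP it actually owns.
DEVICES = {
    "core-sw01": {"discovered": "10.0.10.2",    "addresses": ["10.0.10.2", "10.99.0.2"]},
    "edge-fw01": {"discovered": "192.168.1.1",  "addresses": ["192.168.1.1", "203.0.113.1"]},
    "ap-lobby":  {"discovered": "10.0.10.50",   "addresses": ["10.0.10.50"]},
}

# Source IPs observed sending NetFlow/Syslog to the collector (e.g. from a capture).
EXPORTER_SOURCES = ["10.0.10.2", "10.99.0.2", "203.0.113.1", "10.0.10.50", "10.0.20.9"]


def in_scanned_subnet(ip, subnets=SCANNED_SUBNETS):
    """True when `ip` falls inside at least one subnet that is set to Scan."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in subnets)


def owner_of(ip, devices=DEVICES):
    """Return the device name that owns `ip`, or None if no known device does."""
    for name, info in devices.items():
        if ip in info["addresses"]:
            return name
    return None


def audit_exporters(sources=EXPORTER_SOURCES, devices=DEVICES, subnets=SCANNED_SUBNETS):
    """Return {source_ip: finding} for every exporter source address.

    'ok'               sending IP is in a scanned subnet and will be attributed
    'unscanned:<dev>'  IP belongs to a known device but lies outside every
                       scanned subnet: the exact multi-IP case from issue 1
    'unknown'          IP matches no known device and no scanned subnet
    """
    findings = {}
    for ip in sources:
        dev = owner_of(ip, devices)
        if in_scanned_subnet(ip, subnets):
            findings[ip] = "ok"
        elif dev is not None:
            findings[ip] = f"unscanned:{dev} (discovered as {devices[dev]['discovered']})"
        else:
            findings[ip] = "unknown"
    return findings


if __name__ == "__main__":
    for ip, finding in audit_exporters().items():
        print(f"{ip:<14} {finding}")
```

Every source reported as unscanned needs its subnet added under Manage Networks with the scan setting enabled; until then the data it sends is received but never tied to the device.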
2. Port Binding Conflicts on the Collector
Issue:
Auvik uses specific ports to collect NetFlow and Syslog data. If another application is already bound to these ports on the collector machine, Auvik will not be able to listen on them.
Impact:
Port binding conflicts prevent Auvik from receiving any NetFlow or Syslog data, resulting in a complete loss of monitoring from affected devices.
Resolution:
Verify that the required ports for NetFlow (UDP 2055, 4739, or 9996) and Syslog (UDP 514) are not being used by other applications. Use tools like netstat -abno (Windows) or ss (Linux) to identify port bindings on the collector.
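A bind conflict can also be detected directly by attempting the same bind the collector performs when it starts listening. The following is an added example, not part of the Auvik article or product: it probes each required UDP port with a throwaway socket and reports whether the port is free, already owned by another process, or needs elevated rights to test. It uses only the Python standard library; the port list is the one given above.

```python
import errno
import socket

# Ports the article lists for the collector; adjust if your exporters use others.
NETFLOW_PORTS = [2055, 4739, 9996]
SYSLOG_PORTS = [514]

# Unix reports EADDRINUSE, Windows Python may report the Winsock code (10048);
# both mean "another socket already owns this address and port".
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}


def udp_port_status(port, host="0.0.0.0"):
    """Probe `port` by trying to bind a throwaway UDP socket to it.

    Returns:
      'free'        nothing is bound here; a collector could start listening
      'in-use'      some process already holds the port: either the collector
                    itself, or the conflicting application this issue describes
      'privileged'  bind refused for lack of rights (ports below 1024 on Unix
                    need root, so UDP 514 must be probed as root/administrator)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "free"
    except PermissionError:
        return "privileged"
    except OSError as exc:
        if exc.errno in _IN_USE or getattr(exc, "winerror", None) == 10048:
            return "in-use"
        return f"error:{exc.strerror}"
    finally:
        sock.close()


def audit_ports(ports=NETFLOW_PORTS + SYSLOG_PORTS, host="0.0.0.0"):
    """Return {port: status} for every port the collector is expected to own."""
    return {p: udp_port_status(p, host) for p in ports}


def simulate_conflict(host="127.0.0.1"):
    """Hold an ephemeral UDP port open, standing in for a conflicting application.

    Returns (socket, port); close the socket to release the port again.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind((host, 0))
    return holder, holder.getsockname()[1]


if __name__ == "__main__":
    for port, status in audit_ports().items():
        print(f"UDP {port}: {status}")
```

Interpret the result against what should be running: with the collector stopped, every port should read free; with it running, in-use is expected, and netstat -abno or ss -ulnp will show which process actually holds the port.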
3. Data Not Reaching the Collector
Issue:
Network traffic may be blocked before it reaches the collector due to misconfigured firewall rules or Access Control Lists (ACLs). NetFlow and Syslog are one-way protocols—the data goes from the device to the collector. The collector does not send anything to the device.
Impact:
Even if everything is configured correctly on Auvik, the absence of incoming NetFlow or Syslog traffic to the collector prevents data collection and analysis.
Resolution:
Use packet capture tools (such as Wireshark or tcpdump) on the collector to confirm whether the expected traffic is arriving. If not, check firewall configurations, ACLs, and routing paths to ensure proper delivery of NetFlow and Syslog packets.
Packet capture filters:
- Wireshark: udp.port == <PORTNUMBER>
- tcpdump: tcpdump -i <INTERFACENAME> udp port <PORTNUMBER>
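A capture shows that datagrams arrive, but not whether they are well-formed flow or log data. The following is an added example, not part of the Auvik article or collector: a small Python listener that receives UDP datagrams, decodes only the NetFlow v5/v9, IPFIX or syslog header, and reports the source IP each one came from (the address that issue 1 requires to be scanned). The sample packets are constructed inline; the listening port in the main block is the article's UDP 2055, and because only one process can own that port (issue 2), run it with the Auvik collector stopped.

```python
import socket
import struct

# Header layouts (network byte order) of the export formats a collector sees.
# Only the header is decoded: enough to prove a datagram is flow data and to
# read the sequence number, which should advance from one packet to the next.
V5_HDR = struct.Struct("!HHIIIIBBH")  # version, count, sysUptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
V9_HDR = struct.Struct("!HHIIII")     # version, count, sysUptime, unix_secs, sequence, source_id
IPFIX_HDR = struct.Struct("!HHIII")   # version, length, export_time, sequence, observation_domain


def describe_datagram(payload):
    """Classify one UDP payload as NetFlow v5/v9, IPFIX, syslog or unknown."""
    if len(payload) >= 2:
        version = struct.unpack_from("!H", payload)[0]
        if version == 5 and len(payload) >= V5_HDR.size:
            _, count, _, secs, _, seq, _, _, _ = V5_HDR.unpack_from(payload)
            return {"proto": "netflow-v5", "records": count, "unix_secs": secs, "sequence": seq}
        if version == 9 and len(payload) >= V9_HDR.size:
            _, count, _, secs, seq, source_id = V9_HDR.unpack_from(payload)
            return {"proto": "netflow-v9", "records": count, "unix_secs": secs,
                    "sequence": seq, "source_id": source_id}
        if version == 10 and len(payload) >= IPFIX_HDR.size:
            _, length, secs, seq, domain = IPFIX_HDR.unpack_from(payload)
            return {"proto": "ipfix", "length": length, "unix_secs": secs,
                    "sequence": seq, "domain": domain}
    # Syslog datagrams start with "<PRI>", where PRI = facility * 8 + severity.
    if payload[:1] == b"<":
        end = payload.find(b">", 1, 5)
        if end > 1 and payload[1:end].isdigit():
            pri = int(payload[1:end])
            return {"proto": "syslog", "facility": pri // 8, "severity": pri % 8,
                    "message": payload[end + 1:].decode("utf-8", "replace")}
    return {"proto": "unknown", "bytes": len(payload)}


def receive_samples(sock, max_packets=5, timeout=10.0):
    """Read up to max_packets datagrams from an already bound UDP socket.

    Returns [(source_ip, source_port, description), ...] and stops at timeout.
    An empty list after the timeout means nothing reached this host at all,
    which points at firewall rules, ACLs or routing rather than at Auvik.
    """
    sock.settimeout(timeout)
    seen = []
    try:
        while len(seen) < max_packets:
            data, (ip, port) = sock.recvfrom(65535)
            seen.append((ip, port, describe_datagram(data)))
    except socket.timeout:
        pass
    return seen


def sample_netflow_v5(records=1, sequence=1):
    """Constructed NetFlow v5 datagram: a header plus zero-filled 48-byte records."""
    hdr = V5_HDR.pack(5, records, 123456, 1700000000, 0, sequence, 0, 0, 0)
    return hdr + bytes(48 * records)


def loopback_check(payload, max_packets=1):
    """Send `payload` to a listener on 127.0.0.1 and return what it decoded.

    Proves the listener and decoder work before real exporters are pointed at
    the host, so a later empty capture can be blamed on the network path.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        tx.sendto(payload, ("127.0.0.1", rx.getsockname()[1]))
        return receive_samples(rx, max_packets=max_packets, timeout=3.0)
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    # Listen where the exporters send (UDP 2055 here), collector stopped.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("0.0.0.0", 2055))
    for ip, port, info in receive_samples(listener, max_packets=5, timeout=30.0):
        print(f"{ip}:{port} -> {info}")
```

If datagrams arrive but decode as unknown, the exporter is probably sending a different format or to the wrong port; if they decode correctly but the source IP is not in a scanned subnet, the fix is under issue 1, not here.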
4. Windows Firewall Blocking Inbound NetFlow/Syslog Traffic
Issue:
The Windows Firewall on a machine designated to receive NetFlow or Syslog traffic may block inbound UDP traffic on the respective ports (UDP 514 for Syslog, and ports like 2055, 4739, or 9996 for NetFlow). This can occur if no rules explicitly allow this traffic or if the default firewall policy blocks unsolicited inbound connections.
Impact:
The monitoring or collector service (e.g., the Auvik collector running on the Windows machine) does not receive NetFlow or Syslog data from network devices. This results in missing flow analytics, incomplete device activity reporting, or degraded alerting based on logs.
Resolution:
Identify required ports:
- NetFlow: UDP 2055, 4739, 9996
- Syslog: UDP 514
Create inbound firewall rules:
- Open Windows Defender Firewall with Advanced Security.
- Go to Inbound Rules > New Rule.
- Choose Port > UDP > Enter the required port(s).
- Select Allow the connection, and apply to the appropriate profiles (Domain, Private, Public).
- Name the rule descriptively (e.g., "Allow NetFlow UDP 2055").
Verify:
- Ensure the Auvik collector or Syslog service is listening on the specified ports (e.g., netstat -an | find "2055").
- Use a packet capture tool (e.g., Wireshark) to confirm reception of UDP traffic.
- Confirm that data begins appearing in Auvik.
By systematically checking these four areas (IP scanning, port availability, traffic delivery, and the host firewall), network administrators can effectively troubleshoot and resolve common issues that impact the functionality of TrafficInsights and Syslog monitoring.