Technology developed by NetFlow Logic allows users to effectively solve a broad spectrum of network management and security issues that network operators are facing today.

Our core product, NetFlow Optimizer (NFO), is a powerful real-time processing engine for any type of flow data, including NetFlow, sFlow, J-Flow, and IPFIX.

As flow data is very voluminous it is not practical to use the data directly translated from binary to text or syslog for analysis and visualization. Therefore, NetFlow Optimizer can generate multiple syslogs, each optimized for a specific purpose. NetFlow Optimizer (NFO) uses patented streaming technology which allows processing of flow data up to 10 times faster than competitive products. It can simply translate flow data 1:1 for storage and forensic analysis purposes to satisfy compliance requirements or it can produce optimized and enriched NetFlow records which can then be visualized and processed by other systems.

NetFlow Optimizer enhances the capabilities and value of existing SIEM systems and log analyzers.

Adding flow technology to your network monitoring and analysis tools has never been simpler or more affordable.

• Protect Your Investment.
• Reduce Storage and Bandwidth Costs.
• Accelerate ROI and advance your business goals!

NetFlow Optimizer delivers a critical component for complete network visibility and expands the use of your existing log analyzers and SIEM Systems from vendors like Splunk, VMware, Sumo Logic, etc.

NFO processing engine provides aggregation of records from multiple flow data and log sources, converts it into standard syslog format, and filters to eliminate redundant data. This allows you to save money on storage hardware and license fees for visualization software, which is often based on the amount of processed traffic.

NetFlow Optimizer provides real-time network monitoring and enables advanced level of operational intelligence and security for virtual and physical networks.

NFO delivers the critical component for complete network visibility by extracting valuable data from NetFlow, enriching it with additional information, and making available for correlation with other machine data. It is complementary to traditional network security solutions that can be bypassed by unknown malware and well prepared targeted attacks. When used together with Security Information Event Management (SIEM) systems, it provides an effective solution for detecting advanced security threats such as DDoS attacks, botnets, insider threats, data leakage, etc.

NetFlow Optimizer Benefits

NFO is a software solution. No investment in expensive proprietary hardware is required;
It provides unmatched performance and can process up to 350,000 records per second on an 8-core machine with 16GB of memory. Millions of flow records per second can be processed if multiple instances of NFO are deployed;
Unique real-time consolidation and archiving technology optimizes the flow data sent to the SIEM, without losing the accuracy of the information;
NFO can be deployed in a virtual environment and scales horizontally and vertically with the growth of the enterprise network.

Key Product Features

Provides multi-dimensional views of your network traffic by summing up flow counts, bytes, packets and other flow characteristics per protocol, per application, per network host or per subnet over a period of time, and reports loads on network devices, top bandwidth consumers, and servers’ response times;
Enables actionable virtual and physical network monitoring. Identifies VMs affected by physical network outages. Visualizes virtual and physical network data paths. Supports point-to-point communication tracing: VM – VM, VM – physical host, VM – VM over VXLAN;
Identifies impact of physical network devices and interface failures on the virtual network;
Monitors network devices and interface loads. Measures bandwidth consumption for capacity planning. Identifies applications and users that consume bandwidth;
Enriches flow data with current Reputation, GEO IP and DNS data;
Identifies security threats and traces current known threat sources;
Initiates alerts of anomalous network host behavior and anomalous network traffic including “low and slow” DDoS attacks;

NetFlow Optimizer Deployment

NetFlow Optimizer receives flow data from your network devices, typically sent over UDP protocol. NetFlow analytics and/or original flow data are sent from NFO to any system capable of receiving syslogs over UDP protocol, such as Splunk indexers or Splunk forwarders, rsyslog or syslog-ng, VMware vRealize Log Insight, Sumo Logic, Elastic stack (ELK), or any other SIEM system. These systems store flow information where it can be correlated with other machine data, visualized in dashboards, searched and used for creating alerts.

Deployment with Splunk Enterprise

Combined indexer/search head

In single-instance Splunk Enterprise deployments, where one instance handles everything from input through indexing to search, NFO should be installed on a different server or virtual machine(VM) than the one on which the combined search head / indexer is installed. EDFN could be installed on the same server or VMon which NFO is installed or on a different one. This diagram shows where the processing components reside on the various processing tiers. This type of deployment is suitable for a department or a small enterprise.

In this diagram, starting from the bottom up:

Network device tier. Configure your routers, switches, firewalls, and virtual switches to send flow data to NFO.
NFO / EDFN tier. NFO receives flow data, performs preprocessing and optimization, enriches it with external data provided by EDFN, and sends it to Splunk indexer for storage and indexing.
Splunk tier. You need to install both Technology Add-on for Netflow (TA) and NetFlow Analytics for Splunk and other Apps here. TA defines all the necessary field names and tags for flow data to be CIM-compliant. The Apps provide dashboards, drill downs, searches, and alerting.

Separate Indexers, Search Heads, and Universal Forwarders

In distributed Splunk Enterprise deployments, you may add indexers and search heads to boost performance, and forwarders to ingest data. Typically, in these deployments, universal forwarder (UF) is the right choice. UF can be co-located on the machines that are generating data.

In this diagram, starting from the bottom up:

Network device tier. Configure your routers, switches, firewalls, and virtual switches to send flows data to NFO. Picture firewall and vds
NFO / EDFN /Splunk UF tier. NFO receives flow data, performs preprocessing and optimization, enriches it with external data provided by EDFN, and sends it to Splunk universal forwarder (UF). UF then forwards data to an indexer.
Splunk indexing tier. Technology Add-on for Netflow (TA) is installed here. TA defines all the necessary field names and tags for flow data to be CIM-compliant.
Splunk search head tier. You need to install both Technology Add-on for Netflow (TA) and NetFlow Analytics for Splunk and other Apps here. Note that you install the Technology Add-on for Netflow both here and in splunk indexing tier.

Multi-instance Indexers, Search Heads, Clusters, and Forwarders

In a large enterprise deployment you may have several search heads or a search cluster, several indexers or an index cluster, and many forwarders. You may also have an rsyslog or syslog-ng infrastructure for high availability ingestion of syslog data.

In this diagram, starting from the bottom up:

Network device tier. Configure your routers, switches, firewalls, and virtual switches to send flows data to NFO.
NFO / EDFN tier. NFO receives flow data, performs preprocessing and optimization, enriches it with external data provided by EDFN, and sends it to Splunk forwarder orrsyslog or syslog-ng.
Splunk forwarder / rsyslog / syslog-ng tier. This is the data input for Splunk tier. In this tier you may have Splunk universal or heavy forwarders, and rsyslog / syslog-ng infrastructure.
Splunk indexing tier. Technology Add-on for Netflow (TA) is installed here. TA defines all the necessary field names and tagsfor flow data to be CIM-compliant.
Splunk search head tier. You need to install both Technology Add-on for Netflow (TA) and NetFlow Analytics for Splunk and other Apps here. Note that you install the Technology Add-on for Netflow both here and in splunk indexing tier.

Deployment with Splunk Cloud

NetFlow Logic’s Technology Add-on for NetFlow and NetFlow Analytics for Splunk App both certified and vetted for Splunk Cloud deployment. Whether your organization has self-service or managed Splunk Cloud deployment, you need to install NFO and EDFN in your data center. Splunk forwarders are used to ingest data to Splunk Cloud. Select one of the above scenarios with universal forwarder or heavy forwarder that matches your syslog collection infrastructure.

In this diagram, starting from the bottom up:

Network device tier. Configure your routers, switches, firewalls, and virtual switches to send flows data to NFO.
NFO / EDFN tier. NFO receives flow data, performs preprocessing and optimization, enriches it with external data provided by EDFN, and sends it to Splunk forwarder or rsyslog or syslog-ng.
Splunk forwarder / rsyslog / syslog-ng tier. This is the data input for Splunk tier. In this tier you may have Splunk universal or heavy forwarders, and rsyslog / syslog-ng infrastructure.
Splunk Cloud tier. You need to install both Technology Add-on for Netflow (TA) and NetFlow Analytics for Splunk and other Apps here.

Deployment with VMware vRealize Log Insight

VMware vRealize Log Insight ingests streaming syslogs directly over UDP protocol, or from Log Insight Agents. NetFlow Logic provides Network Metrics Content Pack for Log Insight, which should be installed in Log Insight server. The Content Pack provides dashboards, tables, and intuitive graphsfor security and operational intelligence on both physical and virtual networks.

Ingest flow data directly from NFO

NFO should be installed on a different virtual machine (VM) than the one on which the Log Insight is installed. EDFN could be installed on the same VM on which NFO is installed or on a different one.

In this diagram, starting from the bottom up:

Network device tier. Configure your routers, switches, firewalls, and virtual switches to send flows data to NFO.
NFO / EDFN tier. NFO receives flow data, performs preprocessing and optimization, enriches it with external data provided by EDFN, and sends it to Splunk forwarder or rsyslog or syslog-ng.
Log Insight server tier. Network Metrics Content Pack for Log Insight is installed here.

Ingest flow data with Log Insight Agent

Your organization may have an rsyslog or syslog-ng infrastructure for high availability ingestion of syslog data. NFO should be installed on a different virtual machine (VM) than the one on which the Log Insight is installed. EDFN could be installed on the same VM on which NFO is installed or on a different one.

In this diagram, starting from the bottom up:

Network device tier. Configure your routers, switches, firewalls, and virtual switches to send flows data to NFO.
NFO / EDFN tier. NFO receives flow data, performs preprocessing and optimization, enriches it with external data provided by EDFN, and sends it to Splunk forwarder or rsyslog or syslog-ng.
Log Insight Agent/ rsyslog / syslog-ng tier. This is the data input for Log Insight server tier. In this tier you may have Linux or Windows LI Agents, and rsyslog / syslog-ng infrastructure.
Log Insight server tier. Network Metrics Content Pack for Log Insight is installed here

Standard System Requirements

Hardware/Virtual Appliance
16GB RAM, 8 Cores CPU, 20 GB disk space.

Virtual Appliance
VMware ESXi 5.x and above

Operating System
Linux CentOS 5.5, 6.5, 7 – Debian 6 – RHEL 5.5, 6.5, 7 – SUSE ES 11 (kernel 2.6+ 64-bit)
Windows Server 2008 R2, 2012, and 2012 R2 (64-bit)

Quick Navigation;