
Problem with Custom Flow Rules (customflowrules.osr)


I have modified the custom flow rules so we can start doing sFlow monitoring. It is working great except for one group/channel/rule. In particular, the custom "Compellent" group (ID 3010 in the XML running on port 3260) is not separating and that traffic is appearing under "Various". I suspect that I have an error in my rule but I can't seem to figure out what the issue is. I have run this through an XML validator and have looked at the group and channel IDs to make sure I don't have overlap so I'm coming here so the experts can help me pinpoint this problem.

The top connections show a high volume of data on Destination Port 3260 between 12:00 and 12:15. (Screenshot: Top Connections)

Meanwhile, the top protocols list is classifying that as "Various" (note the same time range is selected). (Screenshot: Top Protocols)

If anyone can help look at this XML to see if I have any issues it would be appreciated. The XML is below:

<?xml version="1.0" encoding="ISO-8859-1"?>
<groups>
	<group id="3001" name="WWW-In">
		<caption>WWW-In</caption>
		<help>WWW-In</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1001" name="WWW-In">
				<rule>
					(Protocol[TCP] and (SourcePort[80] or SourcePort[8080])) OR (Protocol[TCP] and (SourcePort[443]))         
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3002" name="WWW-Out">
		<caption>WWW-Out</caption>
		<help>WWW-Out</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1002" name="WWW-Out">
				<rule>
					(Protocol[TCP] and (DestinationPort[80] or DestinationPort[8080])) OR (Protocol[TCP] and (DestinationPort[443]))
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3003" name="FTP">
		<caption>FTP</caption>
		<help>FTP</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1003" name="FTP">
				<rule>
					Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3004" name="Mail">
		<caption>Mail</caption>
		<help>Mail Traffic</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1004" name="IMAP">
				<rule>
					(Protocol[TCP] or Protocol[UDP]) and   ( DestinationPort[143] or SourcePort[143]  or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993]  )
				</rule>
			</channel>
			<channel id="1005" name="POP3">
				<rule>
					Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])
				</rule>
			</channel>
			<channel id="1006" name="SMTP">
				<rule>
					Protocol[TCP] and (SourcePort[25] or DestinationPort[25] or SourcePort[587] or DestinationPort[587])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3005" name="Remote Control">
		<caption>Remote Control</caption>
		<help>Remote Control</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1007" name="RDP">
				<rule>
					(Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389] or SourcePort[3390] or DestinationPort[3390])
				</rule>
			</channel>
			<channel id="1008" name="SSH">
				<rule>
					Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
				</rule>
			</channel>
			<channel id="1009" name="Telnet">
				<rule>
					Protocol[TCP] and (SourcePort[23] or DestinationPort[23])
				</rule>
			</channel>
			<channel id="1010" name="VNC">
				<rule>
				Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900])
				</rule>
			</channel>
			<channel id="1011" name="Kaseya">
				<rule>
					Protocol[TCP] and (SourcePort[5721] or DestinationPort[5721])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3006" name="Infrastructure">
		<caption>Infrastructure</caption>
		<help>Network Services</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1012" name="DHCP">
				<rule>
					Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68])  )
				</rule>
			</channel>
			<channel id="1013" name="DNS">
				<rule>
					(Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])
				</rule>
			</channel>
			<channel id="1014" name="Ident">
				<rule>
					Protocol[TCP] and (SourcePort[113] or DestinationPort[113])
				</rule>
			</channel>
			<channel id="1015" name="ICMP">
				<rule>
					Protocol[ICMP]
				</rule>
			</channel>
			<channel id="1016" name="SNMP">
				<rule>
					(Protocol[TCP] OR Protocol[UDP] and (SourcePort[161-162] or DestinationPort[161-162])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3007" name="NetBIOS">
		<caption>NetBIOS</caption>
		<help>NetBIOS</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1017" name="NETBIOS">
				<rule>
					(Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139]  OR SourcePort[137-139])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3008" name="Unitrends">
		<caption>Unitrends</caption>
		<help>Unitrends</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1018" name="Unitrends">
				<rule>
					(Protocol[TCP] or Protocol[UDP]) and (SourcePort[8006] or DestinationPort[8006])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3009" name="Watchguard">
		<caption>Watchguard</caption>
		<help>Watchguard</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1019" name="Watchguard">
				<rule>
					(Protocol[TCP] or Protocol[UDP]) and (DestinationPort[4115] or SourcePort[4115] or DestinationPort[4117] or SourcePort[4117])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3010" name="Compellent">
		<caption>Compellent</caption>
		<help>Compellent</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1020" name="Compellent">
				<rule>
					(Protocol[TCP] or Protocol[UDP]) and (SourcePort[3260] or DestinationPort[3260])
				</rule>
			</channel>
		</channels>
	</group>
	<group id="3011" name="Various">
		<caption>Other Protocols</caption>
		<help>Various</help>
		<defaultvalue>1</defaultvalue>
		<channels>
			<channel id="1021" name="OtherUDP">
				<rule>
					Protocol[UDP]
				</rule>
			</channel>
			<channel id="1022" name="OtherTCP">
				<rule>
					Protocol[TCP]
				</rule>
			</channel>
		</channels>
	</group>
</groups>

Tags: netflow, sflow, xml

Created on Jan 10, 2018 3:07:41 PM



4 Replies


Hi there,

Please enable "Log Stream Data to Disk (for Debugging)" for the "Other" channel for a short period of time (15 minutes) in the sensor settings. The logs can then be found in PRTG's data directory (by default C:\ProgramData\Paessler\PRTG Network Monitor\) in the "Logs (Sensors)" folder with the sensor ID.
The sensor ID can be found in the upper right corner of the sensor's channel overview or within the URL when you click on the sensor.

Please forward us the logs by mail via [email protected]. Please put "PAE979413" into the Subject line.

Best regards.

Created on Jan 12, 2018 11:24:10 AM by  Dariusz Gorka [Paessler Support]




Dariusz,

After letting it run for about 30 minutes, the log was empty. After reviewing the sensor output, I confirmed that the "Other" channel never logs any data because the "Various" channel is pulling all of the not-otherwise-categorized data. Should I delete the "Various" custom channel and try again so that all of that is then categorized as "Other"?

Created on Jan 12, 2018 9:54:32 PM




Dariusz,

I have removed the "Various" group from the custom flow rules, and now the "Compellent" section is being properly identified. Any idea why that would be? I don't need the "Various" group so long as everything goes to "Other", so at this point, I think I'm OK but any solution might help others coming by here in the future.

Created on Jan 12, 2018 10:21:27 PM




I can't explain why that would have caused issues with the Compellent channel not showing anything. I highly recommend the Various channel not be used, and only the Other channel be left as the catch-all.

Created on Jan 16, 2018 1:16:36 AM by Benjamin Day [Paessler Support]
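
The posted rules file and the support recommendation above come down to the same two checks, so here is an added example (written for this page; not Paessler code and not anything posted in the thread): a Python script that lints a customflowrules file of the shape shown above and replays a sample flow against every channel rule. Its view of the rule language is an assumption limited to what this page shows (Protocol[...], SourcePort[...] and DestinationPort[...] with a single port or an a-b range, and/or, parentheses); the real grammar may be wider, and how PRTG resolves a flow that satisfies several channels is not documented here, so the script simply reports every match. The embedded XML is a constructed, abbreviated copy of three of the posted groups, and the flow field names proto/sport/dport are the example's own. Run on that sample, the linter reports two things an XML validator cannot: the SNMP rule's parentheses do not balance (the "(" before Protocol[TCP] is never closed, which is also visible in the posted file), and both "Various" channels test only Protocol[...], so a TCP flow to port 3260 satisfies the Compellent rule and OtherTCP at the same time. Whether either of these is what PRTG tripped over is not established by the thread.

```python
"""Lint a PRTG customflowrules-style XML file and replay a flow against its channel rules.
Added example, not Paessler code: it knows only the grammar visible in the thread (Protocol[X],
SourcePort/DestinationPort[n] or [a-b], and/or, parentheses) and reports every matching channel."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

TOKEN = re.compile(r"\s*(?:(?P<field>Protocol|SourcePort|DestinationPort)\[(?P<val>[^\]]+)\]"
                   r"|(?P<op>and|or)\b|(?P<paren>[()]))", re.IGNORECASE)

def tokenize(rule):
    """-> list of ('atom', field, value), ('and',), ('or',), ('(',), (')',); keywords case-insensitive."""
    rule, pos, out = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected text {rule[pos:pos + 20]!r}")
        pos = m.end()
        out.append(("atom", m.group("field").lower(), m.group("val").strip()) if m.group("field")
                   else ((m.group("op") or m.group("paren")).lower(),))
    return out

def compile_rule(rule):
    """One <rule> text -> predicate over {'proto','sport','dport'}; ValueError if the rule is malformed."""
    toks, i = tokenize(rule), 0
    def accept(kind):                       # consume the next token if it is of the given kind
        nonlocal i
        ok = i < len(toks) and toks[i][0] == kind
        i += ok                             # advance only on a match (True == 1)
        return ok
    def expr():                             # expr := term ('or' term)*
        left = term()
        while accept("or"):
            left = (lambda a, b: lambda fl: a(fl) or b(fl))(left, term())
        return left
    def term():                             # term := factor ('and' factor)*
        left = factor()
        while accept("and"):
            left = (lambda a, b: lambda fl: a(fl) and b(fl))(left, factor())
        return left
    def factor():                           # factor := '(' expr ')' | Field[value]
        if accept("("):
            inner = expr()
            if not accept(")"):
                raise ValueError("expected ')' before " + (repr(toks[i]) if i < len(toks) else "end of rule"))
            return inner
        if not accept("atom"):
            raise ValueError(f"expected Protocol/SourcePort/DestinationPort[...] at token {i}")
        _, field, val = toks[i - 1]
        if field == "protocol":
            return lambda fl: fl["proto"].upper() == val.upper()
        lo, _, hi = val.partition("-")      # "3260" or "161-162"
        lo, hi, key = int(lo), int(hi or lo), ("sport" if field == "sourceport" else "dport")
        return lambda fl: lo <= fl[key] <= hi
    pred = expr()
    if i < len(toks):                       # e.g. a stray closing parenthesis
        raise ValueError(f"unexpected {toks[i]!r} after a complete expression")
    return pred

def channels(root):                         # (group name, channel id, channel name, rule) in file order
    for g in root.iter("group"):
        for c in g.iter("channel"):
            yield g.get("name"), c.get("id"), c.get("name"), c.findtext("rule", "")

def lint(xml_text):
    """Duplicate ids, rules that do not parse, and channels whose rule tests only Protocol[...]."""
    root = ET.fromstring(xml_text)
    findings = [f"duplicate {what} id {i}" for what in ("group", "channel")
                for i, n in Counter(e.get("id") for e in root.iter(what)).items() if n > 1]
    for gname, cid, cname, rule in channels(root):
        label = f"{gname}/{cname} (channel {cid})"
        try:
            compile_rule(rule)
        except ValueError as e:
            findings.append(f"{label}: rule does not parse: {e}")
            continue
        if not re.search(r"(Source|Destination)Port\[", rule, re.IGNORECASE):
            findings.append(f"{label}: tests only Protocol[...], so it matches every flow of that protocol")
    return findings

def classify(xml_text, flow):
    """Every 'Group/Channel' whose rule matches the flow; rules that do not parse are skipped."""
    def matches(rule):
        try:
            return compile_rule(rule)(flow)
        except ValueError:
            return False
    return [f"{g}/{c}" for g, _, c, rule in channels(ET.fromstring(xml_text)) if matches(rule)]

# Constructed, abbreviated copy of three groups from the posted file (caption/help/defaultvalue omitted).
SAMPLE_RULES = """<groups>
  <group id="3006" name="Infrastructure"><channels><channel id="1016" name="SNMP">
    <rule>(Protocol[TCP] OR Protocol[UDP] and (SourcePort[161-162] or DestinationPort[161-162])</rule>
  </channel></channels></group>
  <group id="3010" name="Compellent"><channels><channel id="1020" name="Compellent">
    <rule>(Protocol[TCP] or Protocol[UDP]) and (SourcePort[3260] or DestinationPort[3260])</rule>
  </channel></channels></group>
  <group id="3011" name="Various"><channels>
    <channel id="1021" name="OtherUDP"><rule>Protocol[UDP]</rule></channel>
    <channel id="1022" name="OtherTCP"><rule>Protocol[TCP]</rule></channel>
  </channels></group>
</groups>"""
```

Calling lint(SAMPLE_RULES) returns three findings (the SNMP parse error and one catch-all warning per "Various" channel), and classify(SAMPLE_RULES, {"proto": "TCP", "sport": 51234, "dport": 3260}) returns both Compellent/Compellent and Various/OtherTCP, which is the overlap the thread ended up removing. Point lint() at the full file before loading it into PRTG; a rule that fails to parse here is worth a second look even if PRTG accepts the file, since a validator only checks the XML, not the rule text inside it.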




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.