Cisco ASA netflow export template type

[filobeddo]

I have netflow exporting from Cisco ASA's (5550's) and have a question.
My current configuration has the following:

Code: Select all

policy-map my_policy
class my class
flow-export event-type all destination x.x.x.x

With this configuration I see that in Scrutinizer when I do a report I have three options:

All Templates
ASA NSEL v4 Flow Creation (930)
ASA NSEL v4 Teardown (939)
ASA NSEL Extended v4 flow teardown (941)

I typically use the v4 Teardown profile when viewing reports; I seem to remember I read it somewhere as the recommend option to use.

I've now figured out Scrutinizers MySQL database layout (thanks to a response to my last post!) and I can see that having these three templates recorded uses quite allot more storage space than just one.

So my question is, if I where to change my configuration to only export the flow-teardown template as follows:

Code: Select all

policy-map my_policy
class my class
flow-export event-type flow-teardown destination x.x.x.x

what would I be loosing as a price for the saving in storage this will gain ?

Many thanks.

[BenjaminM]

Hi filobeddo,

The data you would save should be negligible if you disable the other templates. We do some cross referencing when reporting on some of these templates.

What particular information do you report on?

Thanks,
Ben

[filobeddo]

I don't have specific scheduled reports running on this data.
I uses it generally for keeping a bead on what goes where when and how much, and also for disproving the usual nonsense you get to hear being in the networks business.

Looking at my data folder for one of my ASA's I see the following.

Exporter data folder = 222gigs
930 template = 72gigs
939 template = 34.5gigs
941 template = 97.7gigs
104 (totals) = 16.6gigs

I see that its not direct duplication and that the 941 template seems to contain the most information.
I don't have a storage issue, I was just wondering if I needed all this data saved.

[BenjaminM]

Hi filobeddo,

Can you give me a little more information than that? This may help me better answer this question.

How are you getting the data for each template?

Thanks,
Ben

[filobeddo]

Hi, sorry, forgot to reply to my own thread!

" How are you getting the data for each template? "

If you mean how am I getting the size data I am just file filtering on the SQL data folder for the template identifiers (930, 393, 341) then doing a select all and properties to determine the size on disk.

If you mean how am I getting these data into Scrutinizer then just via the policy/export configuration on our ASA(s) with the ALL event type and no ACL filters applied.

Please don't put too much effort into this one as I was really just wondering if the data was three duplicates of the same and thus a waste of storage. Having looked at the sizes in my second post and your remark about cross-referencing I can see that these are different sets.

Many thanks.

[BenjaminM]

Hi filobeddo.

Ah, I see. If you have any further questions do not hesitate to ask them on the forums.

Thnks,
Ben