icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading MetaFlows Network Security Event Viewer
SHA256 checksum (metaflows-network-security-event-viewer_12.tgz) 79c3766c1ff4da09f6efa3bc9361d6051c9a767b7598f90ae0cb3c4f5be313be SHA256 checksum (metaflows-network-security-event-viewer_11.tgz) 939661d76f1ce8b5fa772a643b115260c388e191b3b2979c5621d288498425f0 SHA256 checksum (metaflows-network-security-event-viewer_10.tgz) 99b6096d3d6c3a6144883ab59549a4139c55909dae90d39ccbd03b5e77bd9465
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

MetaFlows Network Security Event Viewer

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for youhere.
Once you deploy a MetaFlows passive sensor on your network, this app provides an unprecedented amount of security information aimed at catching Malware and other dangerous uses of your network that could destroy your operations. Receives and correlates different types of network security events generated by the MetaFlows Security System's sensors: IDS, Network Logs, Multisession Incident Reports, Suspicious Files In/Out/ URLs, Mod Security, User Discovery, New MAC Discovery, Host Discovery, Service Discovery, Application discovery, etc. Offers drill down links to fetch packet payloads from the MetaFlows sensors and perform further forensic analysis.

MetaFlows developed a splunk application to receive all sensor events on Splunk through an SSL encrypted channel called metaflows-syslog. The events are automatically categorized as follows:

Multisession Analysis
High Priority Events
IDS Events
Network Logs (3rd party logs sent to the sensors)
File Transmission Analysis
User Discovery
Service Discovery
Host Discovery
Mac Discovery
Suspicious URL Transmission Analysis
IPS Notifications
User Rankings

Events volumes are also broken down by addresses, ports and other important invariants like sensor names, domains types, applications, etc.. It is possible to click on all summary records fileds to either drilldown on Splunk or drill down on the MetaFlows' web application to obtain more detailed forensic information like packets payloads.
Splunk app Installation

-- App Installtion --
The app is available from SplunkWeb[2]. Please download and install the application using your Splunk application manager. The app receives syslog messages on tcp port 3015 encapsulated using SSL. The default installation includes a generic self-signed SSL certificate in the cert directory. This certifcate was generated using the commands:
export OPENSSL_CONF=$SPLUNK_HOME/openssl/openssl.cnf
$SPLUNK_HOME/bin/genRootCA.sh -d $SPLUNKHOME/etc/apps/SplunkforMetaFlows/certs
$SPLUNK_HOME/bin/genSignedServerCert.sh -d $SPLUNKHOME/etc/apps/SplunkforMetaFlows/certs -n splunk -p

We recommend you generate a new SSL ceritificate using your own phassphrase by repeating the commands above.
The passphrase you enter when generating the certificate should then be placed in $SPLUNK_HOME/etc/apps/SplunkforMetaFlows/default/inputs.conf under the [SSL] stanza as:
password = <yourpassword>

-- Sensor Configuration --
In order for Splunk to receive MetaFlows's sensors event you need to add the following line to your /nsm/etc/mss.sh startup script

export SYSLOG2=<splunk_host_ip_address>:3015

where <splunk_host_ip_address> is the ip address of the host where Splunk is running. After this, restart your sensor(s) with the command

/nsm/etc/mss.sh restart

Make sure that tcp port 3015 is open and the sensor can communicate with your Splunk host.

Release Notes

Version 1.2
June 27, 2017

Added documentation regarding SSL certificate.

Version 1.1
June 5, 2017

Placed Build number in correct stanza

Version 1.0
June 2, 2017

Version 1.0
Must process events originating from metaflows sensors on port 3015
Drilldown only supports SaaS accounts on nsm.metaflows.com


Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.