Flow Replicator Vs UDP Forwarder

Recently a customer called in asking about our UDP Forwarder. At first I wasn’t sure what they were talking about, but as they explained what they were looking for, it dawned on me that they were actually referring to our Flow Replicator.

What is a Flow Replicator(TM)

A Flow Replicator is a system that receives UDP streams from hundreds or even thousands of devices, duplicates them, replaces the destination IP address of each frame with a new one, and forwards the copies to the new destinations without modifying the original source IP address. This can be done for any type of UDP datagram, including but not limited to syslogs, SNMP traps, NetFlow, sFlow, and IPFIX.

Oftentimes our customers leverage our UDP Forwarder (Flow Replicator) to duplicate a single syslog stream and send it to multiple SIEM systems (e.g. Splunk) and perhaps a Cisco Prime installation. In short, the Flow Replicator allows the network or security admin to configure the routers to forward syslogs to one IP address (i.e. the Flow Replicator), which will in turn forward the datagrams to multiple destinations.

Keeping the original source IP address intact is important because we want the SIEM, NetFlow, or IPFIX collector to believe it is receiving the UDP datagrams directly from the original router, switch, or server that is actually exporting the data. If the collector or SIEM needs to reach out to the exporter for any reason (e.g. SNMP), it will query the original source IP address and not the Flow Replicator.
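The rewrite described above, as an added example that is not the Flow Replicator's own code: a pure function that copies one IPv4/UDP packet per collector, changes only the destination address, and recomputes the IP header and UDP checksums, both of which cover the destination. The function names, addresses, ports and payload are assumptions constructed for illustration.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src, dst, sport, dport, payload):
    """Build an IPv4/UDP packet; used only to construct the sample input."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    csum = checksum(s + d + struct.pack("!BBH", 0, 17, ulen) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, 17, 0, s, d)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + udp

def replicate(packet, collectors):
    """Return one copy per collector; only destination and checksums change."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4            # header length, IP options included
    ulen = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    copies = []
    for collector in collectors:
        pkt = bytearray(packet)
        pkt[16:20] = socket.inet_aton(collector)    # source at 12:16 untouched
        pkt[10:12] = b"\x00\x00"
        pkt[10:12] = struct.pack("!H", checksum(bytes(pkt[:ihl])))
        if packet[ihl + 6:ihl + 8] != b"\x00\x00":  # 0 = sender sent no UDP checksum
            pkt[ihl + 6:ihl + 8] = b"\x00\x00"
            pseudo = bytes(pkt[12:20]) + struct.pack("!BBH", 0, 17, ulen)
            csum = checksum(pseudo + bytes(pkt[ihl:ihl + ulen])) or 0xFFFF
            pkt[ihl + 6:ihl + 8] = struct.pack("!H", csum)
        copies.append(bytes(pkt))
    return copies

# Constructed sample: a router at 10.1.1.1 sends syslog to the replicator at 192.0.2.10.
SAMPLE = build_packet("10.1.1.1", "192.0.2.10", 40000, 514, b"<134>constructed syslog line")
COPIES = replicate(SAMPLE, ["198.51.100.5", "198.51.100.6"])
```

Each copy is byte-identical to what the router would have sent had it been configured with that collector as its destination, which is why the collector attributes the data to the exporter rather than to the replicator.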

There is a great YouTube video on the Flow Replicator which also explains the features and benefits.

What is a UDP Forwarder

A UDP Forwarder is the generic term for our trademarked solution called the Flow Replicator(TM).

[Diagram: Flow Replicator]

The above UDP Forwarder diagram provides an overview of how many of our customers put a system like ours into production.

UDP Fanout or UDP Forwarder

I have had customers call in looking to set up a UDP Fanout as well, which is another name for a UDP Forwarder or our Flow Replicator.

Other Benefits of the Flow Replicator

  • Syslog to IPFIX Gateway: This functionality is another feature supported by the Flow Replicator. Because the syslog format is unstructured and generally proprietary, correlation of events can be difficult to script between vendors. The nature of the protocol results in numerous updates, causing broken comparison logic between log formats. By converting syslogs and other machine logs to IPFIX, the data becomes structured and standardized, resulting in faster queries and software code that doesn’t quickly become out of date.
  • Scaling for Capacity: When log volumes are too great for any one system, flow replicators can be employed to divvy up the load and ensure that the logging solution scales to meet the needs of the organization.
  • Scales like crazy: A single Flow Replicator (UDP Forwarder) can receive UDP at wire speed. I’ve seen our system receive over 100,000 flows per second from over 500 routers, double the UDP datagrams (200,000 flows per second) and then forward them out to two destinations. The ability to scale isn’t a problem for the Flow Replicator, and it can be set up for failover as well.

Contact our team to start your evaluation of the Flow Replicator.