User Identity in Flowmon Solution
- Last Updated: April 5, 2026
Traditional flow-based monitoring tools report on IP addresses and DNS names. Flowmon extends this visibility to L2 (MAC addresses) and to the user identity level. Obtaining user identity manually is a time-consuming task: it means analyzing the audit logs of Active Directory or, in general, of a network access control system. Flowmon extends the primary flow data with user identity, so you can easily analyze and report on network traffic and anomalies with respect to concrete users. The user identity monitoring feature is available as part of the Flowmon Collector without any additional licenses. Using the Flowmon Configuration Center, you configure external syslog sources together with parsing rules for the individual log formats. Looking up user identities in third-party systems while analyzing flow data is no longer needed, which makes troubleshooting and investigating security incidents more efficient and less time-consuming. Rules are based on syslog-ng pattern parsers; for more information, refer to the official syslog-ng documentation.
This document explains how user identity awareness works in the Flowmon solution and how to integrate Flowmon with Active Directory using the syslog protocol to get user-level visibility.
User identity awareness in Flowmon extends each flow record with two items, source IP user ID and destination IP user ID, which let you look for the traffic related to a concrete user. When investigating security incidents, you have accurate information about the users behind the involved hosts. Additionally, top N statistics based on user identities are available, so you can use this attribute both in online analysis and in long-term reporting. You can also filter on it with the keyword uid, src uid, or dst uid to show only traffic related to a particular user. When available, the user identity of the event source is part of the event details in Flowmon ADS.
Configuration for Active Directory
We recommend using one of the available tools for converting event log records to syslog messages. NXLog Community Edition is used as an example here, but any other tool serving the same purpose can be used. The tool forwards events from the local Windows installation to the target syslog server (the Flowmon Collector in this case).
After you deploy NXLog (or another tool), check the network configuration: set the destination server address (the Flowmon Collector IP address) and verify the protocol and port (UDP/514). In NXLog, you configure this by editing the nxlog.conf configuration file, as in the example below.
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Syslog formatting functions (to_syslog_snare() below comes from this module)
<Extension _syslog>
    Module xm_syslog
</Extension>

# Read the Windows Security event log, which holds the logon/logoff audit events
<Input SecurityEventLog>
    Module im_msvistalog
    PollInterval 10
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System/Level=0]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward the events as Snare-formatted syslog over UDP/514 to the Flowmon Collector
<Output FlowmonSyslog>
    Module om_udp
    # Flowmon appliance IP address
    Host a.b.c.d
    Port 514
    Exec to_syslog_snare();
</Output>

<Route SecurityEventLog_to_FlowmonSyslog>
    Path SecurityEventLog => FlowmonSyslog
</Route>
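To make concrete what the parsing rules described earlier do with the logon events this configuration forwards, here is an added Python illustration (not Flowmon's code and not its syslog-ng pattern syntax): it extracts the user and source address from constructed, simplified Windows logon events, builds the IP-to-user table, and applies it to flow records the way the src uid / dst uid fields and the uid filter keyword behave. The sample log lines, the event field layout and the "most recent logon wins" policy are assumptions of this example.

```python
import re
from ipaddress import ip_address

# Constructed sample syslog payloads (not real captures), simplified to the fields a
# mapping rule needs from Windows Security event 4624 (successful logon) and 4625
# (failed logon). Real 4624 messages also carry a "Subject" block with its own
# "Account Name"; a production rule must match the "New Logon" block instead.
SAMPLE_LOGS = [
    "<13>Apr  5 10:01:02 DC01 MSWinEventLog Security 4624 An account was successfully "
    "logged on. Account Name: alice Account Domain: CORP Logon Type: 3 "
    "Source Network Address: 10.0.0.15",
    "<13>Apr  5 10:02:10 DC01 MSWinEventLog Security 4624 An account was successfully "
    "logged on. Account Name: DC01$ Account Domain: CORP Logon Type: 3 "
    "Source Network Address: 10.0.0.5",
    "<13>Apr  5 10:03:00 DC01 MSWinEventLog Security 4624 An account was successfully "
    "logged on. Account Name: bob Account Domain: CORP Logon Type: 10 "
    "Source Network Address: 10.0.0.15",
    "<13>Apr  5 10:04:00 DC01 MSWinEventLog Security 4625 An account failed to log on. "
    "Account Name: eve Account Domain: CORP Logon Type: 3 "
    "Source Network Address: 10.0.0.99",
]

# Only successful logons (4624) bind a user to an address; failed logons do not.
LOGON_RE = re.compile(
    r"\b4624\b.*?Account Name:\s*(?P<user>\S+)\s+Account Domain:\s*(?P<domain>\S+)"
    r".*?Source Network Address:\s*(?P<ip>[0-9A-Fa-f.:]+)"
)

def build_identity_map(lines):
    """Return {ip: 'DOMAIN\\user'}; the most recent logon seen for an address wins."""
    mapping = {}
    for line in lines:
        m = LOGON_RE.search(line)
        if not m:
            continue  # failed logons and unrelated events carry no identity
        user, domain, ip = m["user"], m["domain"], m["ip"]
        if user.endswith("$"):
            continue  # machine accounts would mask the person behind the host
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # "-" style placeholders are not usable addresses
        if addr.is_loopback:
            continue  # console logons on the DC itself map to no client host
        mapping[str(addr)] = f"{domain}\\{user}"
    return mapping

def enrich_flow(flow, identity_map):
    """Attach src_uid / dst_uid to a flow record, like Flowmon's user identity fields."""
    return {**flow, "src_uid": identity_map.get(flow["src_ip"]),
            "dst_uid": identity_map.get(flow["dst_ip"])}

def filter_uid(flows, uid):
    """Mimic the 'uid' filter keyword: match the user on either end of the flow."""
    return [f for f in flows if uid in (f.get("src_uid"), f.get("dst_uid"))]
```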