netflow
- Version: 3.3.0
- Released on: February 12, 2017
- Changelog
Getting Help
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Description
The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
Supported Netflow/IPFIX exporters
The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:

| Netflow exporter | v5 | v9 | IPFIX | Remarks |
|---|---|---|---|---|
| Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd |
| nProbe | y | y | y | |
| ipt_NETFLOW | y | y | y | |
| Cisco ASA | | y | | |
| Cisco IOS 12.x | | y | | |
| fprobe | y | | | |
| Juniper MX80 | | y | | SW > 12.3R8 |
| OpenBSD pflow | y | n | y | |
| Mikrotik 6.35.4 | y | | n | |
| Ubiquiti Edgerouter X | | y | | With MPLS labels |
| Citrix Netscaler | | | y | Still some unknown fields, labeled netscalerUnknown<id> |
Usage
Example Logstash configuration:

```
input {
  udp {
    host => localhost
    port => 2055
    codec => netflow {
      versions => [5, 9]
    }
    type => netflow
  }
  udp {
    host => localhost
    port => 4739
    codec => netflow {
      versions => [10]
      target => ipfix
    }
    type => ipfix
  }
  tcp {
    host => localhost
    port => 4739
    codec => netflow {
      versions => [10]
      target => ipfix
    }
    type => ipfix
  }
}
```
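To make concrete what the codec decodes on the v5 listener above, here is an added Python example (not code from the codec or from Logstash) that parses a NetFlow v5 datagram and rejects truncated or mismatched packets before emitting flow events. The output field names (ipv4_src_addr, in_bytes, and so on) are assumed to mirror the codec's naming, and the sample datagram is constructed inline.

```python
import socket
import struct

# NetFlow v5 wire layouts, network byte order (header 24 bytes, record 48 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_packet(flows, flow_seq=100):
    """Construct a NetFlow v5 export datagram from flow dicts (constructed test input)."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1486900000, 0, flow_seq, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton("0.0.0.0"),
            1, 2, f["pkts"], f["bytes"], 1000, 2000, f["sport"], f["dport"],
            0, f.get("flags", 0), f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + records

def decode_v5(data):
    """Decode one NetFlow v5 datagram into (header dict, list of flow dicts).
    Non-v5 data and datagrams whose declared record count does not match the
    actual length (truncated or padded) raise ValueError instead of yielding garbage."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header declares {count} records but datagram is {len(data)} bytes")
    header = {"version": version, "flow_seq_num": seq, "unix_secs": secs,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits; top 2 bits are the mode
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "ipv4_src_addr": socket.inet_ntoa(r[0]), "ipv4_dst_addr": socket.inet_ntoa(r[1]),
            "ipv4_next_hop": socket.inet_ntoa(r[2]), "input_snmp": r[3], "output_snmp": r[4],
            "in_pkts": r[5], "in_bytes": r[6], "first_switched": r[7], "last_switched": r[8],
            "l4_src_port": r[9], "l4_dst_port": r[10], "tcp_flags": r[12], "protocol": r[13],
            "src_tos": r[14], "src_as": r[15], "dst_as": r[16], "src_mask": r[17], "dst_mask": r[18],
        })
    return header, flows

# Constructed sample: one DNS query flow and one TCP flow with SYN|ACK set.
SAMPLE_PACKET = build_v5_packet([
    {"src": "10.0.0.1", "dst": "10.0.0.53", "proto": 17, "sport": 51000, "dport": 53, "pkts": 1, "bytes": 76},
    {"src": "192.0.2.10", "dst": "10.0.0.80", "proto": 6, "sport": 40000, "dport": 80, "pkts": 12, "bytes": 3400, "flags": 0x12},
])
```

The length check matters operationally: an exporter bug or a spoofed datagram on UDP 2055 should surface as a decode error in the Logstash log, not as partial flow records in the index.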
Synopsis
This plugin supports the following configuration options:

Required configuration options:

```
netflow { }
```

Available configuration options:

| Setting | Input type | Required |
|---|---|---|
| cache_save_path | a valid filesystem path | No |
| cache_ttl | number | No |
| enable_metric | boolean | No |
| id | string | No |
| include_flowset_id | boolean | No |
| ipfix_definitions | a valid filesystem path | No |
| netflow_definitions | a valid filesystem path | No |
| target | string | No |
| versions | array | No |
Details
cache_save_path
- Value type is path
- There is no default value for this setting.
Where to save the template cache. This helps speed up processing when restarting Logstash, because you do not have to wait for the templates to arrive again. The cache is saved as path/netflow_templates.cache and/or path/ipfix_templates.cache.
cache_ttl
- Value type is number
- Default value is 4000
Netflow v9/v10 template cache TTL (minutes).
enable_metric
- Value type is boolean
- Default value is true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
id
- Value type is string
- There is no default value for this setting.
Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 grok filters. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

```
output {
  stdout {
    id => "my_plugin_id"
  }
}
```
include_flowset_id
- Value type is boolean
- Default value is false
Only makes sense for IPFIX; v9 already includes this. Setting it to true will include the flowset_id in events, which allows you to work with sequences, for instance with the aggregate filter.
ipfix_definitions
- Value type is path
- There is no default value for this setting.
Override YAML file containing IPFIX field definitions.
Very similar to the Netflow version except there is a top level Private Enterprise Number (PEN) key added:

```yaml
pen:
  id:
  - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
  - :name
  id:
  - :skip
```
There is an implicit PEN 0 for the standard fields.
See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml for the base set.
netflow_definitions
- Value type is path
- There is no default value for this setting.
Override YAML file containing Netflow field definitions.
Each Netflow field is defined like so:

```yaml
id:
- default length in bytes
- :name
id:
- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
- :name
id:
- :skip
```
See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml for the base set.