Netflow codec pluginedit

  • Plugin version: v3.5.2
  • Released on: 2017-08-15
  • Changelog

Installationedit

For plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-codec-netflow. See Working with plugins for more details.

Getting Helpedit

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Descriptionedit

The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.

Supported Netflow/IPFIX exportersedit

This codec supports:

  • Netflow v5
  • Netflow v9
  • IPFIX

The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:

Netflow exporter v5 v9 IPFIX Remarks

Barracuda Firewall

y

Cisco ASA

y

Cisco ASR

y

Cisco IOS 12.x

y

Cisco WLC

y

Citrix Netscaler

y

Still some unknown fields, labeled netscalerUnknown<id>

fprobe

y

Fortigate FortiOS

y

ipt_NETFLOW

y

y

y

Juniper MX80

y

SW > 12.3R8

Mikrotik

y

y

http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

nProbe

y

y

y

OpenBSD pflow

y

n

y

http://man.openbsd.org/OpenBSD-current/man4/pflow.4

Softflowd

y

y

y

IPFIX supported in https://github.com/djmdjm/softflowd

Streamcore Streamgroomer

y

Ubiquiti Edgerouter X

y

With MPLS labels

VMware VDS

y

Still some unknown fields

Usageedit

Example Logstash configuration that will listen on 2055/udp for Netflow v5,v9 and IPFIX:

input {
  udp {
    port  => 2055
    codec => netflow
  }
}

For high-performance production environments the configuration below will decode up to 6000 flows/sec on an 8 CPU instance. If your total flowrate exceeds 6000 flows/sec, you should use multiple Logstash instances.

input {
  udp {
    port                 => 2055
    receive_buffer_bytes => 16777216
    codec                => netflow
    workers              => 6
  }

Make sure to increase the Linux kernel receive buffer limit:

# sysctl -w net.core.rmem_max=$((1024*1024*16))

Netflow Codec Configuration Optionsedit

Setting Input typeRequired

cache_save_path

a valid filesystem path

No

cache_ttl

number

No

include_flowset_id

boolean

No

ipfix_definitions

a valid filesystem path

No

netflow_definitions

a valid filesystem path

No

target

string

No

versions

array

No

 

cache_save_pathedit

  • Value type is path
  • There is no default value for this setting.

Enables the template cache and saves it in the specified directory. This minimizes data loss after Logstash restarts because the codec doesn’t have to wait for the arrival of templates, but instead reload already received templates received during previous runs.

Template caches are saved as:

  • path/netflow_templates.cache for Netflow v9 templates.
  • path/ipfix_templates.cache for IPFIX templates.

cache_ttledit

  • Value type is number
  • Default value is 4000

Netflow v9/v10 template cache TTL (seconds)

include_flowset_idedit

  • Value type is boolean
  • Default value is false

Only makes sense for ipfix, v9 already includes this Setting to true will include the flowset_id in events Allows you to work with sequences, for instance with the aggregate filter

ipfix_definitionsedit

  • Value type is path
  • There is no default value for this setting.

Override YAML file containing IPFIX field definitions

Very similar to the Netflow version except there is a top level Private Enterprise Number (PEN) key added:

pen:
id:
- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
- :name
id:
- :skip

There is an implicit PEN 0 for the standard fields.

See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml for the base set.

netflow_definitionsedit

  • Value type is path
  • There is no default value for this setting.

Override YAML file containing Netflow field definitions

Each Netflow field is defined like so:

id:
- default length in bytes
- :name
id:
- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
- :name
id:
- :skip

See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml for the base set.

targetedit

  • Value type is string
  • Default value is "netflow"

Specify into what field you want the Netflow data.

versionsedit

  • Value type is array
  • Default value is [5, 9, 10]

Specify which Netflow versions you will accept.