Netflow codec plugin v3.4.1
- Plugin version: v3.4.1
- Released on: 2017-06-23
- Changelog
For other versions, see theoverview list.
To learn more about Logstash, see theLogstash Reference.
For questions about the plugin, open a topic in theDiscuss forums. For bugs or feature requests, open an issue inGithub. For the list of Elastic supported plugins, please consult theElastic Support Matrix.
The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
| Netflow exporter | v5 | v9 | IPFIX | Remarks |
|---|---|---|---|---|
| Softflowd | y | y | y | IPFIX supported inhttps://github.com/djmdjm/softflowd |
| nProbe | y | y | y | |
| ipt_NETFLOW | y | y | y | |
| Cisco ASA | y | |||
| Cisco IOS 12.x | y | |||
| fprobe | y | |||
| Juniper MX80 | y | SW > 12.3R8 | ||
| OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4 |
| Mikrotik 6.35.4 | y | n | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow | |
| Ubiquiti Edgerouter X | y | With MPLS labels | ||
| Citrix Netscaler | y | Still some unknown fields, labeled netscalerUnknown<id> |
Example Logstash configuration:
input { udp { host => localhost port => 2055 codec => netflow { versions => [5, 9] } type => netflow } udp { host => localhost port => 4739 codec => netflow { versions => [10] target => ipfix } type => ipfix } tcp { host => localhost port => 4739 codec => netflow { versions => [10] target => ipfix } type => ipfix }}| Setting | Input type | Required |
|---|---|---|
cache_save_path | a valid filesystem path | No |
cache_ttl | number | No |
include_flowset_id | boolean | No |
ipfix_definitions | a valid filesystem path | No |
netflow_definitions | a valid filesystem path | No |
target | string | No |
versions | array | No |
- Value type ispath
- There is no default value for this setting.
Where to save the template cache This helps speed up processing when restarting logstash (So you don’t have to await the arrival of templates) cache will save as path/netflow_templates.cache and/or path/ipfix_templates.cache
- Value type isnumber
- Default value is
4000
Netflow v9/v10 template cache TTL (minutes)
- Value type isboolean
- Default value is
false
Only makes sense for ipfix, v9 already includes this Setting to true will include the flowset_id in events Allows you to work with sequences, for instance with the aggregate filter
- Value type ispath
- There is no default value for this setting.
Override YAML file containing IPFIX field definitions
Very similar to the Netflow version except there is a top level Private Enterprise Number (PEN) key added:
pen:id:- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string- :nameid:- :skipThere is an implicit PEN 0 for the standard fields.
Seehttps://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml for the base set.
- Value type ispath
- There is no default value for this setting.
Override YAML file containing Netflow field definitions
Each Netflow field is defined like so:
id:- default length in bytes- :nameid:- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string- :nameid:- :skipSeehttps://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml for the base set.
- Value type isstring
- Default value is
"netflow"
Specify into what field you want the Netflow data.
- Value type isarray
- Default value is
[5, 9, 10]
Specify which Netflow versions you will accept.