Netflow codec plugin v4.0.2
- Plugin version: v4.0.2
- Released on: 2018-06-24
- Changelog
For other versions, see theoverview list.
To learn more about Logstash, see theLogstash Reference.
For questions about the plugin, open a topic in theDiscuss forums. For bugs or feature requests, open an issue inGithub. For the list of Elastic supported plugins, please consult theElastic Support Matrix.
The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
This codec supports:
- Netflow v5
- Netflow v9
- IPFIX
The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
| Netflow exporter | v5 | v9 | IPFIX | Remarks |
|---|---|---|---|---|
| Barracuda Firewall | y | |||
| Cisco ASA | y | |||
| Cisco ASR 1k | n | Fails because of duplicate fields | ||
| Cisco ASR 9k | y | |||
| Cisco IOS 12.x | y | |||
| Cisco ISR w/ HSL | n | Fails because of duplicate fields, see:https://github.com/logstash-plugins/logstash-codec-netflow/issues/93 | ||
| Cisco WLC | y | |||
| Citrix Netscaler | y | Still some unknown fields, labeled netscalerUnknown<id> | ||
| fprobe | y | |||
| Fortigate FortiOS | y | |||
| Huawei Netstream | y | |||
| ipt_NETFLOW | y | y | y | |
| Juniper MX80 | y | SW > 12.3R8 | ||
| Mikrotik | y | y | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow | |
| nProbe | y | y | y | L7 DPI fields now also supported |
| Nokia BRAS | y | |||
| OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4 |
| Sandvine Procera PacketLogic | y | v15.1 | ||
| Softflowd | y | y | y | IPFIX supported inhttps://github.com/djmdjm/softflowd |
| Streamcore Streamgroomer | y | |||
| Palo Alto PAN-OS | y | |||
| Ubiquiti Edgerouter X | y | With MPLS labels | ||
| VMware VDS | y | Still some unknown fields | ||
| YAF | y | With silk and applabel, but no DPI plugin support | ||
| vIPtela | y |
Example Logstash configuration that will listen on 2055/udp for Netflow v5,v9 and IPFIX:
input { udp { port => 2055 codec => netflow }}For high-performance production environments the configuration below will decode up to 15000 flows/sec from a Cisco ASR 9000 router on a dedicated 16 CPU instance. If your total flowrate exceeds 15000 flows/sec, you should use multiple Logstash instances.
Note that for richer flows from a Cisco ASA firewall this number will be at least 3x lower.
input { udp { port => 2055 codec => netflow receive_buffer_bytes => 16777216 workers => 16 }To mitigate dropped packets, make sure to increase the Linux kernel receive buffer limit:
# sysctl -w net.core.rmem_max=$((1024*1024*16))| Setting | Input type | Required |
|---|---|---|
cache_save_path | a valid filesystem path | No |
cache_ttl | number | No |
include_flowset_id | boolean | No |
ipfix_definitions | a valid filesystem path | No |
netflow_definitions | a valid filesystem path | No |
target | string | No |
versions | array | No |
- Value type ispath
- There is no default value for this setting.
Enables the template cache and saves it in the specified directory. This minimizes data loss after Logstash restarts because the codec doesn’t have to wait for the arrival of templates, but instead reload already received templates received during previous runs.
Template caches are saved as:
- path/netflow_templates.cache for Netflow v9 templates.
- path/ipfix_templates.cache for IPFIX templates.
- Value type isnumber
- Default value is
4000
Netflow v9/v10 template cache TTL (seconds)
- Value type isboolean
- Default value is
false
Only makes sense for ipfix, v9 already includes this Setting to true will include the flowset_id in events Allows you to work with sequences, for instance with the aggregate filter
- Value type ispath
- There is no default value for this setting.
Override YAML file containing IPFIX field definitions
Very similar to the Netflow version except there is a top level Private Enterprise Number (PEN) key added:
pen:id:- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string- :nameid:- :skipThere is an implicit PEN 0 for the standard fields.
Seehttps://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml for the base set.
- Value type ispath
- There is no default value for this setting.
Override YAML file containing Netflow field definitions
Each Netflow field is defined like so:
id:- default length in bytes- :nameid:- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string- :nameid:- :skipSeehttps://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml for the base set.
- Value type isstring
- Default value is
"netflow"
Specify into what field you want the Netflow data.
- Value type isarray
- Default value is
[5, 9, 10]
Specify which Netflow versions you will accept.