logstash-docs-md
Netflow codec plugin v3.5.0
- Plugin version: v3.5.0
- Released on: 2017-06-23
- Changelog
For other versions, see the overview list.
To learn more about Logstash, see the Logstash Reference.
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
| Netflow exporter | v5 | v9 | IPFIX | Remarks |
|---|---|---|---|---|
| Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd |
| nProbe | y | y | y | |
| ipt_NETFLOW | y | y | y | |
| Cisco ASA | y | |||
| Cisco IOS 12.x | y | |||
| fprobe | y | |||
| Juniper MX80 | y | SW > 12.3R8 | ||
| OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4 |
| Mikrotik 6.35.4 | y | n | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow | |
| Ubiquiti Edgerouter X | y | With MPLS labels | ||
| Citrix Netscaler | y | Still some unknown fields, labeled netscalerUnknown<id> |
Example Logstash configuration:
input {
udp {
host => localhost
port => 2055
codec => netflow {
versions => [5, 9]
}
type => netflow
}
udp {
host => localhost
port => 4739
codec => netflow {
versions => [10]
target => ipfix
}
type => ipfix
}
tcp {
host => localhost
port => 4739
codec => netflow {
versions => [10]
target => ipfix
}
type => ipfix
}
}
| Setting | Input type | Required |
|---|---|---|
cache_save_path |
a valid filesystem path | No |
cache_ttl |
number | No |
include_flowset_id |
boolean | No |
ipfix_definitions |
a valid filesystem path | No |
netflow_definitions |
a valid filesystem path | No |
target |
string | No |
versions |
array | No |
- Value type is path
- There is no default value for this setting.
Where to save the template cache This helps speed up processing when restarting logstash (So you don’t have to await the arrival of templates) cache will save as path/netflow_templates.cache and/or path/ipfix_templates.cache
- Value type is number
- Default value is
4000
Netflow v9/v10 template cache TTL (minutes)
- Value type is boolean
- Default value is
false
Only makes sense for ipfix, v9 already includes this Setting to true will include the flowset_id in events Allows you to work with sequences, for instance with the aggregate filter
- Value type is path
- There is no default value for this setting.
Override YAML file containing IPFIX field definitions
Very similar to the Netflow version except there is a top level Private Enterprise Number (PEN) key added:
pen:
id:
- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
- :name
id:
- :skip
There is an implicit PEN 0 for the standard fields.
See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml for the base set.
- Value type is path
- There is no default value for this setting.
Override YAML file containing Netflow field definitions
Each Netflow field is defined like so:
id:
- default length in bytes
- :name
id:
- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
- :name
id:
- :skip
See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml for the base set.
- Value type is string
- Default value is
"netflow"
Specify into what field you want the Netflow data.
- Value type is array
- Default value is
[5, 9, 10]
Specify which Netflow versions you will accept.