netflow

  • Version: 3.1.2
  • Released on: 2016-07-14
  • Changelog
  • Compatible: 5.1.1.1, 5.0.0, 2.4.1, 2.4.0, 2.3.4

The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.

Supported Netflow/IPFIX exporters


The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:

Netflow exporter   v5   v9   IPFIX   Remarks
Softflowd          y    y    y       IPFIX supported in https://github.com/djmdjm/softflowd
nProbe             y    y    y
ipt_NETFLOW        y    y    y
Cisco ASA               y
Cisco IOS 12.x          y
fprobe             y

Usage


Example Logstash configuration:

input {
  # NetFlow v5 and v9 over UDP on the conventional (not IANA-assigned) NetFlow port
  udp {
    host => localhost
    port => 2055
    codec => netflow {
      versions => [5, 9]
    }
    type => netflow
  }
  # IPFIX over UDP on its IANA-assigned port; decoded fields land under "ipfix"
  udp {
    host => localhost
    port => 4739
    codec => netflow {
      versions => [10]
      target => ipfix
    }
    type => ipfix
  }
  # IPFIX over TCP on the same port
  tcp {
    host => localhost
    port => 4739
    codec => netflow {
      versions => [10]
      target => ipfix
    }
    type => ipfix
  }
}

With host => localhost the listeners accept flows from the loopback interface only. When binding to an interface that exporters can reach, restrict at the network level which hosts may send to these ports: NetFlow and IPFIX over UDP carry no authentication, so anything that can reach the port can inject flow records and, for v9/IPFIX, templates.

Synopsis


This plugin supports the following configuration options:

Required configuration options: none. The minimal declaration is

netflow {
}

Available configuration options:

Setting              Input type               Required   Default value
cache_ttl            number                   No         4000
enable_metric        boolean                  No         true
id                   string                   No
ipfix_definitions    a valid filesystem path  No
netflow_definitions  a valid filesystem path  No
target               string                   No         "netflow"
versions             array                    No         [5, 9, 10]

Details

cache_ttl

  • Value type is number
  • Default value is 4000

TTL, in minutes, of the Netflow v9 template cache. Templates are learned from the exporter, and data records that arrive before their template has been received, or after it has expired, cannot be decoded; keep the TTL longer than the exporter's template refresh interval.

enable_metric

  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance. By default all available metrics are recorded, but collection can be disabled for a specific plugin.

id

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin instance. This ID is used for tracking information for a specific configuration of the plugin.

output {
  stdout {
    id => "ABC"
  }
}

If you don't explicitly set this variable, Logstash will generate a unique name.

ipfix_definitions

  • Value type is path
  • There is no default value for this setting.

Override YAML file containing IPFIX field definitions

Very similar to the Netflow version except there is a top level Private Enterprise Number (PEN) key added:

pen:
  id:
    - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
    - :name
  id:
    - :skip

There is an implicit PEN 0 for the standard fields.

See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml for the base set.

netflow_definitions

  • Value type is path
  • There is no default value for this setting.

Override YAML file containing Netflow field definitions

Each Netflow field is defined like so:

---
id:
- default length in bytes
- :name
id:
- :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
- :name
id:
- :skip

See https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml for the base set.
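Two override files in the layouts described above, added here as an example; they are not files shipped with the codec. The first document is a netflow_definitions file, the second an ipfix_definitions file. IDs 1, 2, 4, 7, 8, 12 and 56 in the first, and the PEN 0 elements in the second, are the standard registered ones; PEN 99999 and field IDs 40001/40002 are placeholders standing in for a vendor's own registration, not real assignments. Check the bundled netflow.yaml and ipfix.yaml linked above for how the version of the codec you run combines an override with the base set.

```yaml
# netflow_definitions file: NetFlow v9 template field IDs, no PEN level.
# 40001/40002 are placeholder vendor field IDs used for illustration only.
---
1:
- 4
- :in_bytes            # default length in bytes + name: unsigned integer
2:
- 4
- :in_pkts
4:
- :uint8
- :protocol            # explicit type + name
7:
- :uint16
- :l4_src_port
8:
- :ip4_addr
- :ipv4_src_addr
12:
- :ip4_addr
- :ipv4_dst_addr
56:
- :mac_addr
- :in_src_mac
40001:
- :string
- :vendor_app_name     # placeholder vendor field, decoded as a string
40002:
- :skip                # placeholder vendor field consumed but not emitted

# ipfix_definitions file: same layout, one level deeper under the PEN.
# PEN 0 holds the IANA standard elements; 99999 is a placeholder PEN.
---
0:
  1:
  - :uint64
  - :octetDeltaCount
  2:
  - :uint64
  - :packetDeltaCount
  8:
  - :ip4_addr
  - :sourceIPv4Address
  12:
  - :ip4_addr
  - :destinationIPv4Address
99999:
  1:
  - :string
  - :vendor_app_name
  2:
  - :skip
```

A field listed as :skip is still consumed from the record (its length comes from the template), so unknown vendor fields can be stepped over without dropping the whole flow; a field missing from the file altogether is the case to avoid.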

target

  • Value type is string
  • Default value is "netflow"

The event field under which the decoded flow data is placed. The Usage example sets it to ipfix on the IPFIX listeners so that IPFIX fields do not land in the same netflow field as v5/v9 flows.

versions

  • Value type is array
  • Default value is [5, 9, 10]

Which Netflow versions to accept: any of 5, 9 and 10 (10 is IPFIX). Datagrams carrying a version that is not in the list are not decoded. Narrowing the list to what the exporters on a given port actually send, as the Usage example does per listener, keeps unexpected versions from being decoded on that port.
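The decode path for a v5 datagram, shown as an added stand-alone example in plain Ruby rather than the codec's own BinData-based code: it builds a constructed v5 datagram, enforces the versions allow-list, checks the header's record count against the bytes actually received before indexing into the buffer, and nests each flow under target the way the options above describe. Field names (ipv4_src_addr, l4_dst_port, in_bytes and so on) follow the codec's v5 naming as an assumption; netflow.yaml is authoritative. The helper names (build_v5, decode_v5, switched_at), addresses and flows are constructed for this example.

```ruby
# Added example, not code from the netflow codec: a self-contained NetFlow v5
# decoder that mirrors what the codec produces for a v5 datagram and how the
# `versions` and `target` options shape the result. Field names follow the
# codec's v5 naming as an assumption; netflow.yaml is authoritative.
require 'ipaddr'
require 'socket'
require 'time'

V5_HEADER_LEN = 24
V5_RECORD_LEN = 48
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
V5_HEADER_FMT = 'nnNNNNCCn'
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last, srcport, dstport,
# pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD_FMT = 'NNNnnNNNNnnCCCCnnCCn'

class NetflowDecodeError < StandardError; end

# Build a v5 datagram from simple flow hashes (constructed test data only).
def build_v5(flows, flow_seq: 1, uptime: 10_000, unix_secs: 1_468_500_000)
  header = [5, flows.size, uptime, unix_secs, 0, flow_seq, 0, 0, 0].pack(V5_HEADER_FMT)
  records = flows.map do |f|
    [IPAddr.new(f[:src]).to_i, IPAddr.new(f[:dst]).to_i, 0,
     1, 2, f[:pkts], f[:bytes], uptime - 5_000, uptime - 100,
     f[:sport], f[:dport], 0, f[:flags], f[:proto], 0,
     0, 0, 24, 24, 0].pack(V5_RECORD_FMT)
  end
  header + records.join
end

def ipv4(int)
  IPAddr.new(int, Socket::AF_INET).to_s
end

# Turn a sys_uptime-relative millisecond stamp into an absolute UTC time,
# the way first_switched/last_switched are derived from the header fields.
def switched_at(unix_secs, uptime_ms, stamp_ms)
  Time.at(unix_secs - (uptime_ms - stamp_ms) / 1000.0).utc.iso8601(3)
end

# Decode one datagram into an array of events, each nested under `target`.
# `versions` plays the role of the codec's versions option: anything else is refused.
def decode_v5(datagram, versions: [5, 9, 10], target: 'netflow')
  raise NetflowDecodeError, 'datagram shorter than a v5 header' if datagram.bytesize < V5_HEADER_LEN
  version, count, uptime, unix_secs, _nsecs, flow_seq, engine_type, engine_id, sampling =
    datagram.byteslice(0, V5_HEADER_LEN).unpack(V5_HEADER_FMT)
  raise NetflowDecodeError, "version #{version} not in accepted versions #{versions.inspect}" unless versions.include?(version)
  raise NetflowDecodeError, "version #{version} is not handled by this v5-only example" unless version == 5

  # The count field comes from an unauthenticated UDP peer: check it against the
  # bytes actually received before indexing, so a forged or truncated datagram
  # cannot make the parser read past the buffer.
  needed = V5_HEADER_LEN + count * V5_RECORD_LEN
  raise NetflowDecodeError, "count=#{count} needs #{needed} bytes, got #{datagram.bytesize}" if datagram.bytesize < needed

  Array.new(count) do |i|
    r = datagram.byteslice(V5_HEADER_LEN + i * V5_RECORD_LEN, V5_RECORD_LEN).unpack(V5_RECORD_FMT)
    flow = {
      'version'            => version,
      'flow_seq_num'       => flow_seq,
      'engine_type'        => engine_type,
      'engine_id'          => engine_id,
      'sampling_algorithm' => sampling >> 14,     # top 2 bits of the 16-bit field
      'sampling_interval'  => sampling & 0x3fff,  # low 14 bits
      'ipv4_src_addr'      => ipv4(r[0]),
      'ipv4_dst_addr'      => ipv4(r[1]),
      'ipv4_next_hop'      => ipv4(r[2]),
      'input_snmp'         => r[3],
      'output_snmp'        => r[4],
      'in_pkts'            => r[5],
      'in_bytes'           => r[6],
      'first_switched'     => switched_at(unix_secs, uptime, r[7]),
      'last_switched'      => switched_at(unix_secs, uptime, r[8]),
      'l4_src_port'        => r[9],
      'l4_dst_port'        => r[10],
      'tcp_flags'          => r[12],
      'protocol'           => r[13],
      'src_tos'            => r[14],
      'src_as'             => r[15],
      'dst_as'             => r[16],
      'src_mask'           => r[17],
      'dst_mask'           => r[18]
    }
    { target => flow }
  end
end

# Constructed sample: one HTTPS flow and one DNS query in a single datagram.
SAMPLE_FLOWS = [
  { src: '10.0.0.5', dst: '192.0.2.10', sport: 51234, dport: 443, proto: 6,  flags: 0x1b, pkts: 12, bytes: 4_321 },
  { src: '10.0.0.7', dst: '192.0.2.53', sport: 40001, dport: 53,  proto: 17, flags: 0,    pkts: 1,  bytes: 77 }
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)

if __FILE__ == $0
  decode_v5(SAMPLE_DATAGRAM).each { |event| puts event.inspect }
  begin
    decode_v5(SAMPLE_DATAGRAM, versions: [9, 10])   # refused, as versions => [9, 10] would do
  rescue NetflowDecodeError => e
    puts "refused: #{e.message}"
  end
end
```

The length check before indexing is the part worth carrying over to any collector that parses flow records itself: the count in the header is attacker-controlled on an open UDP port, and the same holds for template lengths in v9/IPFIX.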