NetFlow

Push

Synopsis

Creates a NetFlow v5 collector that accepts flow data over UDP connections. Supports High-Volume collection with multiple workers and configurable buffer sizes.

warning

The collector only supports legacy NetFlow types, such as NetFlow v5. For NetFlow v9, use the ipfix collector type.

Schema

- id: <numeric>
  name: <string>
  description: <string>
  type: netflow
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    address: <string>
    port: <numeric>
    reuse: <boolean>
    buffer_size: <numeric>
    stats_frequency: <numeric>

Configuration

The following are the minimum requirements to define the device.

Device

Field	Required	Default	Description
`id`	Y		Unique identifier
`name`	Y		Device name
`description`	N	-	Optional description
`type`	Y		Must be `netflow`
`tags`	N	-	Optional tags
`pipelines`	N	-	Optional pre-processor pipelines
`status`	N	`true`	Enable/disable the device

Network

Field	Required	Default	Description
`address`	N	`"0.0.0.0"`	Listen address
`port`	N	`2055`	Listen port
`reuse`	N	`true`	Enable socket address reuse

Performance

Field	Required	Default	Description
`buffer_size`	N	`9000`	Network read buffer size in bytes
`stats_frequency`	N	`300`	Statistics collection interval in seconds

Advanced Features

The following are unique features that Director offers.

Multiple Workers

When reuse is enabled, the collector automatically spawns multiple workers which maintain their own UDP listeners, process flows independently, and write to dedicated queue files.

note

The collector scales up to use all available CPU cores.

Flows

The collector supports fixed format NetFlow v5 records, application identification, port-based protocol mapping, flow state tracking, and statistical aggregation.

Examples

The following are commonly used configuration types.

Basic

A basic collector can be created easily:

Creating a simple NetFlow collector...

- id: 1
  name: basic_netflow
  type: netflow
  properties:
    port: 2055

High-Volume

Performance can be enhanced for high flow volumes:

Optimizing for high message volumes...

- id: 2
  name: performant_netflow
  type: netflow
  properties:
    address: "0.0.0.0"
    port: 2055
    reuse: true
    buffer_size: 32768

Legacy Networks

Collecting flows from older network devices is possible:

Collecting from legacy network devices...

- id: 3
  name: legacy_netflow
  type: netflow
  properties:
    address: "0.0.0.0"
    port: 2055
    reuse: true
    buffer_size: 16384
    stats_frequency: 60

Application Protocols

The collector supports application-based identification, TCP port mapping, and UDP port mapping. The definition files for these respectively are placed in three locations under <vm_root>:

/user/definitions/app-definitions-{device-id}.csv (device-specific)
/user/definitions/app-definitions.csv (user-defined)
/package/definitions/app-definitions.csv (system defaults)

warning

Definition files must be in CSV format with exactly two columns per row.

The contents of these files are:

app-definitions.csv:

SSH,Secure Shell
RDP,Remote Desktop
HTTP,Web Browsing
HTTPS,Secure Web

tcp-definitions.csv:

22,SSH
3389,RDP
80,HTTP
443,HTTPS

udp-definitions.csv:

53,DNS
67,DHCP
123,NTP
161,SNMP

note

The collector will fall back on the system defaults if the custom definition files are not found.

Using application identification...

- id: 4
  name: app_aware_netflow
  type: netflow
  properties:
    port: 2055
    reuse: true
    buffer_size: 16384

Synopsis​

Schema​

Configuration​

Device​

Network​

Performance​

Advanced Features​

Multiple Workers​

Flows​

Examples​

Basic​

High-Volume​

Legacy Networks​

Application Protocols​