netflow

Milestone: 1

The “netflow” codec is for decoding Netflow v5/v9 flows.

Synopsis

This is what it might look like in your config file:

# with an input plugin:
# you can also use this codec with an output.
input { 
  file {
    codec => netflow {
      cache_ttl => ... # number (optional), default: 4000
      definitions => ... # a valid filesystem path (optional)
      target => ... # string (optional), default: "netflow"
      versions => ... # array (optional), default: [5, 9]
    }
  }
}

Details

cache_ttl

Value type is number
Default value is 4000

Netflow v9 template cache TTL (minutes)

definitions

Value type is path
There is no default value for this setting.

Override YAML file containing Netflow field definitions

Each Netflow field is defined like so:

id: - default length in bytes - :name id: - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string - :name id: - :skip

See https://github.com/logstash/logstash/tree/v1.4.2/lib/logstash/codecs/netflow/netflow.yaml for the base set.

target

Value type is string
Default value is "netflow"

Specify into what field you want the Netflow data.

versions

Value type is array
Default value is [5, 9]

Specify which Netflow versions you will accept.

This is documentation from lib/logstash/codecs/netflow.rb