Skip to main content

NetFlow

Synopsis

Creates a NetFlow v5 collector that accepts flow data over UDP connections. Supports High-Volume collection with multiple workers and configurable buffer sizes.

warning

The collector only supports legacy NetFlow types, such as NetFlow v5. For NetFlow v9, use the ipfix collector type.

For details, see Appendix.

Schema

- id: <numeric>
  name: <string>
  description: <string>
  type: netflow
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    address: <string>
    port: <numeric>
    reuse: <boolean>
    buffer_size: <numeric>

Configuration

The following fields are used to define the device:

Device

FieldRequiredDefaultDescription
idYUnique identifier
nameYDevice name
descriptionN-Optional description
typeYMust be netflow
tagsN-Optional tags
pipelinesN-Optional pre-processor pipelines
statusNtrueEnable/disable the device

Connection

FieldRequiredDefaultDescription
addressN"0.0.0.0"Listen address
portN2055Listen port
reuseNtrueEnable socket address reuse

Performance

FieldRequiredDefaultDescription
buffer_sizeN9000Network read buffer size in bytes

Key Features

The following are unique features that Director offers.

Multiple Workers

When reuse is enabled, the collector automatically spawns multiple workers which maintain their own UDP listeners, process flows independently, and write to dedicated queue files.

note

The collector scales up to use all available CPU cores.

Flows

The collector supports fixed format NetFlow v5 records, application identification, port-based protocol mapping, flow state tracking, and statistical aggregation.

Examples

The following are commonly used configuration types.

Basic

A basic collector can be created easily:

Creating a simple NetFlow collector...

devices:
  - id: 1
    name: basic_netflow
    type: netflow
    properties:
      port: 2055

High-Volume

Performance can be enhanced for high flow volumes:

Optimizing for high message volumes...

devices:
  - id: 2
    name: performant_netflow
    type: netflow
    properties:
      address: "0.0.0.0"
      port: 2055
      reuse: true
      buffer_size: 32768

Legacy Networks

Collecting flows from older network devices is possible:

Collecting from legacy network devices...

devices:
  - id: 3
    name: legacy_netflow
    type: netflow
    properties:
      address: "0.0.0.0"
      port: 2055
      reuse: true
      buffer_size: 16384
Loading include...

Using application identification...

devices:
  - id: 4
    name: app_aware_netflow
    type: netflow
    properties:
      port: 2055
      reuse: true
      buffer_size: 16384