Applications
Overview
The Unified Flow Collector will cache application attribues learned from option data.
EF_FLOW_DECODER_ENRICH_APP_CACHE_SIZE
This setting specifies the maximum number of device specific application IDs which will be held in the cache.
- Default
8388608
EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE
While various flow record sources send the mapping of application IDs to applications names as option data. In cases where no application identity technology is available, applications can be statically specified by IP address and port number. The application name specified will be used to populate the app.name (for the default CODEX schema) or network.application (if using the optional ECS schema) field.
- Valid Values
true,false
- Default
false
EF_FLOW_DECODER_ENRICH_APP_USERDEF_PRIVATE
If user-defined application name are enabled (EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE is true) this option specifies whether application names will be checked for private IP addresses.
- Valid Values
true,false
- Default
true
EF_FLOW_DECODER_ENRICH_APP_USERDEF_PUBLIC
If user-defined application name are enabled (EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE is true) this option specifies whether application names will be checked for public IP addresses.
- Valid Values
true,false
- Default
true
EF_FLOW_DECODER_ENRICH_APP_USERDEF_PATH
If user-defined IP/port to application mappings are enabled (EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE is true) this setting specifies the path to this file.
If the value of the path begins with a / this path will be interpreted as an absolute file system path. Otherwise it will be interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.
An example of the format of this file is:
'192.0.2.11':
5601: 'kibana'
9200: 'elasticsearch'
9300: 'elasticsearch_transport'
'192.0.2.12':
2181: 'zookeeper'
2888: 'zookeeper_leader'
3888: 'zookeeper_election'
9092: 'kafka'
- Default
settings/apps_user_defined.yml