Skip to main content
Version: 6.0

Changelog

Latest Version: 6.0.1

Release History

6.0.1

Breaking Changes

If you are migrating to 6.0.x from a previous version of the ElastiFlow Unified Flow Collector, please see Breaking Changes for 6.0.0 below.

Fixes

  • Fixed a panic condition when exporterIPv4Address or exporterIPv6Address was included in the flow record.
  • Fixed a panic condition that related to the license level check of sFlow records.

6.0.0

Breaking Changes

danger

IMPORTANT! In preparation for new features and solutions which will be available in the near future, many of the configuration option names have been changed since 5.6.x and 6.0.0-rc.1. It will be necessary to modify your previous configuration for 6.0.0. Please refer to Upgrading to 6.0.0 for more details. ElastiFlow customers can contact support for assistance with this upgrade. Community users can ask for assistance in the ElastiFlow Community Slack.

  • The JSON structure for records sent to Elasticsearch and OpenSearch has been flattened. This has no effect on the function of dashboards, and features such Elasticsearch ML jobs and alerts. It is also possible to seemlessly combine the 5.x (nested) and 6.0.0 (flat) indices. This is because Elasticsearch flattens field names for indexing. However if you have been extracting the raw record JSON from Elasticsearch to send to other applications, this change may affect such processes.
  • Removed Logz.io Output - We have decided not to proceed with the technology preview of the Logz.io output, and it has been removed. We may revisit support for Logz.io in the future.
  • Non-Flow Record Types - The addition of non-flow indices (see below) may require some user-created tools or processes to be modified to access these new indices.

New Features

  • AWS VPC Flow Logs - AWS VPC Flow Logs are now supported via collection from S3. This includes support for all fields from VPC Flow Log versions 2 thru 5.
  • ElastiFlow Splunk App - The ElastiFlow Netflow Analytics for Splunk App is now available on Splunkbase. We will continue to update this app over the coming weeks and months.
  • Bi-Directional Flows - Bi-directional records, as sent by Velocloud SD-WAN and certain Cisco and other devices, are now split into two uni-directional records, enabling the full ElastiFlow feature set to be applied to both directions represented in the original record.
  • Performance Improvements - A variety of performance enhancements provide a throughput increase of up to 250% at the same CPU utilization.
  • Collector Statistics - A Prometheus endpoint provides statistics for various internal collector components.
  • Liveness & Readiness - Liveness and Readiness endpoints have been added to improve the ability to monitor the state of the collector when running in Kubernetes.
  • Gracefull Shutdown - When the collector is stopped, any buffered messages will be processed prior to the collector exiting.
  • Improved Application Enrichment - User-defined Application enrichment now supports any combination of IP addresses, CIDR blocks, IP ranges, ports and port ranges. Additionally it is now possible to enrich records with more than only app.name, including user-defined metadata. Finally, vendor-specific AppID to App attributes mappings may be added for devices which send AppIDs without option records.
  • Non-Flow Record Types - The collector will now create separate indices for non-flow record types. Currently supported are flow, telemetry (such as sFlow counter samples and Calix IPFIX telemetry records), and AS-Path hop records.
  • Generic HTTP Output - We have added an output which can be used to send records to an HTTP endpoint such as the http_endpoint input of Elastic's Filebeat, or the http input of Elastic's Logstash.

Updates

  • Added Extreme Networks IEs for userName and appGroupName.
  • Added packet parser support for TCP sequence (tcp.seq_num) and acknowledge numbers (tcp.ack_num).
  • Client/Server inference for protocols without layer-4 ports will now be based on IP order, where the lower IP address is the server. This improves the functionality of dashboards for many use-cases. The configuration option EF_ENRICH_EXPAND_CLISRV_NO_L4_PORTS can be used to disable this change.
  • The packetparser, used to decode sFlow, IFA, and other sampled headers, now provides the IPv6 Flow Label value.

Fixes

  • The data type and translation for Calix the bin-duration IE has been fixed.