Version: 6.1

Changelog

Latest Version: 6.1.3

Release History

6.1.3

Updates

  • Added the EF_PROCESSOR_DECODE_MAX_RECORDS_PER_PACKET option. Corrupt packets can cause issues with the decoding of records. One way this is handled is by limiting the number of records that will be decoded from a packet. The default value is 64. When the network between the device and collector has an MTU larger than 1500, the default value may be exceeded by normal packets. This new configuration option allows the threshold to be increased when necessary.
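The following is an added example, not ElastiFlow code, showing why a collector caps the number of records it will decode from a single packet. The packet layout (a 16-bit record count followed by type/length/payload records), the function names and the UDP/IPv4 overhead figures are assumptions of this example; only the default cap of 64 and the MTU reasoning come from the changelog entry above. The decoder trusts the declared count only up to the cap, so a corrupt header claiming thousands of records bounds the work done rather than driving a runaway parse, and `records_that_fit` shows why a larger MTU pushes normal packets past the default.

```python
"""Toy record-batch decoder with a per-packet record cap (added example)."""
import struct

DEFAULT_MAX_RECORDS_PER_PACKET = 64  # default threshold named in the changelog


class DecodeError(ValueError):
    """Raised when a packet is structurally inconsistent."""


def encode_packet(records):
    """Build a constructed packet: uint16 record count, then TLV records.

    Each record is (type, payload) encoded as uint8 type, uint16 length, payload.
    This layout is invented for the example and is not a real flow protocol.
    """
    out = struct.pack("!H", len(records))
    for rtype, payload in records:
        out += struct.pack("!BH", rtype, len(payload)) + payload
    return out


def with_declared_count(packet, count):
    """Return a copy of packet whose header claims `count` records (to simulate corruption)."""
    return struct.pack("!H", count) + packet[2:]


def decode_packet(data, max_records=DEFAULT_MAX_RECORDS_PER_PACKET):
    """Decode records, stopping at max_records instead of trusting the header.

    Returns (records, truncated); truncated is True when the declared count
    exceeded the cap and decoding stopped early. Any record that runs past
    the end of the packet raises DecodeError.
    """
    if len(data) < 2:
        raise DecodeError("packet shorter than header")
    (declared,) = struct.unpack_from("!H", data, 0)
    offset = 2
    records = []
    # The cap bounds loop iterations regardless of what the header claims.
    for _ in range(min(declared, max_records)):
        if offset + 3 > len(data):
            raise DecodeError("record header runs past end of packet")
        rtype, length = struct.unpack_from("!BH", data, offset)
        offset += 3
        if offset + length > len(data):
            raise DecodeError("record payload runs past end of packet")
        records.append((rtype, bytes(data[offset:offset + length])))
        offset += length
    return records, declared > max_records


def records_that_fit(mtu, record_size, ip_udp_overhead=28, count_header=2):
    """Fixed-size records that fit in one IPv4/UDP datagram of the given MTU.

    28 bytes = 20-byte IPv4 header + 8-byte UDP header (no options), an
    assumption for this example.
    """
    return (mtu - ip_udp_overhead - count_header) // record_size


if __name__ == "__main__":
    sample = encode_packet([(1, b"abc"), (2, b""), (7, b"\x00" * 20)])
    print(decode_packet(sample))
    print(decode_packet(with_declared_count(sample, 65535)) if False else "see tests")
    print("records per 1500-byte MTU:", records_that_fit(1500, 23))
    print("records per 9000-byte MTU:", records_that_fit(9000, 23))
```

With 23-byte records (3-byte header plus 20-byte payload) a 1500-byte MTU carries 63 records, under the default cap, while a 9000-byte MTU carries 390, which is the situation in which the option above needs raising.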

Fixes

  • App enrichment: Fixed an issue which caused the app enrichment YAML files to be continually reloaded. This could cause significantly increased CPU load.

6.1.2

Updates

  • SNMP Input: Added support for syntax values of EnumBitmap and EnumIntegerKeepID and EnumObjectIdentifierKeepOID.
  • SNMP Input: Added support for index values of type MacAddress.
  • SNMP Input: Updated SNMP object, object group and device group definitions.

Fixes

  • Calix IPFIX: Fixed a regression introduced in 6.0.0 which caused calix.aid.type to no longer be populated.
  • Kafka Output: Fixed an issue where the default output worker pool size was not being properly set. This prevented the output from connecting to Kafka unless it was specifically configured.
  • NetQuest IPFIX: Corrected swapped src/dst values for BGP IEs.

6.1.1

Fixes

Note: If you are using 6.0.0 to collect Netflow v9 records it is HIGHLY RECOMMENDED that you upgrade IMMEDIATELY to 6.1.1 to fix the issue described below.

  • Netflow v9: Fixed a regression introduced in 6.0.0 which could cause Netflow v9 flowsets to be decoded incorrectly.

Updates

  • SNMP Input: Added support for syntax values of CounterBasedGauge64 and ZeroBasedCounter64 from HCNUM-TC.

6.1.0

New Features

  • TECHNOLOGY PREVIEW: We have added a new input for collecting metrics using SNMP. For more details see the documentation. Please note that we will be adding device support over time. The initial out-of-the-box definitions can be found in a public GitHub repository at https://github.com/elastiflow/snmp, and are also included in the provided packages.

6.0.1

Breaking Changes

If you are migrating to 6.0.x from a previous version of the ElastiFlow Unified Collector, please see Breaking Changes for 6.0.0 below.

Fixes

  • Fixed a panic condition when exporterIPv4Address or exporterIPv6Address was included in the flow record.
  • Fixed a panic condition that related to the license level check of sFlow records.

6.0.0

Breaking Changes

IMPORTANT! In preparation for new features and solutions which will be available in the near future, many of the configuration option names have been changed since 5.6.x and 6.0.0-rc.1. It will be necessary to modify your previous configuration for 6.0.0. Please refer to Upgrading to 6.0.0 for more details. ElastiFlow customers can contact support for assistance with this upgrade. Community users can ask for assistance in the ElastiFlow Community Slack.

  • The JSON structure for records sent to Elasticsearch and OpenSearch has been flattened. This has no effect on the function of dashboards, or on features such as Elasticsearch ML jobs and alerts. It is also possible to seamlessly combine the 5.x (nested) and 6.0.0 (flat) indices, because Elasticsearch flattens field names for indexing. However, if you have been extracting the raw record JSON from Elasticsearch to send to other applications, this change may affect such processes.
  • Removed Logz.io Output - We have decided not to proceed with the technology preview of the Logz.io output, and it has been removed. We may revisit support for Logz.io in the future.
  • Non-Flow Record Types - The addition of non-flow indices (see below) may require some user-created tools or processes to be modified to access these new indices.

New Features

  • AWS VPC Flow Logs - AWS VPC Flow Logs are now supported via collection from S3. This includes support for all fields from VPC Flow Log versions 2 through 5.
  • ElastiFlow Splunk App - The ElastiFlow Netflow Analytics for Splunk App is now available on Splunkbase. We will continue to update this app over the coming weeks and months.
  • Bi-Directional Flows - Bi-directional records, as sent by Velocloud SD-WAN and certain Cisco and other devices, are now split into two uni-directional records, enabling the full ElastiFlow feature set to be applied to both directions represented in the original record.
  • Performance Improvements - A variety of performance enhancements provide a throughput increase of up to 250% at the same CPU utilization.
  • Collector Statistics - A Prometheus endpoint provides statistics for various internal collector components.
  • Liveness & Readiness - Liveness and Readiness endpoints have been added to improve the ability to monitor the state of the collector when running in Kubernetes.
  • Graceful Shutdown - When the collector is stopped, any buffered messages will be processed prior to the collector exiting.
  • Improved Application Enrichment - User-defined Application enrichment now supports any combination of IP addresses, CIDR blocks, IP ranges, ports and port ranges. Additionally it is now possible to enrich records with more than only app.name, including user-defined metadata. Finally, vendor-specific AppID to App attributes mappings may be added for devices which send AppIDs without option records.
  • Non-Flow Record Types - The collector will now create separate indices for non-flow record types. Currently supported are flow, telemetry (such as sFlow counter samples and Calix IPFIX telemetry records), and AS-Path hop records.
  • Generic HTTP Output - We have added an output which can be used to send records to an HTTP endpoint such as the http_endpoint input of Elastic's Filebeat, or the http input of Elastic's Logstash.

Updates

  • Added Extreme Networks IEs for userName and appGroupName.
  • Added packet parser support for TCP sequence (tcp.seq_num) and acknowledge numbers (tcp.ack_num).
  • Client/Server inference for protocols without layer-4 ports will now be based on IP order, where the lower IP address is the server. This improves the functionality of dashboards for many use-cases. The configuration option EF_ENRICH_EXPAND_CLISRV_NO_L4_PORTS can be used to disable this change.
  • The packetparser, used to decode sFlow, IFA, and other sampled headers, now provides the IPv6 Flow Label value.
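The client/server inference rule for portless protocols described above, as an added example that is not ElastiFlow code. The record dictionary layout, the `PORTLESS_PROTOCOLS` set, the function names and the `enabled` switch (standing in for the EF_ENRICH_EXPAND_CLISRV_NO_L4_PORTS option) are assumptions of this example. Records that do carry layer-4 ports are returned unchanged here, since the changelog does not describe the port-based heuristic; the example goes slightly beyond the text by covering IPv6 as well as IPv4 and by refusing to guess when the two addresses are equal or of different families.

```python
"""Client/server inference for flows without layer-4 ports (added example)."""
import ipaddress

# IP protocol numbers that have no L4 ports in the record (assumed list for
# this example): ICMP, GRE, ESP, ICMPv6.
PORTLESS_PROTOCOLS = {1, 47, 50, 58}


def has_l4_ports(record):
    """True when the record carries usable source and destination ports."""
    return (
        record.get("ip_protocol") not in PORTLESS_PROTOCOLS
        and record.get("src_port") is not None
        and record.get("dst_port") is not None
    )


def infer_client_server(record, enabled=True):
    """Return a copy of record with client/server fields added where inferable.

    Rule from the changelog: for records without L4 ports, the lower IP
    address is the server and the other endpoint is the client. With
    enabled=False (the option switched off) records pass through untouched.
    """
    if not enabled or has_l4_ports(record):
        return dict(record)

    src = ipaddress.ip_address(record["src_ip"])
    dst = ipaddress.ip_address(record["dst_ip"])
    if src.version != dst.version or src == dst:
        # Mixed families cannot be ordered; equal addresses give no signal.
        return dict(record)

    out = dict(record)
    if src < dst:
        out["server_ip"], out["client_ip"] = str(src), str(dst)
    else:
        out["server_ip"], out["client_ip"] = str(dst), str(src)
    return out


def enrich_all(records, enabled=True):
    """Apply inference to a batch of records."""
    return [infer_client_server(r, enabled) for r in records]


# Constructed sample records for this example.
SAMPLE_RECORDS = [
    {"ip_protocol": 1, "src_ip": "192.0.2.10", "dst_ip": "192.0.2.1"},
    {"ip_protocol": 47, "src_ip": "2001:db8::2", "dst_ip": "2001:db8::1"},
    {"ip_protocol": 6, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
     "src_port": 51234, "dst_port": 443},
]

if __name__ == "__main__":
    for rec in enrich_all(SAMPLE_RECORDS):
        print(rec)
```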

Fixes

  • The data type and translation for the Calix bin-duration IE has been fixed.