Docker
A Docker image for the Unified Flow Collector is available on Docker Hub. docker-compose is a convenient way to run it: the environment variables used to configure the collector can be managed in one place instead of being entered on the command line, where they would also end up in shell history and process listings.
docker-compose.yml
The following docker-compose.yml file provides an example with common settings that will likely need to be configured to process flow records and send them to Elasticsearch.
version: '3'
services:
  # ElastiFlow Unified Flow Collector
  flow-collector:
    image: elastiflow/flow-collector:6.3.7
    container_name: flow-collector
    restart: 'unless-stopped'
    network_mode: 'host'
    volumes:
      - /etc/elastiflow:/etc/elastiflow
    environment:
      EF_LICENSE_ACCEPTED: 'false'
      #EF_ACCOUNT_ID: ''
      #EF_FLOW_LICENSE_KEY: ''
      #EF_FLOW_LICENSED_UNITS:
      #EF_INSTANCE_NAME: default
      #EF_API_PORT: 8080
      #EF_API_TLS_ENABLE: ''
      #EF_API_TLS_CERT_FILEPATH: ''
      #EF_API_TLS_KEY_FILEPATH: ''
      #EF_API_BASIC_AUTH_ENABLE: 'false'
      #EF_API_BASIC_AUTH_USERNAME: ''
      #EF_API_BASIC_AUTH_PASSWORD: ''
      #EF_LOGGER_LEVEL: 'info'
      #EF_LOGGER_ENCODING: 'json'
      #EF_LOGGER_FILE_LOG_ENABLE: 'false'
      #EF_LOGGER_FILE_LOG_FILENAME: '/var/log/elastiflow/flowcoll/flowcoll.log'
      #EF_LOGGER_FILE_LOG_MAX_SIZE: 100
      #EF_LOGGER_FILE_LOG_MAX_AGE: ''
      #EF_LOGGER_FILE_LOG_MAX_BACKUPS: 4
      #EF_LOGGER_FILE_LOG_COMPRESS: 'false'
      EF_FLOW_SERVER_UDP_IP: '0.0.0.0'
      EF_FLOW_SERVER_UDP_PORT: 9995
      #EF_FLOW_SERVER_UDP_READ_BUFFER_MAX_SIZE: 134217728
      #EF_FLOW_PACKET_STREAM_MAX_SIZE:
      EF_AWS_VPC_FLOW_LOG_ENABLE: 'false'
      #EF_AWS_VPC_FLOW_LOG_S3_BUCKET: ''
      #EF_AWS_VPC_FLOW_LOG_PREFIX: 'AWSLogs'
      #AWS_REGION: ''
      #AWS_ACCESS_KEY_ID: ''
      #AWS_SECRET_ACCESS_KEY: ''
      #EF_AWS_VPC_FLOW_LOG_TLS_ENABLE: 'false'
      #EF_AWS_VPC_FLOW_LOG_TLS_SKIP_VERIFICATION: 'false'
      #EF_AWS_VPC_FLOW_LOG_TLS_CA_CERT_FILEPATH: ''
      #EF_AWS_VPC_FLOW_LOG_TLS_MIN_VERSION: '1.2'
      #EF_INPUT_FLOW_BENCHMARK_ENABLE: 'false'
      #EF_INPUT_FLOW_BENCHMARK_PACKET_FILE_PATH: '/etc/elastiflow/benchmark/flow/packets.txt'
      #EF_PROCESSOR_POOL_SIZE:
      #EF_PROCESSOR_DECODE_IPFIX_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_NETFLOW1_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_NETFLOW5_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_NETFLOW6_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_NETFLOW7_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_NETFLOW9_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_SFLOW5_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_SFLOW_FLOWS_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_SFLOW_FLOWS_KEEP_SAMPLES: 'false'
      #EF_PROCESSOR_DECODE_SFLOW_COUNTERS_ENABLE: 'true'
      #EF_PROCESSOR_DECODE_MAX_RECORDS_PER_PACKET: 64
      #EF_PROCESSOR_TRANSLATE_KEEP_IDS: 'default'
      EF_PROCESSOR_ENRICH_APP_ID_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_APP_ID_PATH: '/etc/elastiflow/app/appid.yml'
      #EF_PROCESSOR_ENRICH_APP_ID_TTL: 7200
      EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_APP_IPPORT_PATH: '/etc/elastiflow/app/ipport.yml'
      #EF_PROCESSOR_ENRICH_APP_IPPORT_TTL: 7200
      #EF_PROCESSOR_ENRICH_APP_IPPORT_PRIVATE: 'true'
      #EF_PROCESSOR_ENRICH_APP_IPPORT_PUBLIC: 'false'
      #EF_PROCESSOR_ENRICH_APP_REFRESH_RATE: 15
      #EF_PROCESSOR_ENRICH_IPADDR_TTL: 7200
      EF_PROCESSOR_ENRICH_IPADDR_METADATA_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_IPADDR_METADATA_USERDEF_PATH: '/etc/elastiflow/metadata/ipaddrs.yml'
      #EF_PROCESSOR_ENRICH_IPADDR_METADATA_REFRESH_RATE: 15
      EF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE: 'false'
      EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_IP: ''
      EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_TIMEOUT: 3000
      #EF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PRIVATE: 'true'
      #EF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PUBLIC: 'true'
      #EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH: '/etc/elastiflow/hostname/user_defined.yml'
      #EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_REFRESH_RATE: 15
      #EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_PATH: '/etc/elastiflow/hostname/incl_excl.yml'
      #EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_REFRESH_RATE: 15
      EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_PATH: '/etc/elastiflow/maxmind/GeoLite2-ASN.mmdb'
      EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_PATH: '/etc/elastiflow/maxmind/GeoLite2-City.mmdb'
      #EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_VALUES: 'city,country,country_code,location,timezone'
      #EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_LANG: 'en'
      #EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_PATH: '/etc/elastiflow/maxmind/incl_excl.yml'
      #EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE: 15
      EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENDPOINT: 'https://api.passivetotal.org/v2/netflow/blocklist/download'
      #EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_REFRESH_INTERVAL: 1440
      #EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATH: '/etc/elastiflow/riskiq/incl_excl.yml'
      #EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE: 15
      #EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_USER: ''
      #EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_KEY: ''
      #EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUT: 180
      #EF_PROCESSOR_ENRICH_ASN_PREF: 'lookup'
      #EF_PROCESSOR_ENRICH_NETIF_TTL: 7200
      EF_PROCESSOR_ENRICH_NETIF_METADATA_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_NETIF_METADATA_USERDEF_PATH: '/etc/elastiflow/metadata/ipaddrs.yml'
      #EF_PROCESSOR_ENRICH_NETIF_METADATA_REFRESH_RATE: 15
      EF_PROCESSOR_ENRICH_NETIF_FLOW_OPTIONS_ENABLE: 'true'
      EF_PROCESSOR_ENRICH_NETIF_SNMP_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_PORT: 161
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_VERSION: 2
      EF_PROCESSOR_ENRICH_NETIF_SNMP_COMMUNITIES: 'public'
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_USERNAME: ''
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_AUTHENTICATION_PROTOCOL: 'noauth'
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_AUTHENTICATION_PASSPHRASE: ''
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_PRIVACY_PROTOCOL: 'nopriv'
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_PRIVACY_PASSPHRASE: ''
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_TIMEOUT: 2
      #EF_PROCESSOR_ENRICH_NETIF_SNMP_RETRIES: 1
      #EF_PROCESSOR_ENRICH_TOTALS_IF_NO_DELTAS: 'false'
      #EF_PROCESSOR_ENRICH_SAMPLERATE_CACHE_SIZE: 32768
      #EF_PROCESSOR_ENRICH_SAMPLERATE_USERDEF_ENABLE: 'false'
      #EF_PROCESSOR_ENRICH_SAMPLERATE_USERDEF_PATH: '/etc/elastiflow/settings/sample_rate.yml'
      #EF_PROCESSOR_ENRICH_SAMPLERATE_USERDEF_OVERRIDE: 'false'
      #EF_PROCESSOR_ENRICH_COMMUNITYID_ENABLE: 'true'
      #EF_PROCESSOR_ENRICH_COMMUNITYID_SEED: 0
      #EF_PROCESSOR_ENRICH_CONVERSATIONID_ENABLE: 'true'
      #EF_PROCESSOR_ENRICH_CONVERSATIONID_SEED: 0
      #EF_PROCESSOR_ENRICH_JOIN_ASN: 'true'
      #EF_PROCESSOR_ENRICH_JOIN_GEOIP: 'true'
      #EF_PROCESSOR_ENRICH_JOIN_SEC: 'true'
      #EF_PROCESSOR_ENRICH_JOIN_NETATTR: 'true'
      #EF_PROCESSOR_ENRICH_JOIN_SUBNETATTR: 'true'
      #EF_PROCESSOR_DURATION_PRECISION: 'ms'
      #EF_PROCESSOR_TIMESTAMP_PRECISION: 'ms'
      #EF_PROCESSOR_PERCENT_NORM: 100
      #EF_PROCESSOR_EXPAND_CLISRV: 'true'
      #EF_PROCESSOR_EXPAND_CLISRV_NO_L4_PORTS: 'true'
      #EF_PROCESSOR_KEEP_CPU_TICKS: 'false'
      #EF_PROCESSOR_DROP_FIELDS: ''
      #EF_PROCESSOR_IFA_ENABLE: 'false'
      #EF_PROCESSOR_IFA_WORKER_SIZE: 0
      # stdout
      #EF_OUTPUT_STDOUT_ENABLE: 'false'
      #EF_OUTPUT_STDOUT_FORMAT: 'json_pretty'
      # monitor
      #EF_OUTPUT_MONITOR_ENABLE: 'false'
      #EF_OUTPUT_MONITOR_INTERVAL: 300
      # Elasticsearch
      EF_OUTPUT_ELASTICSEARCH_ENABLE: 'false'
      EF_OUTPUT_ELASTICSEARCH_ECS_ENABLE: 'false'
      #EF_OUTPUT_ELASTICSEARCH_BATCH_DEADLINE: 2000
      #EF_OUTPUT_ELASTICSEARCH_BATCH_MAX_BYTES: 8388608
      #EF_OUTPUT_ELASTICSEARCH_TIMESTAMP_SOURCE: 'collect'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_PERIOD: 'rollover'
      #EF_OUTPUT_ELASTICSEARCH_TSDS_ENABLE: 'false'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX: ''
      #EF_OUTPUT_ELASTICSEARCH_DROP_FIELDS: ''
      #EF_OUTPUT_ELASTICSEARCH_ALLOWED_RECORD_TYPES: 'as_path_hop,flow_option,flow,telemetry'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ENABLE: 'true'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_OVERWRITE: 'true'
      EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_SHARDS: 1
      EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REPLICAS: 0
      #EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL: '10s'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_CODEC: 'best_compression'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE: 'elastiflow'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_PIPELINE_DEFAULT: '_none'
      #EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_PIPELINE_FINAL: '_none'
      # A comma separated list of Elasticsearch nodes to use. DO NOT include "http://" or "https://"
      EF_OUTPUT_ELASTICSEARCH_ADDRESSES: '127.0.0.1:9200'
      EF_OUTPUT_ELASTICSEARCH_USERNAME: 'elastic'
      EF_OUTPUT_ELASTICSEARCH_PASSWORD: 'changeme'
      #EF_OUTPUT_ELASTICSEARCH_CLOUD_ID: ''
      #EF_OUTPUT_ELASTICSEARCH_API_KEY: ''
      #EF_OUTPUT_ELASTICSEARCH_CLIENT_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_ELASTICSEARCH_CLIENT_CERT_FILEPATH: ''
      #EF_OUTPUT_ELASTICSEARCH_CLIENT_KEY_FILEPATH: ''
      EF_OUTPUT_ELASTICSEARCH_TLS_ENABLE: 'false'
      EF_OUTPUT_ELASTICSEARCH_TLS_SKIP_VERIFICATION: 'false'
      EF_OUTPUT_ELASTICSEARCH_TLS_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_ELASTICSEARCH_RETRY_ENABLE: 'true'
      #EF_OUTPUT_ELASTICSEARCH_RETRY_ON_TIMEOUT_ENABLE: 'true'
      #EF_OUTPUT_ELASTICSEARCH_MAX_RETRIES: 3
      #EF_OUTPUT_ELASTICSEARCH_RETRY_BACKOFF: 1000
      # OpenSearch
      EF_OUTPUT_OPENSEARCH_ENABLE: 'false'
      EF_OUTPUT_OPENSEARCH_ECS_ENABLE: 'false'
      #EF_OUTPUT_OPENSEARCH_BATCH_DEADLINE: 2000
      #EF_OUTPUT_OPENSEARCH_BATCH_MAX_BYTES: 8388608
      #EF_OUTPUT_OPENSEARCH_TIMESTAMP_SOURCE: 'collect'
      #EF_OUTPUT_OPENSEARCH_INDEX_PERIOD: 'daily'
      #EF_OUTPUT_OPENSEARCH_INDEX_SUFFIX: ''
      #EF_OUTPUT_OPENSEARCH_DROP_FIELDS: ''
      #EF_OUTPUT_OPENSEARCH_ALLOWED_RECORD_TYPES: 'as_path_hop,flow_option,flow,telemetry'
      #EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_ENABLE: 'true'
      #EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_OVERWRITE: 'true'
      EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_SHARDS: 1
      EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_REPLICAS: 0
      #EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL: '10s'
      #EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_CODEC: 'best_compression'
      #EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_ISM_POLICY: 'elastiflow'
      #EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_PIPELINE_DEFAULT: '_none'
      #EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_PIPELINE_FINAL: '_none'
      # A comma separated list of OpenSearch nodes to use. DO NOT include "http://" or "https://"
      EF_OUTPUT_OPENSEARCH_ADDRESSES: '127.0.0.1:9200'
      EF_OUTPUT_OPENSEARCH_USERNAME: 'admin'
      EF_OUTPUT_OPENSEARCH_PASSWORD: 'admin'
      #EF_OUTPUT_OPENSEARCH_CLIENT_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_OPENSEARCH_CLIENT_CERT_FILEPATH: ''
      #EF_OUTPUT_OPENSEARCH_CLIENT_KEY_FILEPATH: ''
      EF_OUTPUT_OPENSEARCH_TLS_ENABLE: 'false'
      EF_OUTPUT_OPENSEARCH_TLS_SKIP_VERIFICATION: 'false'
      EF_OUTPUT_OPENSEARCH_TLS_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_OPENSEARCH_RETRY_ENABLE: 'true'
      #EF_OUTPUT_OPENSEARCH_RETRY_ON_TIMEOUT_ENABLE: 'true'
      #EF_OUTPUT_OPENSEARCH_MAX_RETRIES: 3
      #EF_OUTPUT_OPENSEARCH_RETRY_BACKOFF: 1000
      # Splunk
      EF_OUTPUT_SPLUNK_HEC_ENABLE: 'false'
      #EF_OUTPUT_SPLUNK_HEC_CIM_ENABLE: 'false'
      EF_OUTPUT_SPLUNK_HEC_ADDRESSES: '127.0.0.1:8088'
      EF_OUTPUT_SPLUNK_HEC_TOKEN: ''
      #EF_OUTPUT_SPLUNK_HEC_BATCH_MAX_BYTES: 8388608
      #EF_OUTPUT_SPLUNK_HEC_BATCH_DEADLINE: 2000
      #EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE: 'true'
      #EF_OUTPUT_SPLUNK_HEC_TLS_SKIP_VERIFICATION: 'false'
      #EF_OUTPUT_SPLUNK_HEC_TLS_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_SPLUNK_HEC_DROP_FIELDS: ''
      # Kafka
      EF_OUTPUT_KAFKA_ENABLE: 'false'
      EF_OUTPUT_KAFKA_BROKERS: ''
      #EF_OUTPUT_KAFKA_VERSION: '1.0.0'
      #EF_OUTPUT_KAFKA_TOPIC: 'elastiflow-flow-codex'
      #EF_OUTPUT_KAFKA_PARTITION_KEY: 'flow.export.ip.addr'
      #EF_OUTPUT_KAFKA_CLIENT_ID: 'elastiflow-flowcoll'
      #EF_OUTPUT_KAFKA_RACK_ID: ''
      #EF_OUTPUT_KAFKA_TIMEOUT: 30
      #EF_OUTPUT_KAFKA_DROP_FIELDS: ''
      #EF_OUTPUT_KAFKA_ALLOWED_RECORD_TYPES: 'as_path_hop,flow_option,flow,telemetry'
      #EF_OUTPUT_KAFKA_FLAT_RECORD_ENABLE: 'true'
      EF_OUTPUT_KAFKA_SASL_ENABLE: 'false'
      #EF_OUTPUT_KAFKA_SASL_USERNAME: ''
      #EF_OUTPUT_KAFKA_SASL_PASSWORD: ''
      #EF_OUTPUT_KAFKA_TLS_ENABLE: 'false'
      #EF_OUTPUT_KAFKA_TLS_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_KAFKA_TLS_CERT_FILEPATH: ''
      #EF_OUTPUT_KAFKA_TLS_KEY_FILEPATH: ''
      #EF_OUTPUT_KAFKA_TLS_SKIP_VERIFICATION: 'false'
      #EF_OUTPUT_KAFKA_PRODUCER_MAX_MESSAGE_BYTES: 1000000
      #EF_OUTPUT_KAFKA_PRODUCER_REQUIRED_ACKS: 1
      #EF_OUTPUT_KAFKA_PRODUCER_TIMEOUT: 10
      #EF_OUTPUT_KAFKA_PRODUCER_COMPRESSION: 3
      #EF_OUTPUT_KAFKA_PRODUCER_COMPRESSION_LEVEL: -1000
      #EF_OUTPUT_KAFKA_PRODUCER_FLUSH_BYTES: 1000000
      #EF_OUTPUT_KAFKA_PRODUCER_FLUSH_MESSAGES: 1024
      #EF_OUTPUT_KAFKA_PRODUCER_FLUSH_FREQUENCY: 1000
      #EF_OUTPUT_KAFKA_PRODUCER_FLUSH_MAX_MESSAGES: 0
      #EF_OUTPUT_KAFKA_PRODUCER_RETRY_MAX: 3
      #EF_OUTPUT_KAFKA_PRODUCER_RETRY_BACKOFF: 100
      # Cribl
      EF_OUTPUT_CRIBL_ENABLE: 'false'
      EF_OUTPUT_CRIBL_ADDRESSES: '127.0.0.1:10080'
      EF_OUTPUT_CRIBL_TOKEN: ''
      #EF_OUTPUT_CRIBL_BATCH_DEADLINE: 2000
      #EF_OUTPUT_CRIBL_BATCH_MAX_BYTES: 8388608
      #EF_OUTPUT_CRIBL_TLS_ENABLE: 'false'
      #EF_OUTPUT_CRIBL_TLS_SKIP_VERIFICATION: 'false'
      #EF_OUTPUT_CRIBL_TLS_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_CRIBL_DROP_FIELDS: ''
      # Generic HTTP
      EF_OUTPUT_GENERIC_HTTP_ENABLE: 'false'
      EF_OUTPUT_GENERIC_HTTP_ECS_ENABLE: 'false'
      #EF_OUTPUT_GENERIC_HTTP_BATCH_DEADLINE: 2000
      #EF_OUTPUT_GENERIC_HTTP_BATCH_MAX_BYTES: 8388608
      EF_OUTPUT_GENERIC_HTTP_ADDRESSES: ''
      #EF_OUTPUT_GENERIC_HTTP_USERNAME: ''
      #EF_OUTPUT_GENERIC_HTTP_PASSWORD: ''
      #EF_OUTPUT_GENERIC_HTTP_TLS_ENABLE: 'false'
      #EF_OUTPUT_GENERIC_HTTP_TLS_SKIP_VERIFICATION: 'false'
      #EF_OUTPUT_GENERIC_HTTP_TLS_CA_CERT_FILEPATH: ''
      #EF_OUTPUT_GENERIC_HTTP_DROP_FIELDS: ''
      #EF_OUTPUT_GENERIC_HTTP_TIMESTAMP_SOURCE: 'collect'
      # RiskIQ
      EF_OUTPUT_RISKIQ_ENABLE: 'false'
      #EF_OUTPUT_RISKIQ_HOST: ''
      #EF_OUTPUT_RISKIQ_PORT:
      #EF_OUTPUT_RISKIQ_CUSTOMER_UUID: ''
      #EF_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY: ''
image
The name of the current released image is elastiflow/flow-collector:6.3.7.
restart
restart is set to unless-stopped so that the collector will restart automatically if it fails for some reason.
network_mode
There is an old Docker issue that still persists: the source IP address of an inbound packet is not preserved across the Docker bridge interface. This is not a problem for sFlow, because the exporter's IP is taken from the agent_address field in the sFlow header. For NetFlow and IPFIX, however, the source IP from the IP header is the only information available to determine which device sent the records, and the Docker bridge destroys it.
To work around this issue network_mode must be set to host.
Note that host networking removes the network isolation between the container and the host. The UDP listener (EF_FLOW_SERVER_UDP_IP and EF_FLOW_SERVER_UDP_PORT, 0.0.0.0:9995 in the example) and the collector's API port (EF_API_PORT, 8080 by default) bind directly on the host's interfaces. Restrict them with a host firewall to the exporters and clients that need them, and enable EF_API_TLS_ENABLE and EF_API_BASIC_AUTH_ENABLE if the API is reachable from anywhere other than localhost.
On macOS, Docker containers do not run natively on the operating system; they run inside a behind-the-scenes Linux VM. In that case host networking would be the network stack of the VM and not of macOS itself, so bridged networking must be used and the necessary port mappings defined. Because of the source IP issue mentioned above, you will not be able to do much on macOS other than basic testing.
volumes
There are a few scenarios where it is necessary to make files on the host file system available to the collector.
In the example above, /etc/elastiflow on the host's filesystem is mapped into the same path within the container. After downloading the GeoLite2-City and GeoLite2-ASN MaxMind databases from the MaxMind website, they can be placed at /etc/elastiflow/maxmind on the host's filesystem, where the collector can read them from within the container.
The collector only reads what is under /etc/elastiflow (the databases, the user-defined YAML files, and any certificate or key files referenced by the *_FILEPATH settings), so the bind mount can be made read-only by appending :ro to the volume entry. Private key files placed there should be readable only by the user the collector runs as.
It is also possible to build a new container image, adding additional files as needed. This may be the best choice when running the container in a dynamically orchestrated environment (e.g. Kubernetes). For an instance dedicated to a specific host, however, bind-mounted volumes are very convenient.
environment variables
The Unified Flow Collector is configured using environment variables. The settings above are an example configuration covering the settings most likely to need review and modification when deploying the collector.
Treat the values in the example as placeholders rather than defaults to keep: EF_LICENSE_ACCEPTED must be set to 'true', the Elasticsearch and OpenSearch credentials (elastic/changeme and admin/admin) and the SNMP community 'public' must be replaced, and TLS should be enabled (with EF_OUTPUT_*_TLS_SKIP_VERIFICATION left at 'false') for any output that leaves the host. Environment variables are visible to anyone who can run docker inspect on the host, so keep the docker-compose.yml file itself readable only by the administrators who need it.
For a complete reference of all configuration options please refer to the Configuration Environment Variable Reference.
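As an added example that is not part of the ElastiFlow documentation or the collector itself, the following POSIX shell script audits the environment block of a docker-compose.yml like the one above for the settings that most often ship unchanged: EF_LICENSE_ACCEPTED (which must be 'true' for the collector to run), the API left unprotected while network_mode is host, enabled outputs without TLS or with certificate verification switched off, and the placeholder credentials. The variable names are the collector's; the check logic is mine. It treats a commented-out EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE as 'true' because that is the documented default, and the other outputs as TLS-off when unset. The compose fragment it writes is constructed for the example (the documented file with only the Elasticsearch output switched on).

```shell
#!/bin/sh
# Added example, not part of the ElastiFlow docs or the flow-collector code.
# Audits the "KEY: value" lines in a flow-collector docker-compose.yml for
# settings that leave the collector or its outputs exposed. Only uncommented
# lines count; surrounding quotes are stripped. Exit status 1 means findings.

# ef_get FILE KEY: print the value of KEY, or nothing if absent or commented out.
ef_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed "s/^['\"]//; s/['\"][[:space:]]*\$//"
}

# ef_is FILE KEY VALUE: succeed when KEY is set to exactly VALUE.
ef_is() {
  [ "$(ef_get "$1" "$2")" = "$3" ]
}

EF_FINDINGS=0
ef_finding() {
  echo "FINDING: $1"
  EF_FINDINGS=$((EF_FINDINGS + 1))
}

# audit_compose FILE: print findings; return 0 when clean, 1 otherwise.
audit_compose() {
  f=$1
  EF_FINDINGS=0

  ef_is "$f" EF_LICENSE_ACCEPTED true \
    || ef_finding "EF_LICENSE_ACCEPTED is not 'true'"

  # With network_mode: host the API port binds on the host's own interfaces.
  if grep -Eq "^[[:space:]]*network_mode:[[:space:]]*['\"]?host" "$f"; then
    ef_is "$f" EF_API_BASIC_AUTH_ENABLE true \
      || ef_finding "API reachable on host network without basic auth (EF_API_BASIC_AUTH_ENABLE)"
    ef_is "$f" EF_API_TLS_ENABLE true \
      || ef_finding "API reachable on host network without TLS (EF_API_TLS_ENABLE)"
  fi

  # Every enabled output must use TLS and must not bypass certificate checks.
  # Splunk HEC defaults TLS on when the variable is commented out; the others default off.
  for out in ELASTICSEARCH OPENSEARCH SPLUNK_HEC KAFKA CRIBL GENERIC_HTTP; do
    ef_is "$f" "EF_OUTPUT_${out}_ENABLE" true || continue
    tls=$(ef_get "$f" "EF_OUTPUT_${out}_TLS_ENABLE")
    case "${out}:${tls}" in
      SPLUNK_HEC:|*:true) ;;
      *) ef_finding "$out output enabled without TLS (EF_OUTPUT_${out}_TLS_ENABLE)" ;;
    esac
    ef_is "$f" "EF_OUTPUT_${out}_TLS_SKIP_VERIFICATION" true \
      && ef_finding "$out output skips certificate verification"
  done

  # Placeholder credentials from the example file must not reach production.
  if ef_is "$f" EF_OUTPUT_ELASTICSEARCH_ENABLE true && ef_is "$f" EF_OUTPUT_ELASTICSEARCH_PASSWORD changeme; then
    ef_finding "Elasticsearch output uses the placeholder password 'changeme'"
  fi
  if ef_is "$f" EF_OUTPUT_OPENSEARCH_ENABLE true && ef_is "$f" EF_OUTPUT_OPENSEARCH_PASSWORD admin; then
    ef_finding "OpenSearch output uses the default password 'admin'"
  fi
  if ef_is "$f" EF_PROCESSOR_ENRICH_NETIF_SNMP_ENABLE true && ef_is "$f" EF_PROCESSOR_ENRICH_NETIF_SNMP_COMMUNITIES public; then
    ef_finding "SNMP interface enrichment uses the default community 'public'"
  fi

  echo "$EF_FINDINGS finding(s) in $f"
  [ "$EF_FINDINGS" -eq 0 ]
}

# Constructed sample: the documented example with only the Elasticsearch
# output switched on, which is the state many first deployments are in.
ef_write_sample() {
  cat > "$1" <<'EOF'
services:
  flow-collector:
    image: elastiflow/flow-collector:6.3.7
    network_mode: 'host'
    environment:
      EF_LICENSE_ACCEPTED: 'false'
      #EF_API_BASIC_AUTH_ENABLE: 'false'
      EF_FLOW_SERVER_UDP_IP: '0.0.0.0'
      EF_PROCESSOR_ENRICH_NETIF_SNMP_ENABLE: 'false'
      EF_PROCESSOR_ENRICH_NETIF_SNMP_COMMUNITIES: 'public'
      EF_OUTPUT_ELASTICSEARCH_ENABLE: 'true'
      EF_OUTPUT_ELASTICSEARCH_ADDRESSES: '127.0.0.1:9200'
      EF_OUTPUT_ELASTICSEARCH_USERNAME: 'elastic'
      EF_OUTPUT_ELASTICSEARCH_PASSWORD: 'changeme'
      EF_OUTPUT_ELASTICSEARCH_TLS_ENABLE: 'false'
      EF_OUTPUT_ELASTICSEARCH_TLS_SKIP_VERIFICATION: 'false'
      EF_OUTPUT_OPENSEARCH_ENABLE: 'false'
      EF_OUTPUT_OPENSEARCH_PASSWORD: 'admin'
EOF
}

EF_SAMPLE=$(mktemp)
ef_write_sample "$EF_SAMPLE"
if audit_compose "$EF_SAMPLE"; then
  echo "clean: safe to docker-compose up -d"
else
  echo "fix the findings above before docker-compose up -d"
fi
rm -f "$EF_SAMPLE"
```

Run it against the real file with `audit_compose /PATH/TO/docker-compose.yml` before `docker-compose up -d`; the constructed sample yields five findings (license flag, API without basic auth, API without TLS, Elasticsearch without TLS, placeholder Elasticsearch password), while the disabled OpenSearch and SNMP settings are correctly ignored because an unused credential is not yet a risk.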
Running the Container
After completing the configuration of the collector in the docker-compose.yml file, you can start the container using one of the following commands.
From within the same path as the docker-compose.yml file:
docker-compose up -d
From a path different from the location of the docker-compose.yml file:
docker-compose -f /PATH/TO/docker-compose.yml up -d
To view the logs written by the container run (the example above sets container_name to flow-collector):
docker logs -f NAME_OF_CONTAINER
To stop the container run:
docker-compose down
or:
docker-compose -f /PATH/TO/docker-compose.yml down