Skip to main content
Version: 7.2

Upgrading to 7.0

Upgrading to 7.0

Upgrading to 7.0 should be straightforward for most users as the breaking changes are limited to a few specific features.

Here's a high level overview of when you need to make any changes:

  • If you are using AWS VPC Flogs logs, you will need to rename some config options (see below).
  • If you are using RiskIQ for threat enrichment, we will automatically move you over to NetIntel threat enrichment (see below for steps and requirements).
  • If you are using our community version, you might want to consider switching over to a free basic license to continue to collect up to 4000 flow records per organization.
  • If you are upgrading from 5.x, please make sure to follow the 6.x upgrade steps first.

Naming Changes

In order to align our new product offerings, we have established new product names with the release of 7.0:

Previous nameNew name
Unified Flow CollectorNetObserv Flow
Unified SNMP CollectorNetObserv SNMP

We will refer to NetObserv when talking about both Flow & SNMP.

Licensing Options

LicenseField6.xNotes for 7.0
BasicSupported flow fields1020All (7400+)
CommunitySupported flow records per second4000500

RiskIQ is reaching end of life on June 30th 2024

In NetObserv 7.0 RiskIQ is no longer supported for threat enrichment. Instead, ElastiFlow NetIntel is enabled by default in 7.0 to provide threat enrichment for the Threats dashboards. No configuration changes are required when upgrading to 7.0. Click here for more information on how to set up NetIntel enrichment. The following table shows all configuration options added/removed as part of this change. The RiskIQ related options can be safely removed from your flowcoll.yml config file. They are ignored in 7.0.

6.x OptionStatusNotes for 7.0
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLERemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENDPOINTRemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_REFRESH_INTERVALRemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATHRemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_REFRESH_RATERemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_USERRemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_KEYRemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUTRemoved---
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUTRemoved---
---AddedEF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE

AWS VPC Flow log configuration

In order to support more options to retrieve AWS VPC Flow logs and Transit Gateway logs, we made the following naming changes to the configuration options related to VPC Flow logs:

6.x OptionStatusNotes for 7.0
EF_AWS_VPC_FLOW_LOG_ENABLERenamedEF_AWS_VPC_FLOW_LOG_S3_ENABLE
EF_AWS_VPC_FLOW_LOG_PREFIXRenamedEF_AWS_VPC_FLOW_LOG_S3_PREFIX
EF_AWS_VPC_FLOW_LOG_POOL_SIZERenamedEF_AWS_VPC_FLOW_LOG_S3_POOL_SIZE
EF_AWS_VPC_FLOW_LOG_TLS_ENABLERenamedEF_AWS_VPC_FLOW_LOG_S3_TLS_ENABLE
EF_AWS_VPC_FLOW_LOG_TLS_SKIP_VERIFICATIONRenamedEF_AWS_VPC_FLOW_LOG_S3_TLS_SKIP_VERIFICATION
EF_AWS_VPC_FLOW_LOG_TLS_CA_CERT_FILEPATHRenamedEF_AWS_VPC_FLOW_LOG_S3_TLS_CA_CERT_FILEPATH
EF_AWS_VPC_FLOW_LOG_TLS_MIN_VERSIONRenamedEF_AWS_VPC_FLOW_LOG_S3_TLS_MIN_VERSION
---AddedEF_AWS_VPC_FLOW_LOG_FIREHOSE_S3_ENABLE
---AddedEF_AWS_VPC_FLOW_LOG_FIREHOSE_S3_LOG_FORMAT

Configuration Changes

To keep our configuration options uniform and organized, we changed one config option that was not following our naming schema:

6.x OptionStatusNotes for 7.0
EF_INPUT_FLOW_BENCHMARK_PACKET_FILE_PATHRENAMEDEF_INPUT_FLOW_BENCHMARK_PACKET_FILEPATH