Network Interfaces
Flow records generally include the index of ingress and egress interfaces by which the network traffic traversed the exporting device. NetObserv Flow will attempt to determine the names, and additional attributes, of these interfaces as learned from Netflow v9 or IPFIX option records, determined by polling the exporting device using SNMP or specified in user-defined metadata.
The network interface enrichment module provides supplemental information for network interface, such as name (ifName), description (ifDescr), alias (ifAlias), type (ifType), bandwidth (ifSpeed/ifHighSpeed), committed information rate (CIR), user-defined tags, and additional user-defined metadata. Values are cached for improved performance and flow record throughput.
This page provide detailed information about User-Defined Metadata Enrichment.
User-Defined Metadata Enrichment
An example of the format of this file is:
10.0.0.1:
1:
ifName: lo
ifDescr: lo
ifAlias: lo
ifType: 24
ifSpeed: 10000000
tags:
- router_mgmt
metadata:
sec.zone.name: network
3:
internal: false
ifName: eth0
ifDescr: eth0
ifAlias: internet
ifType: 6
ifSpeed: 1000000000
cirIn: 200000000
cirOut: 12000000
tags:
- verizon
metadata:
sec.zone.name: internet
10.0.0.2:
501:
ifName: vlan
ifDescr: vlan
ifSpeed: 1000000000
502:
ifName: ge-0/0/0
ifDescr: ge-0/0/0
ifSpeed: 1000000000
Metadata Types
The User-Defined Metadata enricher supports a combination of pre-defined metadata types as well as the ability to provide custom data as key-value pairs. This section describes the various metadata types. The following table provides a summary of these types.
| Attribute | Data Type | Field Populated | Description |
|---|---|---|---|
ifName | string | <object>.netif.name | The textual name of the interface. The value of this object should be the name of the network interface as assigned by the device. |
ifDescr | string | <object>.netif.descr | A textual string containing information about the network interface. |
ifAlias | string | <object>.netif.alias | An administratively defined "alias" name for the interface. |
ifType | unsigned | <object>.netif.type.id, <object>.netif.type.name | The type of interface as specified in IF-MIB (RFC 2233). Additional values for ifType are assigned by the Internet Assigned Numbers Authority (IANA) via updates to the syntax of the IANAifType textual convention. |
ifSpeed | unsigned | <object>.netif.bandwidth.bw | The interface's bandwidth in bits per second. |
cirIn | unsigned | <object>.netif.bandwidth.prov.in | The interface's ingress provisioned maximum bandwidth in bits per second. |
cirOut | unsigned | <object>.netif.bandwidth.prov.out | The interface's egress provisioned maximum bandwidth in bits per second. |
internal | bool | <object>.isInternal | Specifies whether or not the network interface is connected to a network considered to be "internal". |
tags | array of strings | <object>.netif.tags | Tags that describe attributes of the network interface. |
metadata | sequence of attributes | <object><attribute> or <attribute> | Key-value pairs which will be added at the network interface object or record levels. |
metadata
metadata is a list of key-value pairs which will be added as fields to the record. These can either be custom fields specific to the needs of the user, or existing fields from the ElastiFlow CODEX schema. When CODEX fields are specified, the configured metadata value will override any values that already exist in the record.
If you have enabled ECS (Elasticsearch/OpenSearch) or CIM (Splunk) support and want to override values from these schemas, you must specify the CODEX equivalent fields in the metadata attribute. Metadata is applied in the decoder portion of the collector, where all data is still in the CODEX schema. Conversion to other schemas is output-specific and thus occurs at a later phase of processing.
Key names can be specified with or without a leading ..
- If specified with a leading
., the field will be placed within the parent object containing the network interface. - If specified without a leading
., the field will be placed at the root of the record.
Consider a network interface from flow.in.netif.index:
- If the metadata key is defined as
.circuit.name, the value would be assigned toflow.in.netif.circuit.name. - If the metadata key is defined as
circuit.name, the value would be assigned directly tocircuit.name.