search
Ctrlk

Changelog

hashtag
7.25.0 - May 7, 2026

hashtag
Features

  • Elasticsearch Output - Added ignore_malformed to index templates for TSDS output.

hashtag
Fixes

  • NetObserv Flow - fix sample rate determination for all scenarios.

  • Elasticsearch Output - log an additional error when the bulk api returns 200 but has error in response payload.

hashtag
7.24.0 - Apr 28, 2026

hashtag
Features

  • NetObserv Flow - For userdefined metadata feature (User-Defined Metadata (UDM) for Addresses), added 'contexts' support. Now you can configure NetObserv Flow, for example, to only add some enrichment to the 'exporter' fields.

hashtag
Fixes

  • NetObserv Flow - improved error logging for Azure VNET input.

hashtag
7.23.0 - Apr 17, 2026

hashtag
Features

  • NetObserv Flow - packet parser supports ERSPAN headers.

  • NetObserv Flow - supports latest Calix information elements.

hashtag
Fixes

  • NetObserv SNMP - fixed IP metadata enrichment.

hashtag
7.22.0 - Mar 20, 2026

circle-info

NetObserv SNMP changed and improved how polling intervals work. The new poll_intervals configuration option will override poll_interval .

If you have customized any snmp definition files, you should consider updating them to include the new type object attribute.

hashtag
Features

  • NetObserv SNMP: Smart Object Polling - NetObserv SNMP allows collection to be fine-tuned by setting polling intervals for different types of SNMP objects. Instead of using the same polling interval for all SNMP objects, NetObserv can poll less frequently for object types that do not change as frequently.

  • NetObserv (All) - New fields added: collector.host.name and collector.ip.addr .

    • collector.host.name is the hostname of the system running the NetObserv collector.

    • collector.ip.addr is the IP address of the system running the NetObserv collector. For systems with multiple IP addresses, it will be the IP of the interface through which the system reaches its default gateway.

  • NetObserv SNMP - Added additional SNMP MIB support: https://github.com/elastiflow/snmp/releases/tag/v1.23.0arrow-up-right

hashtag
Fixes

  • NetObserv Flow - NetIntel enrichment no longer overrides app.name, app.category.name, and app.subcategory.name when those fields are already set from the received flow records.

  • NetObserv SNMP - Fixed an issue where "degraded" device status checks did not always work. Also added error and warning logs so that any underlying errors (such as socket permission errors) are displayed in logs for troubleshooting.

    • This issue was resolved by adding the CAP_NET_RAW permission to the service file. NetObserv SNMP must have permission to create/send ping requests to detect 'degraded' status. In some Linux distributions, that permission is not automatic. CAP_NET_RAW grants the process the capability to use RAW and PACKET sockets and to bind to any address for transparent proxying.

hashtag
7.21.4 - Mar 13, 2026

hashtag
Features

  • NetObserv Flow - Added support for additional IPFIX information elements.

hashtag
7.21.3 - Mar 13, 2026

hashtag
Fixes

  • OTel Trace Input - Fixed flow.direction.id and flow.direction.name fields to be correct.

hashtag
7.21.2 - Mar 12, 2026

hashtag
Fixes

  • Azure VNet Input - Export type labels for Azure VNet Logs are now correctly set, resolving an issue where the "Flow Records" dashboard failed to render the flow record source for this input.

  • OTel Trace Input - Spans received by the OTel Trace Input are now attributed with an export type of "OTel Flow Span", resolving an issue where the "Flow Records" dashboard failed to render the flow record source for this input.

  • OTel Trace Input - Host metadata is now resolved from OTLP resource attributes for records sourced by the OTel Trace Input, fixing a number of display issues across several dashboards when viewing these records.

hashtag
7.21.1 - Feb 9, 2026

hashtag
Fixes

  • OTLP Input - Resolved an issue where the readiness endpoint would incorrectly report a failure when the OTLP input was enabled.

hashtag
7.21.0 - Feb 3, 2026

circle-exclamation

hashtag
Warning

If you use the namespace ability in your configurationarrow-up-right, you can no longer use namespaced output instances and non-namespaced output instances at the same time. For example, if you are using Elasticsearch output, and you have configuration that looks like this:

NetObserv will throw an error now. Previously there was a bug that allowed this invalid configuration.

hashtag
Features

  • NetObserv Configuration - You can now encrypt some NetObserv configuration files on disk; for full details see Encrypting Configuration Files.

  • OTel Trace Input - Added support for OpenTelemetry Protocol (OTLP) trace ingestion with namespace-based configuration. Supports both gRPC and HTTP ingestion; for full details on configuration see Trace.

  • OTel Trace Output - Added support for OpenTelemetry Protocol (OTLP) trace exporting with namespace-based configuration. Supports exporting in both gRPC and HTTP formats; for full details on configuration see Trace.

  • NetObserv Flow - added support for deriving flow records from dataLinkFrameSection (IANA IE 315)

  • NetObserv Flow - added support for GENEVE tunnels when parsing sFlow, IFA and dataLinkFrameSection sampled headers.

hashtag
Updates

  • Kafka Output - corrected a possible deadlock condition when using a TLS connection to brokers.

  • OTLP Output - some fields (like 'container.name') are replaced with source/destination fields (like 'source.container.name' and 'destination.container.name').

hashtag
Fixes

  • Outputs - NetObserv will correctly throw an error if you misconfigure namespaces in configuration.

  • NetObserv Flow - Fixed an issue with the caching of some option data templates which could cause a panic in some scenarios.

  • NetObserv Flow - NetObserv will now ignore, within flow records, extra fields where ip address is set to "zero value" (0.0.0.0 or ::0). Previously it would set an ip address field to the zero address and ignore real values.

hashtag
7.20.0 - December 11, 2025

hashtag
Updates

  • Kafka Output - Added support for encrypted private keys when using mTLS. See EF_OUTPUT_KAFKA_TLS_KEY_PASSPHRASE for usage.

  • SNMP Definitions - Released snmp v1.21.0arrow-up-right for additional MIB support (PowerNet-MIB::upsAdvTest).

hashtag
Fixes

  • NetObserv Flow - Fixed a bug where ports 9411 and 9412 were claimed by NetObserv process when they should not have been.

hashtag
Notes

If you are upgrading NetObserv SNMP, you will need to follow the Manual Upgrade Steps for SNMP definition files.

hashtag
7.19.3 - November 21, 2025

hashtag
Updates

hashtag
Fixes

  • SNMP Poll Schedule Persistence - Fixed an issue where poll schedules were not correctly persisted across collector restarts when persistence was enabled (EF_INPUT_SNMP_PERSIST_ENABLE=true).

  • Collector Process Exit - Fixed an issue where pressing Ctrl+C did not properly exit the NetObserv collector process.

hashtag
7.19.2 - November 6, 2025

hashtag
Fixes

  • OpenSearch Output - Fixed an issue where unused and unnecessary indices were being created on startup.

hashtag
7.19.1 - November 4, 2025

hashtag
Fixes

  • NetObserv - Fixed an issue which could prevent NetObserv from booting correctly.

  • OpenSearch Output - Fixed an issue where retry configuration was not respected.

hashtag
7.19.0 - October 31, 2025

hashtag
Updates

hashtag
Fixes

  • Metadata Enrichment - Fixed an issue where the API to manage user-defined metadata would panic.

hashtag
Notes

If you are upgrading NetObserv SNMP Trap, you will need to follow the Manual Upgrade Steps for SNMP definition files.

hashtag
7.18.1 - October 17, 2025

hashtag
Fixes

  • OpenSearch Output - Improved logging. Whenever username/password is incorrect, you will now see a more full message saying 'Unauthorized'.

hashtag
7.18.0 - October 15, 2025

hashtag
New Features

  • NetObserv SNMP Trap - Added support for rules that handle traps where the enterprise of the trap is unsupported by any other rules.

  • NetObserv SNMP Trap - Added bloblang functions snmp_int_display_hint() and snmp_octet_display_hint() for transforming raw integer-based and OCTET STRING-based varbind values, respectively.

hashtag
Updates

  • SNMP Trap Rules - Released snmp v1.18.0arrow-up-right for additional SNMP Trap support. Includes the following:

    • FORTINET-CORE-MIB

    • FORTINET-FORTIANALYZER-MIB

    • FORTINET-FORTIGATE-MIB

    • FORTINET-FORTIMAIL-MIB

    • FORTINET-TRAP-MIB (incl. FORTIOS-300-MIB as both send same enterprise)

    • JUNIPER-DOM-MIB

    • JUNIER-LDP-MIB

    • STORMSHIELD-ALARM-MIB

    • UCD-SNMP-MIB

hashtag
Fixes

  • Elasticsearch Output - Fixed issue where the configuration options for max retries and retry backoff were swapped.

hashtag
Notes

If you are upgrading NetObserv SNMP Trap, you will need to follow the Manual Upgrade Steps for SNMP definition filesarrow-up-right.

hashtag
7.17.0 - October 2, 2025

hashtag
New Features

  • NetObserv SNMP - Availability checks have been updated to include the round-trip latency between the collector and the device. Additionally availability testing is now based on the devices defined in the SNMP configuration definitions, instead of the devices which have been successfuly polled during object discovery. This ensures that devices that are down during object discovery will still be polled with availability checks.

  • NetObserv SNMP - When polling the IF-MIB:ifEntry SNMP definition, the collector will now calculate the bandwidth utilization of the network interface and add this to the records. These fields are netif.bandwidth.util.in, netif.bandwidth.util.out and netif.bandwidth.util.total and contain a 0-100 percentage value as a 64-bit floating point number.

hashtag
Updates

  • Kafka Output - Flush-related configuration options have been adjusted for better throughput. The minimum allowed value of these options has been decreased to 0 (unlimited) for improved configuration flexibility.

  • SNMP Trap Rules - Released snmp v1.16.0arrow-up-right for additional SNMP Trap support.

hashtag
Notes

If you are upgrading NetObserv SNMP Trap, you will need to follow the manual upgrade steps to ensure that the additional SNMP Trap support is included.

hashtag
7.16.0 - September 25, 2025

hashtag
New Features

  • Metadata Enrichment - Added a REST/gRPC/connectrpc API for managing user-defined metadataarrow-up-right. See the API specarrow-up-right for more details. This feature is disabled by default and can be enabled by setting the following configuration: EF_PROCESSOR_ENRICH_IPADDR_METADATA_ENABLE.

hashtag
Updates

hashtag
Fixes

  • SNMP Device Autodiscovery - Fixed a data race condition.

hashtag
Notes

If you are upgrading NetObserv SNMP, you will need to follow the Manual Upgrade Steps for SNMP definition files.

hashtag
7.15.0 - September 18, 2025

hashtag
Updates

  • SNMP Trap Collector - Added custom Bloblang functions for extracting SNMP fields from traps (see all custom functions here).

hashtag
Fixes

  • SNMP Trap Collector - Fixed an issue where non-YAML files were being processed during definition validation.

hashtag
7.14.1 - September 11, 2025

hashtag
Fixes

  • SNMP Device Autodiscovery - Fixed an issue where the discovery process panics when a device is missing the sysObjectID.

hashtag
7.14.0 - September 4, 2025

hashtag
New Features

  • NetObserv Flow - Some flow sources will use the source or destination layer-4 port IEs to carry the combined ICMP Type/Code value when the layer-4 protocol is ICMP or IPv6-ICMP. If the flow records for ICMP traffic do not otherwise contain the ICMP Type and Code directly, the layer-4 source and destination ports will be checked to see if they contain these values.

  • SNMP Definitions - Released snmp v1.14.0arrow-up-right to add additional MIB support: Bluecat, Digi, and Ubiquiti.

hashtag
Fixes

  • SNMP Device Autodiscovery - Fixed an issue where devices with more than one IP address associated with it were discovered multiple times.

  • /livez - Fixed /livez status API for all NetObserv products. It will correctly return 200 when the process starts

  • /readyz - Fixed /readyz status API for all NetObserv products. It will correctly return 200 when the process is ready to receive input, and it will remain 200 thereafter.

hashtag
Notes

If you are upgrading NetObserv SNMP, you will need to follow the Manual Upgrade Steps for SNMP definition files.

hashtag
7.13.1 - August 13, 2025

hashtag
Fixes

  • NetObserv SNMP - Improved handling of scenarios where the configured syntax of an object attribute doesn't match the data type of values returned by the device. This avoids possible panic conditions.

hashtag
Security

  • CVE-2025-54801 - Updated github.com/gofiber/fiber/v2 from 2.52.6 to 2.52.9.

  • CVE-2025-22868 - Updated golang.org/x/oauth2 from 0.25.0 to 0.27.0.

  • CVE-2025-8556 - Updated github.com/cloudflare/circl from 1.3.9 to 1.6.1.

hashtag
7.13.0 - August 6, 2025

hashtag
New Features

  • NetObserv SNMP TSDS Support - NetObserv SNMP's Elasticsearch output now supports TSDS. See TSDS configuration docs for more details.

hashtag
Fixes

  • NetObserv Flow - IP enrichment will now ignore empty IP addresses (0.0.0.0 and ::) instead of outputting incorrect values.

hashtag
7.12.0 - July 25, 2025

hashtag
New Features

  • SNMP Device Autodiscovery (TECHNOLOGY PREVIEW) - Added device autodiscovery feature. You can view more info in our Autodiscovery for Devices guide

  • Storage Optimization - Added storage optimization support for NetObserv SNMP when using Elasticsearch or OpenSearch outputs. This feature is enabled by default and can be toggled using the following configurations: EF_OUTPUT_ELASTICSEARCH_STORAGE_OPTIMIZATION_ENABLE and EF_OUTPUT_OPENSEARCH_STORAGE_OPTIMIZATION_ENABLE. See this guide for more information on how to set up storage optimization.

hashtag
Updates

  • AWS VPC Flow Logs - Added AWS VPC Flow Log support to include all flow records through v8.

hashtag
Fixes

  • SNMP Definitions - Released snmp v1.12.0arrow-up-right to add definition validation via the make validate command.

  • NetObserv Flow - Updated the default value for EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_AS_PREFIX_PRECISION previously this was set to all, which allowed for all AS summary routes to be added during enrichment. The new default value is exact, which only adds the most specific AS summary route for each IP address. This change improves performance and reduces the size of the enriched data. If you want to revert to the previous behavior, you can set EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_AS_PREFIX_PRECISION to all.

hashtag
Notes

If you are upgrading NetObserv SNMP, you will need to follow the Manual Upgrade Steps for SNMP definition files.

hashtag
7.11.1 - June 12, 2025

hashtag
Fixes

  • Kafka Output - Fixed an issue where the collector would fail to send records to a Kafka output that has mTLS authentication enabled.

hashtag
7.11.0 - June 10, 2025

hashtag
New Features

  • Storage Optimization - Added support for a new storage optimization and query performance improvement feature for Elasticsearch and OpenSearch outputs when running the NetObserv Flow. This feature is enabled by default and can be toggled using the following configurations: EF_OUTPUT_ELASTICSEARCH_STORAGE_OPTIMIZATION_ENABLE and EF_OUTPUT_OPENSEARCH_STORAGE_OPTIMIZATION_ENABLE. See this guide for more information on how to set up storage optimization.

hashtag
Updates

  • NetObserv SNMP - Added support for processing object indexes that may have Route Distinguisher (RD) information prefixed to an IPv4 or IPv6 address. This update adds IpAddressRoutePrefix as a supported syntax in the SNMP object definition.

  • NetObserv Flow - Updated support for the Pensando DPU to include the latest IEs.

  • NetObserv Flow - Enhanced the tcpOptions (IE 209) translator to handle encoding for both RFC 1502 and RFC Errata 2946.

  • Elasticsearch/OpenSearch Output - Updated the default value for index refresh interval to 20s (see the EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL and EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL configurations). This update improves the efficiency of the index refresh process with the new storage optimization feature.

  • OpenSearch Output - Updated the default value for index period to rollover (see the EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_PERIOD configuration). This update aligns the index period with the default value for Elasticsearch.

  • SNMP Definitions - Released version 1.9 of snmparrow-up-right to support the following object definitions:

    • Cisco UCS

    • Riverbed

    • PowerNet-MIB

    • NETAPP-MIB

    • CISCO-VTP-MIB

    • CloudGenix

    • Isilon

    • Rubrik

    • Pure Storage

    • IETF and Cisco dial control

If you are upgrading NetObserv SNMP, you will need to follow the Manual Upgrade Steps for SNMP definition files.

If you are upgrading NetObserv SNMP Trap, and you also use our Kibana SNMP Trap dashboardarrow-up-right, you will need to reimport the dashboard. You can follow our instructions for dashboard import.

hashtag
Fixes

  • OpenSearch Output - Fixed an issue where the OpenSearch output was not correctly handling the EF_OUTPUT_OPENSEARCH_INDEX_SUFFIX configuration, which would lead to incorrect index template naming.

  • NetObserv Flow - Fixed an issue with the flow throttler (that limits flows per second to the licensed maximum) using too much CPU when you exceed your licensed maximum while in recovery mode after a burst.

hashtag
7.10.3 - May 16, 2025

hashtag
Fixes

  • TSDS - Fixed an issue where non TSDS indexes were being created when TSDS was enabled for Elasticsearch.

  • Elasticsearch Output - The configuration EF_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX no longer breaks rollovers in Elasticsearch.

    • NOTICE: if you have some NetObserv instances that use a suffix and some that do not, you might have to set EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_OVERWRITE to 'true' when upgrading NetObserv to guarantee that the bugfix takes effect.

    • If you use EF_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX, any index templates NetObserv creates now will now have a priority of 101.

  • SNMP Definitions - Released version 1.8 of snmp definition filesarrow-up-right.

    • Added support for Cisco SIP MIBs.

    • Added support for Netscaler MIBs.

If you are upgrading NetObserv SNMP or NetObserv SNMP Trap, you will need to follow the Manual Upgrade Steps for SNMP definition files.

hashtag
Security

  • CVE-2024-40635 - Updated github.com/containerd/containerd from 1.7.18 to 1.7.27.

  • CVE-2025-22869 - Updated golang.org/x/crypto from 0.31.0 to 0.36.0.

  • CVE-2025-22870 - Updated golang.org/x/net from 0.33.0 to 0.38.0.

  • CVE-2025-22872 - Updated golang.org/x/net from 0.33.0 to 0.38.0.

  • CVE-2025-27144 - Updated github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4.

  • CVE-2025-30204 - Updated github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2.

  • CVE-2025-30204 - Updated github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2.

hashtag
7.10.2 - May 2, 2025

hashtag
Fixes

  • SNMP Collector - Fixed an issue where the SNMP Collector used a significant amount of memory when polling a large number of devices.

hashtag
7.10.1 - April 25, 2025

hashtag
Fixes

  • SNMP Trap Device Licensing - Fixed an issue where the SNMP Trap Collector was counting devices by IP and port instead of by IP only. This caused the device count to be higher than expected, potentially leading to licensing issues.

  • SNMP Trap Listener - Fixed an issue where the SNMP Trap Collector was not correctly handling the Agent Address field in the SNMPv1 trap header. This led to incorrect IP addresses being recorded in the trap records.

  • SNMP Definitions - Released version 1.7 of snmparrow-up-right to address the following fixes

    • SNMP - Fixed various dot3Stats OIDs.

    • SNMP Trap - Updated a parsing rule in ciscoConfigManMIBNotifications. A variable binding is optional, but was treated as mandatory.

If you are upgrading NetObserv SNMP or NetObserv SNMP Trap, you will need to follow the Manual Upgrade Steps for SNMP definition files.

hashtag
7.10.0 - April 17, 2025

hashtag
Updates

  • SNMP Polling - Added support for limiting the number of concurrent polls to a device. This can be configured for each device by setting the max_concurrent_polls field in the device definition file to the desired value.

hashtag
Security

  • CWE-25 - Updated filippo.io/age from 1.2.0 to 1.2.1.

hashtag
7.9.0 - March 27, 2025

hashtag
Updates

  • SNMP Polling - Added support for enriching Cisco QoS policy objects with the following fields: ifName, cbQosPolicyMapName, cbQosCMName, and cbQosMatchStmtName. Enable this enrichment by setting the cisco_qos_enabled field to true in the device's definition.

hashtag
Fixes

  • Azure VNet Flow Logs - Fixed an issue where the flow collector would not process Azure flow logs if the user had configured a different Resource Group than the default.

  • Azure VNet Flow Logs - Fixed an issue where Blob events were not being able to be processed by ignoring all events that are not Microsoft.Storage.BlobCreated.

  • SNMP Polling - Fixed an issue where Error Index was not being interpreted correctly as a 1-based index.

hashtag
7.8.0 - March 12, 2025

hashtag
New Features

  • Azure VNet Flow Logs - Added support for collecting VNet flow logs from Azure. See configuration guide for more details.

hashtag
Updates

  • Autonomous System Enrichment - Added further Autonomous system (AS) field indexing and the EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_AS_PREFIX_PRECISION configuration to allow greater enrichment controls.

  • NetIntel Enrichment - Updated NetObserv flow to download a compressed version of the NetIntel database for greater efficiency.

  • Public GPG Key Update - ElastiFlow's public GPG key has been replaced, using SHA‑256 instead of SHA‑1. Existing installations remain compatible, but users in environments that disable SHA‑1 (e.g., FIPS environments or Rocky 9 installations) should reimport the new key to enable support for the updated algorithm. To reimport the new key, follow the same steps as before provided in the installation documentation.

hashtag
7.7.2 - February 18, 2025

hashtag
Fixes

  • SNMP Collector - Fixed an issue where the SNMP collector would panic when polling objects with ObjectIdentifier syntaxes.

hashtag
7.7.1 - February 14, 2025

hashtag
Updates

  • AWS VPC Flow Logs via AWS Firehose - Added a new configuration, EF_AWS_VPC_FLOW_LOG_FIREHOSE_HTTP_PORT, to customize the HTTP port that the flow collector listens on for incoming flow logs from Amazon Firehose.

hashtag
Fixes

  • Flow Collector - Fixed an issue where path and telemetry indices were not being created correctly when TSDS was enabled for Elasticsearch.

  • Splunk Output - Fixed an issue where the EF_OUTPUT_SPLUNK_HEC_CIM_ENABLE configuration was not being respected and Splunk CIM fields were not used.

  • Flow Collector - Fixed an issue where flows were not being enriched correctly with AS fields.

hashtag
Security

  • CVE-2022-28948 - Updated gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0.

  • CVE-2023-48795 - Updated golang.org/x/crypto from 0.11.0 to 0.31.0.

  • CVE-2024-45337 - Updated golang.org/x/crypto from 0.11.0 to 0.31.0.

  • CVE-2023-3978 - Updated golang.org/x/net from 0.12.0 to 0.33.0.

  • CVE-2023-39325 - Updated golang.org/x/net from 0.12.0 to 0.33.0.

  • CVE-2023-44487 - Updated golang.org/x/net from 0.12.0 to 0.33.0.

  • CVE-2023-45288 - Updated golang.org/x/net from 0.12.0 to 0.33.0.

  • CVE-2024-45338 - Updated golang.org/x/net from 0.12.0 to 0.33.0.

hashtag
7.7.0 - February 3, 2025

hashtag
New Features

  • NetObserv SNMP Trap Collector - Added a new SNMP Trap Collector to the NetObserv suite. The SNMP Trap Collector is a turnkey solution for collecting, processing, and enriching SNMP traps from network devices. For more information, see the SNMP Trap Collector Introduction.

hashtag
Updates

  • Maxmind Enrichment - Improved the performance of Maxmind GeoIP and ASN enrichment.

  • TSDS - Added metric support for TSDS data streams in Elasticsearch outputs. To enable sending metrics to TSDS data streams ensure EF_OUTPUT_ELASTICSEARCH_TSDS_ENABLE is set to true and EF_OUTPUT_ELASTICSEARCH_ALLOWED_RECORD_TYPES includes metric.

hashtag
7.6.0 - January 21, 2025

hashtag
Updates

  • License - Added the following license related configurations:

    • EF_LICENSE_KEY (replaces EF_FLOW_LICENSE_KEY and EF_SNMP_LICENSE_KEY, marked for deprecation).

    • EF_LICENSE_FLOW_RECORDS_PER_SECOND (replaces EF_FLOW_LICENSED_UNITS, marked for deprecation).

    • EF_LICENSE_TELEMETRY_HOSTS.

  • Flow Collector Metrics - Added a new informational metric to the flow collector to provide clarity on the maximum flow records per second that the collector is provisioned for according to the license: license_flow_records_per_second.

  • SNMP Collector Metrics - Added two new informational metrics to the SNMP collector to provide clarity on the maximum number of SNMP devices and objects that can be polled according to the license: license_telemetry_hosts and license_telemetry_objects.

  • Metrics - Renamed the license_units metric to license_info to better reflect the information it provides: license_info.

  • Outputs - Introduced the following configurations for Splunk, Cribl, and generic http outputs to control which record types are sent to stdout. Supported values include: as_path_hop, flow_option, flow, ifa_hop, telemetry, metric, and log. If left empty, all record types will be sent to the output.

hashtag
Fixes

  • RPM and FIPs - RPM package for NetObserv will now work correctly on FIPs compliant RHEL machines.

  • sFlow - Fixed an issue that could cause fields to not be successfully parsed from an sFlow sampled_header depending on where the packet sample was truncated.

  • SNMP Poller - Fixed an issue where collectors would start without users accepting our license agreement. When you upgrade and have not accepted the license agreement, you may encounter the following error:

    To resolve this, ensure EF_LICENSE_ACCEPTED is set to true in your configuration.

hashtag
7.5.3 - December 4, 2024

hashtag
Fixes

  • Metrics collection - Reduced log level from error to debug if NetObserv can't access system metrics like CPU or available hard drive space.

  • SNMP poller panic - Fixed a bug that had SNMP poller stop working when some SNMPv2 devices sent their DisplayString in an unexpected format.

  • API_IP configuration - Fixed a bug where NetObserv was still listening on all interfaces even though a specific IP address is set in the EF_API_IP configuration.

  • Container - Flow Collector container no longer requires mounting /var/lib/elastiflow/flowcoll just to run.

hashtag
7.5.2 - November 22, 2024

hashtag
Updates

  • AWS VPC Flow Logs - Added AWS VPC Flow Log support to include all flow records through v7.

hashtag
Fixes

  • SNMP Enrichment - Fixed an issue where the Flow Collector could fail to enrich flow records with SNMP data from SNMPv3 devices.

  • NetIntel - Fixed an issue where downloading the NetIntel dataset could fail due to insufficient timeout.

hashtag
7.5.1 - November 15, 2024

hashtag
Fixes

  • Metrics - Fixed an issue where duplicate metric registration can cause a panic in the NetObserv Flow collector.

hashtag
7.5.0 - November 8, 2024

hashtag
Updates

  • Docker Installation - Added a new volume mount point to support data persistence for Docker installations. This enables the NetObserv Flow Collector to retain data across container restarts. For more information, see the Upgrade to 7.5 guide.

  • Sample Rate - Added support for calculating flow sample rate from sampling packet interval and space found in an option record.

  • Flow Data Path - Added a new configuration, EF_FLOW_DATA_PATH, to specify the path where NetObserv Flow will store data files that need to be persisted between runs.

  • Autonomous System Enrichment - Added support enriching Autonomous System data from the NetIntel dataset.

hashtag
Fixes

  • Metadata Enrichment - Fixed an issue where flows were not being consistently enriched with metadata associated to the most specific IP CIDR or range.

  • Support Bundle - Fixed an issue where the original file modification date was not preserved when creating support bundles.

  • Versa AppID - Fixed an issue where application information from Versa devices were not enriched correctly.

hashtag
7.4.0 - October 25, 2024

hashtag
Updates

  • Sample Rate - Added IP CIDR and range support for user-defined sample rates.

  • Metrics - Added system-level and process-level Prometheus metrics for memory, CPU, and disk usage.

  • CLI Tool - Allow netobserv commands to read license parameters from the configuration file.

  • stdout Output - Introduced a new configuration, EF_OUTPUT_STDOUT_ALLOWED_RECORD_TYPES, to control which record types are sent to stdout. Supported values include: as_path_hop, flow_option, flow, ifa_hop, telemetry, and metric. If left empty, all types will be allowed by default.

hashtag
Fixes

  • SNMP Enrichment - Fixed a panic condition that could occur when enriching flows with SNMP data.

  • Fixed an issue where logs were dropped when the app panics and restarts.

hashtag
7.3.2 - October 11, 2024

hashtag
Updates

  • Extended field support - Added support for NetQuest JA4 IPFIX records

hashtag
7.3.1 - October 1, 2024

hashtag
Fixes

  • AS Enrichment - Fixed potential panic if Autonomous System data was enriched as an array instead of single value.

hashtag
7.3.0 - September 24, 2024

hashtag
Updates

  • Packet Parser - Flow Collector: Improved Infiniband support to handle additional OpCodes.

hashtag
Fixes

  • Packet Parser - Flow Collector: Fixed an issue that cause Infiniband-related boolean values to be indexed incorrectly.

  • sFlow - Flow Collector: system.ip.addr not set correctly for sFlow records.

  • Elasticsearch Output - SNMP Collector: Auto-generated component template now has the correct "version" value.

  • Logging - The warning for RiskIQ-related environment variable no longer triggers for non-ElastiFlow RiskIQ environment variables.

hashtag
7.2.2 - September 6, 2024

hashtag
Fixes

  • Fixed a panic condition that could happen if IPFIX or sFlow packets contained incorrect payload length values.

hashtag
7.2.1 - August 21, 2024

hashtag
Fixes

  • Output - Fixed a race condition which would cause a concurrent map write issue and stop the collector when there was high throughput.

hashtag
7.2.0 - August 16, 2024

hashtag
New Features

  • Metrics - Added new functionality to gather and send all Prometheus metrics to outputs. This feature can be enabled by adding metric to EF_OUTPUT_ELASTICSEARCH_ALLOWED_RECORD_TYPES, EF_OUTPUT_OPENSEARCH_ALLOWED_RECORD_TYPES, or EF_OUTPUT_KAFKA_ALLOWED_RECORD_TYPES.

  • RoCEv2 support (TECHNOLOGY PREVIEW) - Added support for ingesting RoCEv2 flow data.

hashtag
Updates

  • Metrics - Added a record_type label to output metrics in order to provide more granularity into the records being pushed to downstream outputs.

  • Docker Container - Upgraded base image to ubuntu:24.04.

hashtag
Fixes

  • Docker Container - The Docker container now includes default configuration files and directories.

  • Fixed an issue where inconsistent attribute tagging occurred in flow records when using nested rules in the EF_PROCESSOR_ENRICH_IPADDR_METADATA_USERDEF_PATH file.

  • Fixed an issue where sFlow counter records were processed despite EF_PROCESSOR_DECODE_SFLOW_COUNTERS_ENABLE being set to false.

  • Fixed an issue where sFlow counter records were returning a sample type not supported error for valid counter samples when EF_PROCESSOR_DECODE_SFLOW_COUNTERS_ENABLE was being set to false.

  • Fixed an issue where proxy settings within NetObserv were not applied correctly, resulting in failed downloads of the NetIntel data set for flow enrichment when a proxy is being used.

hashtag
7.1.2 - August 8, 2024

hashtag
Fixes

  • Fixed an issue where all data was being written to one TSDS datastream when TSDS is enabled for Elasticsearch.

  • Fixed an issue where the SNMP poller ignores EF_INPUT_SNMP_POLLER_ERROR_HANDLING and stops object polling when a device returns an empty object.

hashtag
7.1.1 - July 17, 2024

hashtag
Fixes

  • Fixed an issue where NetIntel environment variables were not being passed down correctly.

hashtag
7.1.0 - July 16, 2024

hashtag
New Features

  • NetIntel dataset for air-gapped environments - A new cli tool to download the NetIntel dataset for use in air-gapped environments is available for download.

  • SNMP Device File Encryption - Added support for encrypting SNMP device files. This will protect device file credentials using age encryption while offering a secure user-friendly interface for managing said files. For more information about configuring this, please see Device File Encryption.

hashtag
Updates

  • NetObserv Flow Logging - Improved log message for when a IPFIX or NetFlow9 template is not found.

  • NetObserv SNMP Metrics - New Prometheus metrics provide deeper insight into internal collector processes (SNMP metrics).

hashtag
Fixes

  • Fixed an issue where the same reference of a record could be mutated by multiple namespaced outputs.

hashtag
7.0.2 - June 28, 2024

hashtag
Fixes

  • Fixed an issue where the flow collector would not start if port 443 was blocked, even if the Amazon Firehose HTTP Endpoint was not enabled.

hashtag
7.0.1 - June 21, 2024

hashtag
New Features

  • AWS VPC Flow Logs via AWS Firehose - A new HTTP endpoint has been added to collect VPC flow logs directly from Amazon Firehose. For more information about configuring this, please see AWS Firehose Input.

  • NetObserv SNMP Device Status - The availability of devices is evaluated based on the combination of ICMP and SNMP reachability. A new field, system.avail.state.name, has been added which indicates the result of this evaluation.

hashtag
Updates

  • Community License - The Community tier license now supports application identifies provided in the flow records from devices with such capabilities.

hashtag
Fixes

  • The SNMP Definitions tar file is no longer truncated. This addresses the enum error occurring when EF_INPUT_SNMP_PERSIST_ENABLE is set to true.

  • A panic condition has been fixed, which occurred when devices had been removed from the configuration definitions and /snmp/apply-definitions was called.

  • A panic condition has been fixed, which occurred when devices reported an unsigned integer value instead of the expected signed integer for certain SNMP data types.

hashtag
Security

  • Security Upgrade - Updated libc from 5.15.0-107.117 to 5.15.0-112.122 to patch "High" CVEs.

hashtag
7.0.0 - June 4, 2024

hashtag
Breaking Changes

  • RiskIQ EOL - Since RiskIQ will reach its end-of-life on June 30th 2024, NetObserv v7 will no longer support threat enrichment through RiskIQ. NetIntel threat enrichment will replace RiskIQ and is enabled by default.

  • Licensing - The NetObserv Basic License now supports all 7400+ vendor specific flow fields (previously only supported 1020 fields). The Community License now supports 500 flow records/second per organization. If you are using a Community License and need a higher flow rate, please use this formarrow-up-right to sign up for a free 1-year Basic License.

  • AWS VPC Flow logs - To set us up to deliver more flexible ways to retrieve flow logs (e.g. through Firehose) we needed to make some changes to the config fields for AWS VPC flow log enrichment. You need to change your configuration options to the new format to ensure you continue to receive VPC flow logs.

hashtag
New Features

  • NetIntel Threat Intelligence - NetObserv now uses ElastiFlow NetIntel for populating the information on the IP Reputation dashboard.

  • NetIntel Online Application and Cloud Service Identity - NetObserv now uses ElastiFlow NetIntel to enrich public IP addresses with online application and Cloud Service Identity information on the Top-N -> Apps dashboard.

  • AWS VPC Flow Logs - Added support for S3 buckets using data sent from Amazon Firehose, as well as custom log formats when using Firehose data. For more information about configuring this, please see AWS VPC Flow logs.

  • User-defined mapping for IPs used for SNMP polling - Allows users to poll SNMP info for a device on a different IP address than it sends flow records from.

hashtag
Updates

  • Product Naming - The ElastiFlow Unified Flow Collector is now called NetObserv Flow

  • Product Naming - The ElastiFlow Unified SNMP Collector is now called NetObserv SNMP

  • Product Naming - For anything that applies to both flow and snmp, we will simply refer to NetObserv

PreviousElastiFlow DocumentationNextNetObserv Flow

Last updated

Was this helpful?