# Changelog

## 7.25.0 - May 7, 2026

#### Features

* **Elasticsearch Output** - Added `ignore_malformed` to index templates for TSDS output.

#### Fixes

* **NetObserv Flow** - Fixed sample rate determination for all scenarios.
* **Elasticsearch Output** - Logs an additional error when the bulk API returns 200 but the response payload contains an error.

## 7.24.0 - Apr 28, 2026

#### Features

* **NetObserv Flow** - Added 'contexts' support to the user-defined metadata feature ([User-Defined Metadata (UDM) for Addresses](/flowcoll/configuration/enrichment-options/ip-address-enrichment/enrich_ip_udm.md)). You can now configure NetObserv Flow, for example, to add some enrichment only to the 'exporter' fields.

#### Fixes

* **NetObserv Flow** - improved error logging for Azure VNET input.

## 7.23.0 - Apr 17, 2026

#### Features

* **NetObserv Flow** - packet parser supports ERSPAN headers.
* **NetObserv Flow** - supports latest Calix information elements.

#### Fixes

* **NetObserv SNMP** - fixed IP metadata enrichment.

## 7.22.0 - Mar 20, 2026

{% hint style="info" %}
NetObserv SNMP changed and improved how polling intervals work. The new `poll_intervals` configuration option will override `poll_interval`.

If you have customized any `snmp` definition files, you should consider updating them to include the new `type` object attribute.
{% endhint %}

#### Features

* **NetObserv SNMP: Smart Object Polling** - NetObserv SNMP allows collection to be fine-tuned by setting polling intervals for different types of SNMP objects. Instead of using the same polling interval for all SNMP objects, NetObserv can poll less frequently for object types that do not change as frequently.
  * See the configuration documentation for more details: <https://docs.elastiflow.com/snmpcoll/configuration/def_devices#poll_interval-optional>
  * No action should be required. Starting with `7.22.0`, NetObserv will automatically use the smarter polling defaults.
* **NetObserv (All) -** New fields added: `collector.host.name` and `collector.ip.addr`.
  * `collector.host.name` is the hostname of the system running the NetObserv collector.
  * `collector.ip.addr` is the IP address of the system running the NetObserv collector. For systems with multiple IP addresses, it will be the IP of the interface through which the system reaches its default gateway.
* **NetObserv SNMP -** Added additional SNMP MIB support: <https://github.com/elastiflow/snmp/releases/tag/v1.23.0>

#### Fixes

* **NetObserv Flow -** NetIntel enrichment no longer overrides `app.name`, `app.category.name`, and `app.subcategory.name` when those fields are already set from the received flow records.
* **NetObserv SNMP -** Fixed an issue where "degraded" device status checks did not always work. Also added error and warning logs so that any underlying errors (such as socket permission errors) are displayed in logs for troubleshooting.
  * This issue was resolved by adding the CAP\_NET\_RAW permission to the service file. NetObserv SNMP must have permission to create/send ping requests to detect 'degraded' status. In some Linux distributions, that permission is not automatic. CAP\_NET\_RAW grants the process the capability to use RAW and PACKET sockets and to bind to any address for transparent proxying.
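
To confirm that a running collector actually holds CAP\_NET\_RAW after this change, and nothing broader, the following added example (not ElastiFlow's code) decodes the capability masks found in `/proc/<pid>/status`. The process name `snmpcoll`, the sample status text and the systemd directive named in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not ElastiFlow code): check which capabilities a collector
# process holds. CAP_NET_RAW is capability number 13 in linux/capability.h,
# i.e. bit 13 (mask 0x2000) of the hex masks in /proc/<pid>/status.
#
# Assumption: the service file grants the capability with a systemd directive
# such as AmbientCapabilities=CAP_NET_RAW; the changelog does not show it.

CAP_NET_RAW_BIT=13

# Constructed sample of /proc/<pid>/status for a process that was granted
# only CAP_NET_RAW. The process name "snmpcoll" is an assumption.
SAMPLE_STATUS='Name:   snmpcoll
CapInh: 0000000000000000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 0000000000002000
CapAmb: 0000000000002000'

# capmask_from_status FIELD
# Reads /proc/<pid>/status text on stdin and prints the hex mask for FIELD
# (CapEff, CapPrm, CapBnd, ...). Prints nothing if the field is absent.
capmask_from_status() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# has_cap HEXMASK BIT
# Succeeds when capability number BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# only_cap HEXMASK BIT
# Succeeds when BIT is the only capability set (least privilege).
only_cap() {
    [ $(( 0x$1 )) -eq $(( 1 << $2 )) ]
}

# check_net_raw
# Reads /proc/<pid>/status text on stdin and prints one verdict:
#   unknown     no CapEff line found
#   missing     CAP_NET_RAW not effective, ping-based checks cannot open a socket
#   ok-minimal  CAP_NET_RAW is the only effective capability
#   ok-broad    CAP_NET_RAW is present together with other capabilities
check_net_raw() {
    mask=$(capmask_from_status CapEff)
    if [ -z "$mask" ]; then
        echo "unknown"
    elif ! has_cap "$mask" "$CAP_NET_RAW_BIT"; then
        echo "missing"
    elif only_cap "$mask" "$CAP_NET_RAW_BIT"; then
        echo "ok-minimal"
    else
        echo "ok-broad"
    fi
}

# Run against the constructed sample. For a live process, replace the input
# with:  check_net_raw < /proc/<pid>/status
printf '%s\n' "$SAMPLE_STATUS" | check_net_raw
```

An `ok-broad` verdict is worth investigating: the fix described above needs only CAP\_NET\_RAW, so additional effective capabilities usually mean the service runs as root or with a wider grant than required.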

## 7.21.4 - Mar 13, 2026

#### Features

* **NetObserv Flow -** Added support for additional IPFIX information elements.

## 7.21.3 - Mar 13, 2026

#### Fixes

* **OTel Trace Input -** Fixed the `flow.direction.id` and `flow.direction.name` fields to be correct.

## 7.21.2 - Mar 12, 2026

#### Fixes

* **Azure VNet Input -** Export type labels for Azure VNet Logs are now correctly set, resolving an issue where the "Flow Records" dashboard failed to render the flow record source for this input.
* **OTel Trace Input -** Spans received by the OTel Trace Input are now attributed with an export type of "OTel Flow Span", resolving an issue where the "Flow Records" dashboard failed to render the flow record source for this input.
* **OTel Trace Input -** Host metadata is now resolved from OTLP resource attributes for records sourced by the OTel Trace Input, fixing a number of display issues across several dashboards when viewing these records.

## 7.21.1 - Feb 9, 2026

#### Fixes

* **OTLP Input -** Resolved an issue where the readiness endpoint would incorrectly report a failure when the OTLP input was enabled.

## 7.21.0 - Feb 3, 2026

{% hint style="warning" %}

#### Warning

If you use the [namespace ability in your configuration](https://docs.elastiflow.com/flowcoll/configuration/outputs#namespace-configuration), you can no longer use namespaced output instances *and* non-namespaced output instances at the same time. For example, if you are using the Elasticsearch output and you have a configuration that looks like this:

```
EF_OUTPUT_ELASTICSEARCH_ENABLE=true # global configuration
EF_NAMESPACE1_OUTPUT_ELASTICSEARCH_ENABLE=true # namespace configuration
```

NetObserv will throw an error now. Previously there was a bug that allowed this invalid configuration.
{% endhint %}

#### Features

* **NetObserv Configuration -** You can now encrypt some NetObserv configuration files on disk; for full details see [Encrypting Configuration Files](/flowcoll/configuration/encrypting-configuration-files.md).
* **OTel Trace Input -** Added support for OpenTelemetry Protocol (OTLP) trace ingestion with namespace-based configuration. Supports both gRPC and HTTP ingestion; for full details on configuration see [Trace](/flowcoll/configuration/inputs/otel/trace.md).
* **OTel Trace Output -** Added support for OpenTelemetry Protocol (OTLP) trace exporting with namespace-based configuration. Supports exporting in both gRPC and HTTP formats; for full details on configuration see [Trace](/flowcoll/configuration/inputs/otel/trace.md).
* **NetObserv Flow** **-** added support for deriving flow records from dataLinkFrameSection (IANA IE 315)
* **NetObserv Flow** **-** added support for GENEVE tunnels when parsing sFlow, IFA and dataLinkFrameSection sampled headers.

#### Updates

* **Kafka Output** - corrected a possible deadlock condition when using a TLS connection to brokers.
* **OTLP Output -** some fields (like 'container.name') are replaced with source/destination fields (like 'source.container.name' and 'destination.container.name').

#### Fixes

* **Outputs -** NetObserv will correctly throw an error if you misconfigure namespaces in configuration.
* **NetObserv Flow** **-** Fixed an issue with the caching of some option data templates which could cause a panic in some scenarios.
* **NetObserv Flow -** NetObserv will now ignore extra fields within flow records where the IP address is set to the "zero value" (0.0.0.0 or ::0). Previously it would set an IP address field to the zero address and ignore real values.

## 7.20.0 - December 11, 2025

#### Updates

* **Kafka Output** - Added support for encrypted private keys when using mTLS. See EF\_OUTPUT\_KAFKA\_TLS\_KEY\_PASSPHRASE for usage.
* **SNMP Definitions** - Released [snmp v1.21.0](https://github.com/elastiflow/snmp/releases/tag/v1.21.0) for additional MIB support (PowerNet-MIB::upsAdvTest).

#### Fixes

* **NetObserv Flow** - Fixed a bug where ports 9411 and 9412 were claimed by NetObserv process when they should not have been.

#### Notes

If you are upgrading NetObserv SNMP, you will need to follow the Manual Upgrade Steps for SNMP definition files.

## 7.19.3 - November 21, 2025

#### Updates

* **SNMP Trap Rules** - Released [snmp v1.20.0](https://github.com/elastiflow/snmp/releases/tag/v1.20.0) for additional SNMP Trap support.

#### Fixes

* **SNMP Poll Schedule Persistence** - Fixed an issue where poll schedules were not correctly persisted across collector restarts when persistence was enabled (`EF_INPUT_SNMP_PERSIST_ENABLE=true`).
* **Collector Process Exit** - Fixed an issue where pressing Ctrl+C did not properly exit the NetObserv collector process.

## 7.19.2 - November 6, 2025

#### Fixes

* **OpenSearch Output** - Fixed an issue where unused and unnecessary indices were being created on startup.

## 7.19.1 - November 4, 2025

#### Fixes

* **NetObserv** - Fixed an issue which could prevent NetObserv from booting correctly.
* **OpenSearch Output** - Fixed an issue where retry configuration was not respected.

## 7.19.0 - October 31, 2025

#### Updates

* **SNMP Trap Rules** - Released [snmp v1.19.0](https://github.com/elastiflow/snmp/releases/tag/v1.19.0) for additional SNMP Trap support.

#### Fixes

* **Metadata Enrichment** - Fixed an issue where the API to manage user-defined metadata would panic.

#### Notes

If you are upgrading NetObserv SNMP Trap, you will need to follow the [Manual Upgrade Steps for SNMP definition files.](/additional-resources-reference-articles/faq/def_download.md)

## 7.18.1 - October 17, 2025

#### Fixes

* **OpenSearch Output** - Improved logging. Whenever the username/password is incorrect, you will now see a fuller message saying 'Unauthorized'.

## 7.18.0 - October 15, 2025

#### New Features

* **NetObserv SNMP Trap** - Added support for rules that handle traps where the enterprise of the trap is unsupported by any other rules.
* **NetObserv SNMP Trap** - Added bloblang functions `snmp_int_display_hint()` and `snmp_octet_display_hint()` for transforming raw integer-based and `OCTET STRING`-based varbind values, respectively.

#### Updates

* **SNMP Trap Rules** - Released [snmp v1.18.0](https://github.com/elastiflow/snmp/releases/tag/v1.18.0) for additional SNMP Trap support. Includes the following:
  * FORTINET-CORE-MIB
  * FORTINET-FORTIANALYZER-MIB
  * FORTINET-FORTIGATE-MIB
  * FORTINET-FORTIMAIL-MIB
  * FORTINET-TRAP-MIB (incl. FORTIOS-300-MIB as both send same enterprise)
  * JUNIPER-DOM-MIB
  * JUNIPER-LDP-MIB
  * STORMSHIELD-ALARM-MIB
  * UCD-SNMP-MIB

#### Fixes

* **Elasticsearch Output** - Fixed issue where the configuration options for max retries and retry backoff were swapped.

#### Notes

If you are upgrading NetObserv SNMP Trap, you will need to follow the [Manual Upgrade Steps for SNMP definition files](https://www.elastiflow.com/docs/kb/install/def_download).

## 7.17.0 - October 2, 2025

#### New Features

* **NetObserv SNMP** - Availability checks have been updated to include the round-trip latency between the collector and the device. Additionally, availability testing is now based on the devices defined in the SNMP configuration definitions, instead of the devices which have been successfully polled during object discovery. This ensures that devices that are down during object discovery will still be polled with availability checks.
* **NetObserv SNMP** - When polling the `IF-MIB:ifEntry` SNMP definition, the collector will now calculate the bandwidth utilization of the network interface and add this to the records. These fields are `netif.bandwidth.util.in`, `netif.bandwidth.util.out` and `netif.bandwidth.util.total` and contain a 0-100 percentage value as a 64-bit floating point number.

#### Updates

* **Kafka Output** - Flush-related configuration options have been adjusted for better throughput. The minimum allowed value of these options has been decreased to `0` (unlimited) for improved configuration flexibility.
* **SNMP Trap Rules** - Released [snmp v1.16.0](https://github.com/elastiflow/snmp/releases/tag/v1.16.0) for additional SNMP Trap support.

#### Notes

If you are upgrading NetObserv SNMP Trap, you will need to follow the [manual upgrade steps](/additional-resources-reference-articles/faq/def_download.md) to ensure that the additional SNMP Trap support is included.

## 7.16.0 - September 25, 2025

#### New Features

* **Metadata Enrichment** - Added a REST/gRPC/connectrpc API for managing [user-defined metadata](https://www.elastiflow.com/docs/flowcoll/enrich_ip_udm). See the [API spec](https://www.elastiflow.com/docs/api_ref/enrich_ip_udm_api) for more details. This feature is *disabled* by default and can be enabled by setting the following configuration: EF\_PROCESSOR\_ENRICH\_IPADDR\_METADATA\_ENABLE.

#### Updates

* **Metadata Enrichment** - Improved the performance and scalability of metadata enrichment, allowing for a larger number of [user-defined metadata](https://www.elastiflow.com/docs/flowcoll/enrich_ip_udm).
* **SNMP Definitions** - Released [snmp v1.15.0](https://github.com/elastiflow/snmp/releases/tag/v1.15.0) for additional MIB support.

#### Fixes

* **SNMP Device Autodiscovery** - Fixed a data race condition.

#### Notes

If you are upgrading NetObserv SNMP, you will need to follow the [Manual Upgrade Steps for SNMP definition files](/additional-resources-reference-articles/faq/def_download.md).

## 7.15.0 - September 18, 2025

#### Updates

* **SNMP Trap Collector** - Added custom Bloblang functions for extracting SNMP fields from traps (see all custom functions [here](/trapcoll/configuration/processing-traps.md#custom-functions)).

#### Fixes

* **SNMP Trap Collector** - Fixed an issue where non-YAML files were being processed during definition validation.

## 7.14.1 - September 11, 2025

#### Fixes

* **SNMP Device Autodiscovery** - Fixed an issue where the discovery process panics when a device is missing the `sysObjectID`.

## 7.14.0 - September 4, 2025

#### New Features

* **NetObserv Flow** - Some flow sources will use the source or destination layer-4 port IEs to carry the combined ICMP Type/Code value when the layer-4 protocol is ICMP or IPv6-ICMP. If the flow records for ICMP traffic do not otherwise contain the ICMP Type and Code directly, the layer-4 source and destination ports will be checked to see if they contain these values.
* **SNMP Definitions** - Released [snmp v1.14.0](https://github.com/elastiflow/snmp/releases/tag/v1.14.0) to add additional MIB support: Bluecat, Digi, and Ubiquiti.

#### Fixes

* **SNMP Device Autodiscovery** - Fixed an issue where a device with more than one IP address associated with it was discovered multiple times.
* **/livez** - Fixed /livez status API for all NetObserv products. It will correctly return 200 when the process starts.
* **/readyz** - Fixed /readyz status API for all NetObserv products. It will correctly return 200 when the process is ready to receive input, and it will remain 200 thereafter.

#### Notes

If you are upgrading NetObserv SNMP, you will need to follow the [Manual Upgrade Steps for SNMP definition files](/additional-resources-reference-articles/faq/def_download.md).

## 7.13.1 - August 13, 2025

#### Fixes

* **NetObserv SNMP** - Improved handling of scenarios where the configured `syntax` of an object attribute doesn't match the data type of values returned by the device. This avoids possible panic conditions.

#### Security

* **CVE-2025-54801** - Updated `github.com/gofiber/fiber/v2` from `2.52.6` to `2.52.9`.
* **CVE-2025-22868** - Updated `golang.org/x/oauth2` from `0.25.0` to `0.27.0`.
* **CVE-2025-8556** - Updated `github.com/cloudflare/circl` from `1.3.9` to `1.6.1`.

## 7.13.0 - August 6, 2025

#### New Features

* **NetObserv SNMP TSDS Support** - NetObserv SNMP's Elasticsearch output now supports TSDS. See [TSDS configuration docs](/flowcoll/configuration/outputs/output_elasticsearch/elastic-configuration-options.md) for more details.

#### Fixes

* **NetObserv Flow** - IP enrichment will now ignore empty IP addresses (`0.0.0.0` and `::`) instead of outputting incorrect values.

## 7.12.0 - July 25, 2025

#### New Features

* **SNMP Device Autodiscovery (TECHNOLOGY PREVIEW)** - Added device autodiscovery feature. You can view more info in our [*Autodiscovery for Devices* guide](/snmpcoll/configuration/def_devices/autodiscovery.md).
* **Storage Optimization** - Added storage optimization support for NetObserv SNMP when using Elasticsearch or OpenSearch outputs. This feature is enabled by default and can be toggled using the following configurations: EF\_OUTPUT\_ELASTICSEARCH\_STORAGE\_OPTIMIZATION\_ENABLE and EF\_OUTPUT\_OPENSEARCH\_STORAGE\_OPTIMIZATION\_ENABLE. See [this guide](/additional-resources-reference-articles/faq/storage_optimization.md) for more information on how to set up storage optimization.

#### Updates

* **AWS VPC Flow Logs** - Added AWS VPC Flow Log support to include all flow records through v8.

#### Fixes

* **SNMP Definitions** - Released [snmp v1.12.0](https://github.com/elastiflow/snmp/releases/tag/v1.12.0) to add definition validation via the `make validate` command.
* **NetObserv Flow** - Updated the default value for `EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_AS_PREFIX_PRECISION`. Previously this was set to `all`, which allowed for all AS summary routes to be added during enrichment. The new default value is `exact`, which only adds the most specific AS summary route for each IP address. This change improves performance and reduces the size of the enriched data. If you want to revert to the previous behavior, you can set `EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_AS_PREFIX_PRECISION` to `all`.

#### Notes

If you are upgrading NetObserv SNMP, you will need to follow the [Manual Upgrade Steps for SNMP definition files](/additional-resources-reference-articles/faq/def_download.md).

## 7.11.1 - June 12, 2025

#### Fixes

* **Kafka Output** - Fixed an issue where the collector would fail to send records to a Kafka output that has mTLS authentication enabled.

## 7.11.0 - June 10, 2025

#### New Features

* **Storage Optimization** - Added support for a new storage optimization and query performance improvement feature for Elasticsearch and OpenSearch outputs when running the **NetObserv Flow**. This feature is enabled by default and can be toggled using the following configurations: EF\_OUTPUT\_ELASTICSEARCH\_STORAGE\_OPTIMIZATION\_ENABLE and EF\_OUTPUT\_OPENSEARCH\_STORAGE\_OPTIMIZATION\_ENABLE. See [this guide](/additional-resources-reference-articles/faq/storage_optimization.md) for more information on how to set up storage optimization.

#### Updates

* **NetObserv SNMP** - Added support for processing object indexes that may have Route Distinguisher (RD) information prefixed to an IPv4 or IPv6 address. This update adds `IpAddressRoutePrefix` as a [supported syntax](/snmpcoll/configuration/snmp-definition-files/def_objects.md#snmpv2-smi-rfc-2578-types) in the SNMP object definition.
* **NetObserv Flow** - Updated support for the Pensando DPU to include the latest IEs.
* **NetObserv Flow** - Enhanced the `tcpOptions` (IE 209) translator to handle encoding for both RFC 1502 and RFC Errata 2946.
* **Elasticsearch/OpenSearch Output** - Updated the default value for index refresh interval to `20s` (see the EF\_OUTPUT\_OPENSEARCH\_INDEX\_TEMPLATE\_REFRESH\_INTERVAL and EF\_OUTPUT\_ELASTICSEARCH\_INDEX\_TEMPLATE\_REFRESH\_INTERVAL configurations). This update improves the efficiency of the index refresh process with the new storage optimization feature.
* **OpenSearch Output** - Updated the default value for index period to `rollover` (see the EF\_OUTPUT\_OPENSEARCH\_INDEX\_TEMPLATE\_PERIOD configuration). This update aligns the index period with the default value for Elasticsearch.
* **SNMP Definitions** - Released version 1.9 of [snmp](https://github.com/elastiflow/snmp) to support the following object definitions:
  * Cisco UCS
  * Riverbed
  * PowerNet-MIB
  * NETAPP-MIB
  * CISCO-VTP-MIB
  * CloudGenix
  * Isilon
  * Rubrik
  * Pure Storage
  * IETF and Cisco dial control

If you are upgrading NetObserv SNMP, you will need to follow the [Manual Upgrade Steps for SNMP definition files](/additional-resources-reference-articles/faq/def_download.md).

If you are upgrading NetObserv SNMP Trap, and you also use our [Kibana SNMP Trap dashboard](https://raw.githubusercontent.com/elastiflow/elastiflow_for_elasticsearch/refs/heads/master/kibana/snmp_traps/kibana-8.14.x-snmp-traps-codex.ndjson), you will need to reimport the dashboard. You can follow our instructions for [dashboard import.](/trapcoll/configuration/outputs/output_elasticsearch.md)

#### Fixes

* **OpenSearch Output** - Fixed an issue where the OpenSearch output was not correctly handling the EF\_OUTPUT\_OPENSEARCH\_INDEX\_SUFFIX configuration, which would lead to incorrect index template naming.
* **NetObserv Flow** - Fixed an issue with the flow throttler (that limits flows per second to the licensed maximum) using too much CPU when you exceed your licensed maximum while in recovery mode after a burst.

## 7.10.3 - May 16, 2025

#### Fixes

* **TSDS** - Fixed an issue where non TSDS indexes were being created when TSDS was enabled for Elasticsearch.
* **Elasticsearch Output** - The configuration EF\_OUTPUT\_ELASTICSEARCH\_INDEX\_SUFFIX no longer breaks rollovers in Elasticsearch.
  * NOTICE: if you have some NetObserv instances that use a suffix *and* some that do not, you might have to set EF\_OUTPUT\_ELASTICSEARCH\_INDEX\_TEMPLATE\_OVERWRITE to 'true' when upgrading NetObserv to guarantee that the bugfix takes effect.
  * If you use `EF_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX`, any index templates NetObserv creates will now have a priority of 101.
* **SNMP Definitions** - Released version 1.8 of [snmp definition files](https://github.com/elastiflow/snmp).
  * Added support for Cisco SIP MIBs.
  * Added support for Netscaler MIBs.

If you are upgrading NetObserv SNMP or NetObserv SNMP Trap, you will need to follow the [Manual Upgrade Steps for SNMP definition files](/additional-resources-reference-articles/faq/def_download.md).

#### Security

* **CVE-2024-40635** - Updated `github.com/containerd/containerd` from `1.7.18` to `1.7.27`.
* **CVE-2025-22869** - Updated `golang.org/x/crypto` from `0.31.0` to `0.36.0`.
* **CVE-2025-22870** - Updated `golang.org/x/net` from `0.33.0` to `0.38.0`.
* **CVE-2025-22872** - Updated `golang.org/x/net` from `0.33.0` to `0.38.0`.
* **CVE-2025-27144** - Updated `github.com/go-jose/go-jose/v3` from `3.0.3` to `3.0.4`.
* **CVE-2025-30204** - Updated `github.com/golang-jwt/jwt/v4` from `4.5.1` to `4.5.2`.
* **CVE-2025-30204** - Updated `github.com/golang-jwt/jwt/v5` from `5.2.1` to `5.2.2`.

## 7.10.2 - May 2, 2025

#### Fixes

* **SNMP Collector** - Fixed an issue where the SNMP Collector used a significant amount of memory when polling a large number of devices.

## 7.10.1 - April 25, 2025

#### Fixes

* **SNMP Trap Device Licensing** - Fixed an issue where the SNMP Trap Collector was counting devices by IP and port instead of by IP only. This caused the device count to be higher than expected, potentially leading to licensing issues.
* **SNMP Trap Listener** - Fixed an issue where the SNMP Trap Collector was not correctly handling the Agent Address field in the SNMPv1 trap header. This led to incorrect IP addresses being recorded in the trap records.
* **SNMP Definitions** - Released version 1.7 of [snmp](https://github.com/elastiflow/snmp) to address the following fixes:
  * **SNMP** - Fixed various `dot3Stats` OIDs.
  * **SNMP Trap** - Updated a parsing rule in `ciscoConfigManMIBNotifications`. A variable binding is optional, but was treated as mandatory.

If you are upgrading NetObserv SNMP or NetObserv SNMP Trap, you will need to follow the [Manual Upgrade Steps for SNMP definition files](/additional-resources-reference-articles/faq/def_download.md).

## 7.10.0 - April 17, 2025

#### Updates

* **SNMP Polling** - Added support for limiting the number of concurrent polls to a device. This can be configured for each device by setting the max\_concurrent\_polls field in the device definition file to the desired value.

#### Security

* **CWE-25** - Updated `filippo.io/age` from `1.2.0` to `1.2.1`.

## 7.9.0 - March 27, 2025

#### Updates

* **SNMP Polling** - Added support for enriching Cisco QoS policy objects with the following fields: `ifName`, `cbQosPolicyMapName`, `cbQosCMName`, and `cbQosMatchStmtName`. Enable this enrichment by setting the cisco\_qos\_enabled field to `true` in the device's definition.

#### Fixes

* **Azure VNet Flow Logs** - Fixed an issue where the flow collector would not process Azure flow logs if the user had configured a different Resource Group than the default.
* **Azure VNet Flow Logs** - Fixed an issue where Blob events could not be processed; all events that are not `Microsoft.Storage.BlobCreated` are now ignored.
* **SNMP Polling** - Fixed an issue where Error Index was not being interpreted correctly as a 1-based index.

## 7.8.0 - March 12, 2025

#### New Features

* **Azure VNet Flow Logs** - Added support for collecting VNet flow logs from Azure. See [configuration guide](/flowcoll/configuration/inputs/input_azure_vnet.md) for more details.

#### Updates

* **Autonomous System Enrichment** - Added further Autonomous system (AS) field indexing and the EF\_PROCESSOR\_ENRICH\_IPADDR\_NETINTEL\_AS\_PREFIX\_PRECISION configuration to allow greater enrichment controls.
* **NetIntel Enrichment** - Updated NetObserv flow to download a compressed version of the NetIntel database for greater efficiency.
* **Public GPG Key Update** - ElastiFlow's public GPG key has been replaced, using SHA‑256 instead of SHA‑1. Existing installations remain compatible, but users in environments that disable SHA‑1 (e.g., FIPS environments or Rocky 9 installations) should reimport the new key to enable support for the updated algorithm. To reimport the new key, follow the same steps as before provided in the [installation documentation](/flowcoll/installation/install_linux.md#verify-the-package).

## 7.7.2 - February 18, 2025

#### Fixes

* **SNMP Collector** - Fixed an issue where the SNMP collector would panic when polling objects with `ObjectIdentifier` syntaxes.

## 7.7.1 - February 14, 2025

#### Updates

* **AWS VPC Flow Logs via AWS Firehose** - Added a new configuration, EF\_AWS\_VPC\_FLOW\_LOG\_FIREHOSE\_HTTP\_PORT, to customize the HTTP port that the flow collector listens on for incoming flow logs from Amazon Firehose.

#### Fixes

* **Flow Collector** - Fixed an issue where path and telemetry indices were not being created correctly when TSDS was enabled for Elasticsearch.
* **Splunk Output** - Fixed an issue where the EF\_OUTPUT\_SPLUNK\_HEC\_CIM\_ENABLE configuration was not being respected and Splunk CIM fields were not used.
* **Flow Collector** - Fixed an issue where flows were not being enriched correctly with AS fields.

#### Security

* **CVE-2022-28948** - Updated `gopkg.in/yaml.v3` from `3.0.0-20210107192922-496545a6307b` to `3.0.0`.
* **CVE-2023-48795** - Updated `golang.org/x/crypto` from `0.11.0` to `0.31.0`.
* **CVE-2024-45337** - Updated `golang.org/x/crypto` from `0.11.0` to `0.31.0`.
* **CVE-2023-3978** - Updated `golang.org/x/net` from `0.12.0` to `0.33.0`.
* **CVE-2023-39325** - Updated `golang.org/x/net` from `0.12.0` to `0.33.0`.
* **CVE-2023-44487** - Updated `golang.org/x/net` from `0.12.0` to `0.33.0`.
* **CVE-2023-45288** - Updated `golang.org/x/net` from `0.12.0` to `0.33.0`.
* **CVE-2024-45338** - Updated `golang.org/x/net` from `0.12.0` to `0.33.0`.

## 7.7.0 - February 3, 2025

#### New Features

* **NetObserv SNMP Trap Collector** - Added a new SNMP Trap Collector to the NetObserv suite. The SNMP Trap Collector is a turnkey solution for collecting, processing, and enriching SNMP traps from network devices. For more information, see the [SNMP Trap Collector Introduction](/trapcoll.md).

#### Updates

* **Maxmind Enrichment** - Improved the performance of Maxmind GeoIP and ASN enrichment.
* **TSDS** - Added metric support for TSDS data streams in Elasticsearch outputs. To enable sending metrics to TSDS data streams ensure EF\_OUTPUT\_ELASTICSEARCH\_TSDS\_ENABLE is set to true and EF\_OUTPUT\_ELASTICSEARCH\_ALLOWED\_RECORD\_TYPES includes `metric`.

## 7.6.0 - January 21, 2025

#### Updates

* **License** - Added the following license related configurations:
  * [EF\_LICENSE\_KEY](/flowcoll/configuration/config_gen/license.md#ef_license_key) (replaces `EF_FLOW_LICENSE_KEY` and `EF_SNMP_LICENSE_KEY`, marked for deprecation).
  * EF\_LICENSE\_FLOW\_RECORDS\_PER\_SECOND (replaces `EF_FLOW_LICENSED_UNITS`, marked for deprecation).
  * [EF\_LICENSE\_TELEMETRY\_HOSTS](/snmpcoll/configuration/general-configuration/license.md#ef_license_telemetry_hosts).
* **Flow Collector Metrics** - Added a new informational metric to the flow collector to provide clarity on the maximum flow records per second that the collector is provisioned for according to the license: [license\_flow\_records\_per\_second](/flowcoll/overview/metrics.md#license_flow_records_per_second).
* **SNMP Collector Metrics** - Added two new informational metrics to the SNMP collector to provide clarity on the maximum number of SNMP devices and objects that can be polled according to the license: [license\_telemetry\_hosts](/snmpcoll/api-reference-overview/metrics.md#license_telemetry_hosts) and [license\_telemetry\_objects](/snmpcoll/api-reference-overview/metrics.md#license_telemetry_objects).
* **Metrics** - Renamed the `license_units` metric to `license_info` to better reflect the information it provides.
* **Outputs** - Introduced the following configurations for Splunk, Cribl, and generic HTTP outputs to control which record types are sent to each output. Supported values include: `as_path_hop`, `flow_option`, `flow`, `ifa_hop`, `telemetry`, `metric`, and `log`. If left empty, all record types will be sent to the output.
  * [EF\_OUTPUT\_SPLUNK\_HEC\_ALLOWED\_RECORD\_TYPES](/flowcoll/configuration/outputs/output_splunk_hec.md#ef_output_splunk_hec_allowed_record_types)
  * [EF\_OUTPUT\_CRIBL\_ALLOWED\_RECORD\_TYPES](/flowcoll/configuration/outputs/output_cribl.md#ef_output_cribl_allowed_record_types)
  * [EF\_OUTPUT\_GENERIC\_HTTP\_ALLOWED\_RECORD\_TYPES](/flowcoll/configuration/outputs/output_http.md#ef_output_generic_http_allowed_record_types)

#### Fixes

* **RPM and FIPS** - The RPM package for NetObserv will now work correctly on FIPS-compliant RHEL machines.
* **sFlow** - Fixed an issue that could cause fields to not be successfully parsed from an sFlow `sampled_header` depending on where the packet sample was truncated.
* **SNMP Poller** - Fixed an issue where collectors would start without users accepting our license agreement. When you upgrade and have not accepted the license agreement, you may encounter the following error:

  ```shell
  snmpcoll/main.go:62 exiting because of a license error {"code": "license/error", "reason": "license configuration: license agreement not accepted. Please update 'EF_LICENSE_ACCEPTED'"}
  ```

  To resolve this, ensure `EF_LICENSE_ACCEPTED` is set to `true` in your configuration.

## 7.5.3 - December 4, 2024

#### Fixes

* **Metrics collection** - Reduced log level from `error` to `debug` if NetObserv can't access system metrics like CPU or available hard drive space.
* **SNMP poller panic** - Fixed a bug that caused the SNMP poller to stop working when some SNMPv2 devices sent their DisplayString in an unexpected format.
* **API\_IP configuration** - Fixed a bug where NetObserv was still listening on all interfaces even though a specific IP address is set in the EF\_API\_IP configuration.
* **Container** - Flow Collector container no longer requires mounting /var/lib/elastiflow/flowcoll just to run.

## 7.5.2 - November 22, 2024

#### Updates

* **AWS VPC Flow Logs** - Added AWS VPC Flow Log support to include all flow records through v7.

#### Fixes

* **SNMP Enrichment** - Fixed an issue where the Flow Collector could fail to enrich flow records with SNMP data from SNMPv3 devices.
* **NetIntel -** Fixed an issue where downloading the NetIntel dataset could fail due to insufficient timeout.

## 7.5.1 - November 15, 2024

#### Fixes

* **Metrics** - Fixed an issue where duplicate metric registration can cause a panic in the NetObserv Flow collector.

## 7.5.0 - November 8, 2024

#### Updates

* **Docker Installation** - Added a new volume mount point to support data persistence for Docker installations. This enables the NetObserv Flow Collector to retain data across container restarts. For more information, see the [Upgrade to 7.5](/additional-resources-reference-articles/faq/upgrade_7.5.md#docker-installation) guide.
* **Sample Rate** - Added support for calculating flow sample rate from sampling packet interval and space found in an option record.
* **Flow Data Path** - Added a new configuration, [EF\_FLOW\_DATA\_PATH](/flowcoll/configuration/config_gen/data_path.md#ef_flow_data_path), to specify the path where NetObserv Flow will store data files that need to be persisted between runs.
* **Autonomous System Enrichment** - Added support for enriching Autonomous System data from the NetIntel dataset.

#### Fixes

* **Metadata Enrichment** - Fixed an issue where flows were not being consistently enriched with metadata associated with the most specific IP CIDR or range.
* **Support Bundle** - Fixed an issue where the original file modification date was not preserved when creating support bundles.
* **Versa AppID** - Fixed an issue where application information from Versa devices was not enriched correctly.

## 7.4.0 - October 25, 2024

#### Updates

* **Sample Rate** - Added IP CIDR and range support for user-defined [sample rates](/flowcoll/configuration/flow-processing/sampling.md#ef_processor_enrich_samplerate_userdef_path).
* **Metrics** - Added system-level and process-level Prometheus metrics for memory, CPU, and disk usage.
* **CLI Tool** - Allow netobserv commands to read license parameters from the configuration file.
* **stdout Output** - Introduced a new configuration, [EF\_OUTPUT\_STDOUT\_ALLOWED\_RECORD\_TYPES](/flowcoll/configuration/outputs/output_stdout.md#ef_output_stdout_allowed_record_types), to control which record types are sent to stdout. Supported values include: `as_path_hop`, `flow_option`, `flow`, `ifa_hop`, `telemetry`, and `metric`. If left empty, all types will be allowed by default.

#### Fixes

* **SNMP Enrichment** - Fixed a panic condition that could occur when enriching flows with SNMP data.
* Fixed an issue where logs were dropped when the app panics and restarts.

## 7.3.2 - October 11, 2024

#### Updates

* **Extended field support** - Added support for NetQuest JA4 IPFIX records

## 7.3.1 - October 1, 2024

#### Fixes

* **AS Enrichment** - Fixed a potential panic if Autonomous System data was enriched as an array instead of a single value.

## 7.3.0 - September 24, 2024

#### Updates

* **Packet Parser** - Flow Collector: Improved Infiniband support to handle additional OpCodes.

#### Fixes

* **Packet Parser** - Flow Collector: Fixed an issue that caused Infiniband-related boolean values to be indexed incorrectly.
* **sFlow** - Flow Collector: Fixed an issue where `system.ip.addr` was not set correctly for sFlow records.
* **Elasticsearch Output** - SNMP Collector: Auto-generated component template now has the correct "version" value.
* **Logging** - The warning for RiskIQ-related environment variable no longer triggers for non-ElastiFlow RiskIQ environment variables.

## 7.2.2 - September 6, 2024

#### Fixes

* Fixed a panic condition that could happen if IPFIX or sFlow packets contained incorrect payload length values.

## 7.2.1 - August 21, 2024

#### Fixes

* **Output** - Fixed a race condition which would cause a concurrent map write issue and stop the collector when there was high throughput.

## 7.2.0 - August 16, 2024

#### New Features

* **Metrics** - Added new functionality to gather and send all Prometheus metrics to outputs. This feature can be enabled by adding `metric` to EF\_OUTPUT\_ELASTICSEARCH\_ALLOWED\_RECORD\_TYPES, EF\_OUTPUT\_OPENSEARCH\_ALLOWED\_RECORD\_TYPES, or EF\_OUTPUT\_KAFKA\_ALLOWED\_RECORD\_TYPES.
* **RoCEv2 support (TECHNOLOGY PREVIEW)** - Added support for ingesting `RoCEv2` flow data.

#### Updates

* **Metrics** - Added a `record_type` label to output metrics in order to provide more granularity into the records being pushed to downstream outputs.
* **Docker Container** - Upgraded base image to `ubuntu:24.04`.

#### Fixes

* **Docker Container** - The Docker container now includes default configuration files and directories.
* Fixed an issue where inconsistent attribute tagging occurred in flow records when using nested rules in the EF\_PROCESSOR\_ENRICH\_IPADDR\_METADATA\_USERDEF\_PATH file.
* Fixed an issue where sFlow counter records were processed despite EF\_PROCESSOR\_DECODE\_SFLOW\_COUNTERS\_ENABLE being set to false.
* Fixed an issue where sFlow counter records were returning a `sample type not supported` error for valid counter samples when EF\_PROCESSOR\_DECODE\_SFLOW\_COUNTERS\_ENABLE was set to false.
* Fixed an issue where proxy settings within NetObserv were not applied correctly, resulting in failed downloads of the NetIntel data set for flow enrichment when a proxy is being used.

## 7.1.2 - August 8, 2024

#### Fixes

* Fixed an issue where all data was being written to one TSDS datastream when TSDS is enabled for Elasticsearch.
* Fixed an issue where the SNMP poller ignored EF\_INPUT\_SNMP\_POLLER\_ERROR\_HANDLING and stopped object polling when a device returned an empty object.

## 7.1.1 - July 17, 2024

#### Fixes

* Fixed an issue where NetIntel environment variables were not being passed down correctly.

## 7.1.0 - July 16, 2024

#### New Features

* **NetIntel dataset for air-gapped environments** - A new CLI tool to download the NetIntel dataset for use in air-gapped environments is available for [download](/flowcoll/configuration/enrichment-options/ip-address-enrichment/enrich_ip_netintel.md).
* **SNMP Device File Encryption** - Added support for encrypting SNMP device files. This will protect device file credentials using age encryption while offering a secure user-friendly interface for managing said files. For more information about configuring this, please see [Device File Encryption](/snmpcoll/configuration/def_devices/device-file-encryption.md).

#### Updates

* **NetObserv Flow Logging** - Improved the log message shown when an IPFIX or NetFlow9 template is not found.
* **NetObserv SNMP Metrics** - New Prometheus metrics provide deeper insight into internal collector processes ([SNMP metrics](/snmpcoll/api-reference-overview/metrics.md)).

#### Fixes

* Fixed an issue where the same reference of a record could be mutated by multiple namespaced outputs.

## 7.0.2 - June 28, 2024

#### Fixes

* Fixed an issue where the flow collector would not start if port 443 was blocked, even if the Amazon Firehose HTTP Endpoint was not enabled.

## 7.0.1 - June 21, 2024

#### New Features

* **AWS VPC Flow Logs via AWS Firehose** - A new HTTP endpoint has been added to collect VPC flow logs directly from Amazon Firehose. For more information about configuring this, please see [AWS Firehose Input](/flowcoll/configuration/inputs/input_aws_firehose.md).
* **NetObserv SNMP Device Status** - The availability of devices is evaluated based on the combination of ICMP and SNMP reachability. A new field, `system.avail.state.name`, has been added which indicates the result of this evaluation.

#### Updates

* **Community License** - The Community tier license now supports application identifiers provided in the flow records from devices with such capabilities.

#### Fixes

* The SNMP Definitions tar file is no longer truncated. This addresses the enum error occurring when `EF_INPUT_SNMP_PERSIST_ENABLE` is set to `true`.
* A panic condition has been fixed, which occurred when devices had been removed from the configuration definitions and `/snmp/apply-definitions` was called.
* A panic condition has been fixed, which occurred when devices reported an unsigned integer value instead of the expected signed integer for certain SNMP data types.

#### Security

* **Security Upgrade** - Updated `libc` from `5.15.0-107.117` to `5.15.0-112.122` to patch "High" CVEs.

## 7.0.0 - June 4, 2024

#### Breaking Changes

* **RiskIQ EOL** - Since RiskIQ will reach its end-of-life on June 30th 2024, NetObserv v7 will no longer support threat enrichment through RiskIQ. NetIntel threat enrichment will replace RiskIQ and is enabled by default.
* **Licensing** - The NetObserv Basic License now supports all 7400+ vendor specific flow fields (previously only supported 1020 fields). The Community License now supports 500 flow records/second per organization. If you are using a Community License and need a higher flow rate, please use [this form](https://elastiflow.com/basic-license) to sign up for a free 1-year Basic License.
* **AWS VPC Flow logs** - To set us up to deliver more flexible ways to retrieve flow logs (e.g. through Firehose) we needed to make some changes to the config fields for AWS VPC flow log enrichment. You need to change your configuration options to the new format to ensure you continue to receive VPC flow logs.

#### New Features

* **NetIntel Threat Intelligence** - NetObserv now uses ElastiFlow NetIntel for populating the information on the IP Reputation dashboard.
* **NetIntel Online Application and Cloud Service Identity** - NetObserv now uses ElastiFlow NetIntel to enrich public IP addresses with online application and Cloud Service Identity information on the Top-N -> Apps dashboard.
* **AWS VPC Flow Logs** - Added support for S3 buckets using data sent from Amazon Firehose, as well as custom log formats when using Firehose data. For more information about configuring this, please see [AWS VPC Flow logs](/flowcoll/configuration/inputs/input_aws_s3.md).
* **User-defined mapping for IPs used for SNMP polling** - Allows users to poll SNMP info for a device on a different IP address than it sends flow records from.

#### Updates

* **Product Naming** - The ElastiFlow Unified Flow Collector is now called NetObserv Flow
* **Product Naming** - The ElastiFlow Unified SNMP Collector is now called NetObserv SNMP
* **Product Naming** - For anything that applies to both Flow and SNMP, we will simply refer to NetObserv


