Changelog
Release History
7.6.0 - January 21, 2025
NetObserv
Updates
- License - Added the following license-related configurations:
  - EF_LICENSE_KEY (replaces EF_FLOW_LICENSE_KEY and EF_SNMP_LICENSE_KEY, which are marked for deprecation).
  - EF_LICENSE_FLOW_RECORDS_PER_SECOND (replaces EF_FLOW_LICENSED_UNITS, which is marked for deprecation).
  - EF_LICENSE_TELEMETRY_HOSTS.
- Flow Collector Metrics - Added a new informational metric to the flow collector to provide clarity on the maximum flow records per second that the collector is provisioned for according to the license: license_flow_records_per_second.
- SNMP Collector Metrics - Added two new informational metrics to the SNMP collector to provide clarity on the maximum number of SNMP devices and objects that can be polled according to the license: license_telemetry_hosts and license_telemetry_objects.
- Metrics - Renamed the license_units metric to license_info to better reflect the information it provides.
- Outputs - Introduced new allowed-record-type configurations for the Splunk, Cribl, and generic HTTP outputs to control which record types are sent to each of those outputs. Supported values include: as_path_hop, flow_option, flow, ifa_hop, telemetry, metric, and log. If left empty, all record types will be sent to the output.
Fixes
- RPM and FIPS - The RPM package for NetObserv now installs and runs correctly on FIPS-compliant RHEL machines.
- sFlow - Fixed an issue that could cause fields to not be parsed from an sFlow sampled_header, depending on where the packet sample was truncated.
- SNMP Poller - Fixed an issue where collectors would start without users having accepted the license agreement. When you upgrade and have not accepted the license agreement, you may encounter the following error:
  snmpcoll/main.go:62 exiting because of a license error {"code": "license/error", "reason": "license configuration: license agreement not accepted. Please update 'EF_LICENSE_ACCEPTED'"}
  To resolve this, ensure EF_LICENSE_ACCEPTED is set to true in your configuration.
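The 7.6.0 license changes above amount to two operator tasks: rename the deprecated keys to their replacements, and make sure EF_LICENSE_ACCEPTED is true before the collector is restarted. The following Go program is an added example written for this page, not ElastiFlow's own code: it migrates an env-style key/value map (the config file format, the placeholder license value and the rule that an explicitly set new key beats a stale deprecated one are this example's assumptions), warns about every deprecated key it finds, and applies the same start-up gate the SNMP Poller fix describes, returning the reason text from the log line above.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Deprecated license keys and their 7.6.0 replacements, as listed in the
// 7.6.0 "License" entry.
var deprecatedLicenseKeys = map[string]string{
	"EF_FLOW_LICENSE_KEY":    "EF_LICENSE_KEY",
	"EF_SNMP_LICENSE_KEY":    "EF_LICENSE_KEY",
	"EF_FLOW_LICENSED_UNITS": "EF_LICENSE_FLOW_RECORDS_PER_SECOND",
}

// ErrLicenseNotAccepted carries the reason text from the snmpcoll log line.
var ErrLicenseNotAccepted = errors.New("license configuration: license agreement not accepted. Please update 'EF_LICENSE_ACCEPTED'")

// MigrateLicenseConfig returns a copy of cfg (an env-style key/value map) with
// deprecated keys renamed to their replacements, plus one warning per
// deprecated key seen. If both a deprecated key and its replacement are set,
// the replacement wins and the deprecated value is dropped (this example's
// policy), so a stale EF_FLOW_LICENSE_KEY cannot silently override a freshly
// issued EF_LICENSE_KEY.
func MigrateLicenseConfig(cfg map[string]string) (map[string]string, []string) {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		if _, deprecated := deprecatedLicenseKeys[k]; !deprecated {
			out[k] = v
		}
	}
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic warning order
	var warnings []string
	for _, k := range keys {
		repl, deprecated := deprecatedLicenseKeys[k]
		if !deprecated {
			continue
		}
		if cur, exists := out[repl]; exists {
			if cur == cfg[k] {
				warnings = append(warnings, fmt.Sprintf("%s is deprecated; remove it (%s already holds the same value)", k, repl))
			} else {
				warnings = append(warnings, fmt.Sprintf("%s is deprecated and ignored because %s is set", k, repl))
			}
			continue
		}
		out[repl] = cfg[k]
		warnings = append(warnings, fmt.Sprintf("%s is deprecated; value migrated to %s", k, repl))
	}
	return out, warnings
}

// CheckLicenseAccepted is the start-up gate the 7.6.0 SNMP Poller fix
// restores: refuse to run unless EF_LICENSE_ACCEPTED is exactly "true".
func CheckLicenseAccepted(cfg map[string]string) error {
	if cfg["EF_LICENSE_ACCEPTED"] != "true" {
		return ErrLicenseNotAccepted
	}
	return nil
}

func main() {
	// Constructed pre-7.6.0 configuration; the key value is a placeholder.
	cfg := map[string]string{
		"EF_FLOW_LICENSE_KEY":    "placeholder-license-key",
		"EF_SNMP_LICENSE_KEY":    "placeholder-license-key",
		"EF_FLOW_LICENSED_UNITS": "1000",
		"EF_LICENSE_ACCEPTED":    "false",
	}
	migrated, warnings := MigrateLicenseConfig(cfg)
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
	if err := CheckLicenseAccepted(migrated); err != nil {
		fmt.Println("exiting because of a license error:", err)
		return
	}
	fmt.Println("license configuration ok")
}
```

Run it against the constructed map and it reports three deprecation warnings and then refuses to start because EF_LICENSE_ACCEPTED is false; flip that value to true and the gate passes. Both collectors read EF_LICENSE_KEY in 7.6.0, so the two old per-collector keys collapse into one value, which is why the second identical key only produces a "remove it" warning.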
7.5.3 - December 4, 2024
NetObserv
Fixes
- Metrics collection - Reduced the log level from error to debug when NetObserv cannot access system metrics such as CPU usage or available disk space.
- SNMP poller panic - Fixed a bug that stopped the SNMP poller when some SNMPv2 devices sent their DisplayString in an unexpected format.
- API_IP configuration - Fixed a bug where NetObserv still listened on all interfaces even though a specific IP address was set in the EF_API_IP configuration.
- Container - Flow Collector container no longer requires mounting /var/lib/elastiflow/flowcoll just to run.
7.5.2
NetObserv
Updates
- AWS VPC Flow Logs - Extended AWS VPC Flow Log support to cover all flow log record versions through v7.
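VPC flow log support, both here and in the 7.0.0 and 7.0.1 entries further down (S3 and Firehose inputs, custom log formats), comes down to matching a space-separated line against the field list AWS was configured to emit. The Go program below is an added example for this page, not NetObserv's parser: it reads a format string of ${field} tokens (the AWS default version 2 list is embedded as a constant), parses lines of that shape, treats AWS's "-" marker as an absent field, validates addresses and numeric fields, and carries log-status through so NODATA and SKIPDATA records are kept distinct from real flows. The sample lines are constructed, not captured data.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// DefaultFormat is the AWS default (version 2) field list. Custom formats are
// any space-separated list of ${field} tokens, including version 3 to 7 fields.
const DefaultFormat = "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}"

// ParseFormat turns "${a} ${b}" into ["a", "b"], rejecting malformed tokens.
func ParseFormat(format string) ([]string, error) {
	var fields []string
	for _, tok := range strings.Fields(format) {
		if len(tok) < 4 || !strings.HasPrefix(tok, "${") || !strings.HasSuffix(tok, "}") {
			return nil, fmt.Errorf("malformed format token %q", tok)
		}
		fields = append(fields, tok[2:len(tok)-1])
	}
	if len(fields) == 0 {
		return nil, fmt.Errorf("empty format")
	}
	return fields, nil
}

// FlowRecord is one parsed line. Fields holds every present field by name;
// "-" (AWS's marker for "not applicable") is omitted rather than stored.
type FlowRecord struct {
	Fields    map[string]string
	LogStatus string // OK, NODATA or SKIPDATA
}

// ParseLine matches a line against the field list produced by ParseFormat.
func ParseLine(fields []string, line string) (FlowRecord, error) {
	vals := strings.Fields(line)
	if len(vals) != len(fields) {
		return FlowRecord{}, fmt.Errorf("field count mismatch: format has %d, line has %d", len(fields), len(vals))
	}
	rec := FlowRecord{Fields: map[string]string{}}
	for i, name := range fields {
		v := vals[i]
		if v == "-" {
			continue
		}
		switch name {
		case "srcaddr", "dstaddr", "pkt-srcaddr", "pkt-dstaddr":
			if net.ParseIP(v) == nil {
				return FlowRecord{}, fmt.Errorf("%s: bad IP %q", name, v)
			}
		case "version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end", "tcp-flags":
			if _, err := strconv.ParseUint(v, 10, 64); err != nil {
				return FlowRecord{}, fmt.Errorf("%s: not a number %q", name, v)
			}
		case "log-status":
			rec.LogStatus = v
		}
		rec.Fields[name] = v
	}
	return rec, nil
}

// Uint returns a numeric field, and false if it was absent ("-") or not numeric.
func (r FlowRecord) Uint(name string) (uint64, bool) {
	v, ok := r.Fields[name]
	if !ok {
		return 0, false
	}
	n, err := strconv.ParseUint(v, 10, 64)
	return n, err == nil
}

func main() {
	fields, err := ParseFormat(DefaultFormat)
	if err != nil {
		panic(err)
	}
	// Constructed sample lines: one accepted TCP flow and one NODATA record,
	// where AWS fills most fields with "-".
	lines := []string{
		"2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 443 6 12 5400 1700000000 1700000060 ACCEPT OK",
		"2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
	}
	for _, l := range lines {
		rec, err := ParseLine(fields, l)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		b, _ := rec.Uint("bytes")
		fmt.Printf("status=%s src=%q dst=%q bytes=%d\n", rec.LogStatus, rec.Fields["srcaddr"], rec.Fields["dstaddr"], b)
	}
	// A custom (version 5) format as configured on the AWS side; the same parser handles it.
	custom, _ := ParseFormat("${version} ${flow-direction} ${pkt-srcaddr} ${pkt-dstaddr} ${dstport} ${action}")
	rec, _ := ParseLine(custom, "5 ingress 198.51.100.9 10.0.1.5 22 REJECT")
	fmt.Println(rec.Fields["flow-direction"], rec.Fields["pkt-srcaddr"], rec.Fields["action"])
}
```

The field-count check matters in practice: a format string that drifts from what the log group actually emits silently shifts every column, and rejecting the line is better than enriching the wrong address. NODATA and SKIPDATA lines parse cleanly but carry no addresses, so a consumer should branch on LogStatus before treating a record as a flow.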
Fixes
- SNMP Enrichment - Fixed an issue where the Flow Collector could fail to enrich flow records with SNMP data from SNMPv3 devices.
NetIntel
Fixes
- Fixed an issue where downloading the NetIntel dataset could fail due to insufficient timeout.
7.5.1
NetObserv
Fixes
- Metrics - Fixed an issue where duplicate metric registration could cause a panic in the NetObserv Flow collector.
7.5.0
NetObserv
Updates
- Docker Installation - Added a new volume mount point to support data persistence for Docker installations. This enables the NetObserv Flow Collector to retain data across container restarts. For more information, see the Upgrade to 7.5 guide.
- Sample Rate - Added support for calculating flow sample rate from sampling packet interval and space found in an option record.
- Flow Data Path - Added a new configuration, EF_FLOW_DATA_PATH, to specify the path where NetObserv Flow will store data files that need to be persisted between runs.
Fixes
- Metadata Enrichment - Fixed an issue where flows were not consistently enriched with the metadata associated with the most specific matching IP CIDR or range.
- Support Bundle - Fixed an issue where the original file modification date was not preserved when creating support bundles.
- Versa AppID - Fixed an issue where application information from Versa devices was not enriched correctly.
NetIntel
Updates
- Autonomous System Enrichment - Added support for enriching Autonomous System data from the NetIntel dataset.
7.4.0
NetObserv
Updates
- Sample Rate - Added IP CIDR and range support for user-defined sample rates.
- Metrics - Added system-level and process-level Prometheus metrics for memory, CPU, and disk usage.
- CLI Tool - Allow netobserv commands to read license parameters from the configuration file.
- stdout Output - Introduced a new configuration, EF_OUTPUT_STDOUT_ALLOWED_RECORD_TYPES, to control which record types are sent to stdout. Supported values include: as_path_hop, flow_option, flow, ifa_hop, telemetry, and metric. If left empty, all types are allowed by default.
Fixes
- SNMP Enrichment - Fixed a panic condition that could occur when enriching flows with SNMP data.
- Fixed an issue where logs were dropped when the application panicked and restarted.
7.3.2
NetObserv
Updates
- Extended field support - Added support for NetQuest JA4 IPFIX records.
7.3.1
NetObserv
Fixes
- AS Enrichment - Fixed potential panic if Autonomous System data was enriched as an array instead of single value.
7.3.0
NetObserv
Updates
- Packet Parser - Flow Collector: Improved Infiniband support to handle additional OpCodes.
Fixes
- Packet Parser - Flow Collector: Fixed an issue that caused Infiniband-related boolean values to be indexed incorrectly.
- sFlow - Flow Collector: system.ip.addr was not set correctly for sFlow records.
- Elasticsearch Output - SNMP Collector: The auto-generated component template now has the correct "version" value.
- Logging - The warning for RiskIQ-related environment variables no longer triggers for non-ElastiFlow RiskIQ environment variables.
7.2.2
NetObserv
Fixes
- Fixed a panic condition that could happen if IPFIX or sFlow packets contained incorrect payload length values.
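This fix and the 7.6.0 sFlow sampled_header fix are two faces of the same decoder problem: length fields inside the datagram cannot be trusted, and a packet sample can be cut off at any byte. The Go code below is an added example written for this page, not ElastiFlow's decoder. It parses the body of an sFlow v5 raw packet header record (header_protocol, frame_length, stripped, header_length, then the captured bytes), clamps the claimed header_length to what the buffer actually holds, and pulls EtherType, IP protocol and addresses out of the captured Ethernet/IPv4 or IPv6 header only as far as the bytes reach, reporting truncation instead of panicking. The test vector is constructed, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const ethernetISO88023 = 1 // sFlow v5 header_protocol value for Ethernet

// SampledHeader is what could be recovered from an sFlow v5 raw packet header
// record. Fields the capture did not reach keep their "absent" value (-1 or "").
type SampledHeader struct {
	HeaderProtocol uint32
	FrameLength    uint32
	Stripped       uint32
	HeaderLength   uint32 // as claimed by the agent
	Truncated      bool   // fewer header bytes present than HeaderLength claims
	EtherType      int    // -1 if the 14-byte Ethernet header was not captured
	Proto          int    // -1 if the IP protocol / next-header byte was not captured
	SrcIP, DstIP   string // "" if the address was not captured
}

var ErrShortRecord = errors.New("sflow: record shorter than the 16-byte raw packet header preamble")

// ParseSampledHeader decodes the body of a raw packet header record (the bytes
// after the flow_record data_format/length pair). Every slice bound is checked
// against len(b), so a datagram cut off anywhere, or a header_length that
// overstates the payload, yields a partial result instead of a panic.
func ParseSampledHeader(b []byte) (SampledHeader, error) {
	h := SampledHeader{EtherType: -1, Proto: -1}
	if len(b) < 16 {
		return h, ErrShortRecord
	}
	h.HeaderProtocol = binary.BigEndian.Uint32(b[0:4])
	h.FrameLength = binary.BigEndian.Uint32(b[4:8])
	h.Stripped = binary.BigEndian.Uint32(b[8:12])
	h.HeaderLength = binary.BigEndian.Uint32(b[12:16])

	avail := uint32(len(b) - 16) // clamp the claimed length to the buffer
	n := h.HeaderLength
	if n > avail {
		h.Truncated = true
		n = avail
	}
	hdr := b[16 : 16+int(n)]

	if h.HeaderProtocol != ethernetISO88023 || len(hdr) < 14 {
		return h, nil // non-Ethernet, or cut before the EtherType: preamble only
	}
	h.EtherType = int(binary.BigEndian.Uint16(hdr[12:14]))
	ip := hdr[14:]
	switch h.EtherType {
	case 0x0800: // IPv4: protocol at offset 9, src 12..16, dst 16..20
		if len(ip) >= 10 {
			h.Proto = int(ip[9])
		}
		if len(ip) >= 16 {
			h.SrcIP = net.IP(ip[12:16]).String()
		}
		if len(ip) >= 20 {
			h.DstIP = net.IP(ip[16:20]).String()
		}
	case 0x86DD: // IPv6: next header at offset 6, src 8..24, dst 24..40
		if len(ip) >= 7 {
			h.Proto = int(ip[6])
		}
		if len(ip) >= 24 {
			h.SrcIP = net.IP(ip[8:24]).String()
		}
		if len(ip) >= 40 {
			h.DstIP = net.IP(ip[24:40]).String()
		}
	}
	return h, nil
}

// buildRecord is a constructed test vector: an Ethernet/IPv4/TCP header from
// 10.1.1.10 to 192.0.2.5. keep limits how many of the 34 header bytes are
// present, simulating a datagram truncated there while the agent still
// claims the full length.
func buildRecord(keep int) []byte {
	hdr := []byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, // dst, src MAC
		0x08, 0x00, // EtherType IPv4
		0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00, // IPv4, proto 6
		10, 1, 1, 10, 192, 0, 2, 5, // src, dst
	}
	claimed := uint32(len(hdr))
	if keep < len(hdr) {
		hdr = hdr[:keep]
	}
	rec := make([]byte, 16)
	binary.BigEndian.PutUint32(rec[0:4], ethernetISO88023)
	binary.BigEndian.PutUint32(rec[4:8], 1500) // frame_length
	binary.BigEndian.PutUint32(rec[8:12], 4)   // stripped (FCS)
	binary.BigEndian.PutUint32(rec[12:16], claimed)
	rec = append(rec, hdr...)
	for len(rec)%4 != 0 {
		rec = append(rec, 0) // XDR padding to a 4-byte boundary
	}
	return rec
}

func main() {
	for _, keep := range []int{34, 30} {
		h, err := ParseSampledHeader(buildRecord(keep))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("keep=%d truncated=%v proto=%d src=%q dst=%q\n", keep, h.Truncated, h.Proto, h.SrcIP, h.DstIP)
	}
}
```

With the full 34 bytes every field is filled; with the sample cut after the source address the parser still returns protocol and source, leaves the destination empty and flags Truncated, which is the behaviour a collector wants so that partial samples are neither dropped nor misattributed. A header_length of 0xFFFFFFFF is handled the same way, which is the class of bug the 7.2.2 entry describes.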
7.2.1
NetObserv
Fixes
- Output - Fixed a race condition which would cause a concurrent map write issue and stop the collector when there was high throughput.
7.2.0
NetObserv
New Features
- Metrics - Added new functionality to gather and send all Prometheus metrics to outputs. This feature can be enabled by adding metric to EF_OUTPUT_ELASTICSEARCH_ALLOWED_RECORD_TYPES, EF_OUTPUT_OPENSEARCH_ALLOWED_RECORD_TYPES, or EF_OUTPUT_KAFKA_ALLOWED_RECORD_TYPES.
- RoCEv2 support (TECHNOLOGY PREVIEW) - Added support for ingesting RoCEv2 flow data.
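The *_ALLOWED_RECORD_TYPES settings introduced here, extended to stdout in 7.4.0 and to the Splunk, Cribl and HTTP outputs in 7.6.0, all share one rule: a comma-separated allow-list, and an empty value means every record type passes. The Go code below is an added example for this page rather than NetObserv's implementation: it parses such a value, applies the empty-means-all rule, and splits a batch of records into what the output receives and a per-type count of what was withheld. Rejecting unknown type names is this example's own choice; the page does not say how the collector treats a misspelled value.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record types named in the 7.6.0 output entry; the 7.4.0 stdout list and the
// 7.2.0 Elasticsearch/OpenSearch/Kafka entries use the same names, minus "log".
var RecordTypes = []string{"as_path_hop", "flow_option", "flow", "ifa_hop", "telemetry", "metric", "log"}

// RecordFilter decides which record types one output receives. A nil allowed
// set means "everything", which is how an empty *_ALLOWED_RECORD_TYPES value
// is documented to behave.
type RecordFilter struct {
	allowed map[string]bool
}

// NewRecordFilter parses a comma-separated *_ALLOWED_RECORD_TYPES value.
// Rejecting unknown names is this example's policy, not documented behaviour:
// a typo such as "flows" would otherwise silently drop every flow record.
func NewRecordFilter(value string, supported []string) (RecordFilter, error) {
	known := make(map[string]bool, len(supported))
	for _, s := range supported {
		known[s] = true
	}
	allowed := map[string]bool{}
	for _, item := range strings.Split(value, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !known[item] {
			return RecordFilter{}, fmt.Errorf("unsupported record type %q (supported: %s)", item, strings.Join(supported, ", "))
		}
		allowed[item] = true
	}
	if len(allowed) == 0 {
		return RecordFilter{}, nil // empty (or only separators): allow all
	}
	return RecordFilter{allowed: allowed}, nil
}

// Allows reports whether records of the given type pass the filter.
func (f RecordFilter) Allows(recordType string) bool {
	return f.allowed == nil || f.allowed[recordType]
}

// Record is a minimal stand-in for a collector record; only Type matters here.
type Record struct {
	Type string
	Body string
}

// Apply splits a batch into the records the output should receive and a
// per-type count of what was withheld (the kind of figure an output metric
// with the record_type label added in 7.2.0 would expose).
func (f RecordFilter) Apply(in []Record) (kept []Record, dropped map[string]int) {
	dropped = map[string]int{}
	for _, r := range in {
		if f.Allows(r.Type) {
			kept = append(kept, r)
		} else {
			dropped[r.Type]++
		}
	}
	return kept, dropped
}

func main() {
	// Constructed batch; bodies are placeholders.
	batch := []Record{
		{Type: "flow", Body: "10.0.0.1 -> 10.0.0.2"},
		{Type: "metric", Body: "records_received 42"},
		{Type: "telemetry", Body: "ifInOctets 1234"},
		{Type: "flow", Body: "10.0.0.3 -> 10.0.0.4"},
		{Type: "log", Body: "collector started"},
	}
	for _, value := range []string{"flow,metric", "", "flows"} {
		f, err := NewRecordFilter(value, RecordTypes)
		if err != nil {
			fmt.Printf("%q: %v\n", value, err)
			continue
		}
		kept, dropped := f.Apply(batch)
		types := make([]string, 0, len(dropped))
		for t := range dropped {
			types = append(types, t)
		}
		sort.Strings(types)
		fmt.Printf("%q: kept %d, dropped types %v\n", value, len(kept), types)
	}
}
```

For "flow,metric" three of the five records are kept and telemetry and log are counted as dropped; the empty value keeps all five; "flows" is refused at configuration time. Whitespace around the names is tolerated so that a value pasted with spaces after the commas does not become an accidental deny-all.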
Updates
- Metrics - Added a record_type label to output metrics in order to provide more granularity into the records being pushed to downstream outputs.
- Docker Container - Upgraded the base image to ubuntu:24.04.
Fixes
- Docker Container - The Docker container now includes default configuration files and directories.
- Fixed an issue where inconsistent attribute tagging occurred in flow records when using nested rules in the EF_PROCESSOR_ENRICH_IPADDR_METADATA_USERDEF_PATH file.
- Fixed an issue where sFlow counter records were processed despite EF_PROCESSOR_DECODE_SFLOW_COUNTERS_ENABLE being set to false.
- Fixed an issue where sFlow counter records were returning a "sample type not supported" error for valid counter samples when EF_PROCESSOR_DECODE_SFLOW_COUNTERS_ENABLE was set to false.
- Fixed an issue where proxy settings within NetObserv were not applied correctly, resulting in failed downloads of the NetIntel data set for flow enrichment when a proxy is in use.
7.1.2
NetObserv Flow
Fixes
- Fixed an issue where all data was being written to one TSDS datastream when TSDS is enabled for Elasticsearch.
NetObserv SNMP
Fixes
- Fixed an issue where the SNMP poller ignores EF_INPUT_SNMP_POLLER_ERROR_HANDLING and stops object polling when a device returns an empty object.
7.1.1
NetObserv Flow
Fixes
- Fixed an issue where NetIntel environment variables were not being passed down correctly.
7.1.0
NetObserv Flow
New Features
- Download NetIntel dataset for air-gapped environments - A new CLI tool to download the NetIntel dataset for use in air-gapped environments is now available.
Updates
- Logging - Improved log message for when a IPFIX or NetFlow9 template is not found.
Fixes
- Fixed an issue where the same reference of a record could be mutated by multiple namespaced outputs.
NetObserv SNMP
Updates
- Metrics - New Prometheus metrics provide deeper insight into internal collector processes (SNMP metrics).
New Features
- Device File Encryption - Added support for encrypting SNMP device files. This will protect device file credentials using age encryption while offering a secure user-friendly interface for managing said files. For more information about configuring this, please see Device File Encryption.
7.0.2
NetObserv Flow
Fixes
- Fixed an issue where the flow collector would not start if port 443 was blocked, even if the Amazon Firehose HTTP Endpoint was not enabled.
7.0.1
NetObserv Common
Security
- Security Upgrade - Updated libc from 5.15.0-107.117 to 5.15.0-112.122 to patch "High" CVEs.
NetObserv Flow
New Features
- AWS VPC Flow Logs via AWS Firehose - A new HTTP endpoint has been added to collect VPC flow logs directly from Amazon Firehose. For more information about configuring this, please see AWS Firehose Input.
Updates
- Community License - The Community tier license now supports application identifiers provided in the flow records from devices with that capability.
NetObserv SNMP
New Features
- NetObserv SNMP Device Status - The availability of devices is evaluated based on the combination of ICMP and SNMP reachability. A new field, system.avail.state.name, has been added which indicates the result of this evaluation.
Fixes
- The SNMP Definitions tar file is no longer truncated. This addresses the enum error occurring when EF_INPUT_SNMP_PERSIST_ENABLE is set to true.
- A panic condition has been fixed, which occurred when devices had been removed from the configuration definitions and /snmp/apply-definitions was called.
- A panic condition has been fixed, which occurred when devices reported an unsigned integer value instead of the expected signed integer for certain SNMP data types.
7.0.0
NetObserv Common
Breaking Changes
Click here for more information and all steps you need to take to upgrade from 6.x to 7.x
- RiskIQ EOL - Since RiskIQ will reach its end-of-life on June 30th 2024, NetObserv v7 will no longer support threat enrichment through RiskIQ. NetIntel threat enrichment will replace RiskIQ and is enabled by default.
- Licensing - The NetObserv Basic License now supports all 7400+ vendor-specific flow fields (previously only 1020 fields were supported). The Community License now supports 500 flow records/second per organization. If you are using a Community License and need a higher flow rate, please use this form to sign up for a free 1-year Basic License.
- AWS VPC Flow logs - To set us up to deliver more flexible ways to retrieve flow logs (e.g. through Firehose) we needed to make some changes to the config fields for AWS VPC flow log enrichment. You need to change your configuration options to the new format to ensure you continue to receive VPC flow logs.
Updates
- Product Naming - The ElastiFlow Unified Flow Collector is now called NetObserv Flow
- Product Naming - The ElastiFlow Unified SNMP Collector is now called NetObserv SNMP
- Product Naming - For anything that applies to both flow and snmp, we will simply refer to NetObserv
NetObserv Flow
New Features
- NetIntel Threat Intelligence - NetObserv now uses ElastiFlow NetIntel for populating the information on the IP Reputation dashboard.
- NetIntel Online Application and Cloud Service Identity - NetObserv now uses ElastiFlow NetIntel to enrich public IP addresses with online application and Cloud Service Identity information on the Top-N -> Apps dashboard.
- AWS VPC Flow Logs - Added support for S3 buckets using data sent from Amazon Firehose, as well as custom log formats when using Firehose data. For more information about configuring this, please see AWS VPC Flow logs.
- User-defined mapping for IPs used for SNMP polling - Allows users to poll SNMP info for a device on a different IP address than it sends flow records from.