The ElastiFlow™ Unified Flow Collector is available in four license tiers. The license tier determined a number of collector attributes, including the number of cores, and thus the volume of flows the collector can process, as well as which information elements (IEs) are supported.
The single core limit for the Community and Basic license applies to the person or entity accepting the license. It does not allow for running multiple instances.
The actual number of cores available with a Standard or Premium license is determined by the license key. This number of cores may be split between multiple instances of the collector, as long as the total number of cores does not exceed the number of cores allowed by the license.
By default the number of cores will be set based on the provided license key. However the number of cores to be used by as instance can be configured manually. This is usually done when it is desired to use multiple instances of the collector. For example, a subscription for 8 licensed cores can be split into 2 instances, of 4 cores each, by setting
EF_FLOW_LICENSED_CORES: 4 for each instance. If set to a value greater than allowed by the license key, the instances will be started with the number of cores from the license key.
You can also request a 30-day Premium Trial License via the ElastiFlow™ website. This license can only be renewed with approval of ElastiFlow™. To request an extension, please send an email to email@example.com.
The licnese key for ElastiFlow™ Standard and Premium Tier customers will be made available through our support system. A ticket will be opened, from which an authorized user can download the license key.
The following is an example of a license configuration, as defined in a docker-compose file:
and as defined in the systemd configuration:
By default The ElastiFlow™ Unified Flow Collector can be confugred to log to stdout or to a file. It can also be configured to log with
console formatting. If logging to a file, log rotation can be configured to manage the volume of logs. For a complete description of all logging configuration options, please refer to the Configuration Reference.
The ElastiFlow™ Unified Flow Collector receives IPFIX, Netflow and sFlow network flow records and telemetry over UDP. By default the collector listens on all interfaces of the system where it is running. However it can be configured to listen on only a specific interface. The default UDP listening port is
9995, which can also be configured.
It is recommended that the collector be configured to request a larger than default receive buffer size. The size, in bytes, that the collector will request be created by the operating system kernel is configurable. If this value exceeds the maximum allowed buffer size (
net.core.rmem_max on Linux), the maximum allowed size is used.
Received UDP PDUs are queued prior to being processed by an available decoder. This allows the collector to better handle temporary spikes of received packets without loosing data. The size of the queue is automatically set based on the number of licensed cores. The default is
4096 times the value of
EF_FLOW_LICENSED_CORES. This can be overridden using
EF_FLOW_SERVER_UDP_PACKET_STREAM_MAX_SIZE. For a complete description of all UDP input configuration options, please refer to the Configuration Reference.