Applications
Overview
The ElastiFlow Unified Flow Collector will cache application attributes learned from option data. It also allows users to define application attributes by any combination of IP/CIDR/IP range and port/port range.
EF_PROCESSOR_ENRICH_APP_ID_ENABLE
- Valid Values
true,false
- Default
false
EF_PROCESSOR_ENRICH_APP_ID_PATH
If vendor-defined AppID to application attribute mappings is enabled (EF_PROCESSOR_ENRICH_APP_ID_ENABLE is true) this setting specifies the path to the file.
- Default
/etc/elastiflow/app/appid.yml
EF_PROCESSOR_ENRICH_APP_ID_TTL
The length of time the application attributes will be cached after they are initially fetched.
Changes to the underlying files will not be picked up, even after the files have been re-loaded at the refresh interval, until the AppID has expired from the cache.
- Default
7200
EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE
While various flow record sources send the mapping of application IDs to applications names as option data. In cases where no application identity technology is available, applications can be statically specified by IP address and port number.
- Valid Values
true,false
- Default
false
EF_PROCESSOR_ENRICH_APP_IPPORT_PATH
If user-defined IP/port to application mappings is enabled (EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE is true) this setting specifies the path to this file.
An example of the format of this file is:
192.168.1.0/24:
8090:
name: "Synergy-cidr-port"
category: "category-cidr-port"
subcategory: "subcategory-cidr-port"
metadata:
".location": "austin-cidr-port"
"business.unit": "finance-cidr-port"
"dev.unit": "dev-cidr-port"
"app.count": 27
192.168.1.1-192.168.1.20:
8090:
name: "Synergy-iprange-port"
category: "category-iprange-port"
subcategory: "subcategory-iprange-port"
metadata:
.location: "austin-iprange-port"
8090-9000:
name: "Synergy-iprange-portrange"
category: "category-iprange-portrange"
subcategory: "subcategory-iprange-portrange"
metadata:
.location: "austin-iprange-portrange"
business.unit: "finance-iprange-portrange"
qa.unit: "qa-iprange-portrange"
finace.unit: "finance-iprange-portrange"
192.168.1.1:
8090:
name: "Synergy-ip-port"
category: "category-ip-port"
subcategory: "subcategory-ip-port"
metadata:
.location: "austin-ip-port"
business.unit: "finance-ip-port"
- Default
/etc/elastiflow/app/ipport.yml
EF_PROCESSOR_ENRICH_APP_IPPORT_TTL
The length of time the application attributes will be cached after they are initially fetched.
Changes to the underlying files will not be picked up, even after the files have been re-loaded at the refresh interval, until the IP/Port has expired from the cache.
- Default
7200
EF_PROCESSOR_ENRICH_APP_IPPORT_PRIVATE
If user-defined application attributes are enabled (EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE is true) this option specifies whether application names will be checked for private IP addresses.
- Valid Values
true,false
- Default
true
EF_PROCESSOR_ENRICH_APP_IPPORT_PUBLIC
If user-defined application attributes are enabled (EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE is true) this option specifies whether application names will be checked for public IP addresses.
- Valid Values
true,false
- Default
false
EF_PROCESSOR_ENRICH_APP_REFRESH_RATE
The files defined for application attribute enrichment can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.
- Default
15