Applications
Overview#
The ElastiFlow™ Unified Flow Collector will cache application attribues learned from option data.
EF_FLOW_DECODER_ENRICH_APP_CACHE_SIZE#
This setting specifies the maximum number of device specific application IDs which will be held in the cache.
- Default
8388608
EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE#
While various flow record sources send the mapping of application IDs to applications names as option data. In cases where no application identity technology is available, applications can be statically specified by IP address and port number. The application name specified will be used to populate the app.name (for the default CODEX schema) or network.application (if using the optional ECS schema) field.
- Valid Values
true,false
- Default
false
EF_FLOW_DECODER_ENRICH_APP_USERDEF_PRIVATE#
If user-defined application name are enabled (EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE is true) this option specifies whether application names will be checked for private IP addresses.
- Valid Values
true,false
- Default
true
EF_FLOW_DECODER_ENRICH_APP_USERDEF_PUBLIC#
If user-defined application name are enabled (EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE is true) this option specifies whether application names will be checked for public IP addresses.
- Valid Values
true,false
- Default
true
EF_FLOW_DECODER_ENRICH_APP_USERDEF_PATH#
If user-defined IP/port to application mappings are enabled (EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE is true) this setting specifies the path to this file.
note
If the value of the path begins with a / this path will be interpreted as an absolute file system path. Otherwise it will be interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.
An example of the format of this file is:
- Default
settings/apps_user_defined.yml