Maxmind
EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_ENABLE#
The ElastiFlow™ Unified Flow Collector will attempt to determine attributes associated with the autonomous system to which a public IP address belongs. This setting determines whether this feature is enabled.
- Valid Values
true,false
- Default
false
EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_CACHE_SIZE#
If enrichment with autonomous system attributes is enabled (EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_ENABLE is true), attributes determined by lookup will be cached to improve performance. This setting specifies the maximum number of IP address for which attributes will be held in the cache.
- Default
8388608
EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_PATH#
If enrichment with autonomous system attributes is enabled using lookups in a Maxmind database (EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_ENABLE is true), this setting specifies the path to the Maxmind database.
note
If the value of the path begins with a / this path will be interpreted as an absolute file system path. Otherwise it will be interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.
- Default
maxmind/GeoLite2-ASN.mmdb
EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE#
The ElastiFlow™ Unified Flow Collector will attempt to determine GeoIP attributes associated with a public IP address. This setting determines whether this feature is enabled.
- Valid Values
true,false
- Default
false
EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_CACHE_SIZE#
If enrichment with GeoIP attributes is enabled (EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE is true), attributes determined by lookup will be cached to improve performance. This setting specifies the maximum number of IP address for which attributes will be held in the cache.
- Default
8388608
EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_PATH#
If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE is true), this setting specifies the path to the Maxmind database.
note
If the value of the path begins with a / this path will be interpreted as an absolute file system path. Otherwise it will be interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.
- Default
maxmind/GeoLite2-City.mmdb
EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_VALUES#
If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE is true), this setting specifies the GeoIP attributes from the Maxmind database to be included in the resulting record.
- Valid Values
city,continent,continent_code,country,country_code,location,timezone
- Default
city,country,country_code,location,timezone
EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_LANG#
If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE is true), this setting specifies the language which should be used for any language-specifc values.
- Valid Values
de- Germanen- Englishes- Spanishfr- Frenchja- Japanesept-BR- Brazilian Portugueseru- Russianzh-CN- Simplified Chinese
- Default
en
EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_PATH#
For more control of when enrichment is applied, IP addresses can be included or excluded from GeoIP enrichment by Autonomous System or CIDR. This setting specifies the path to this file.
note
If the value of the path begins with a / this path will be interpreted as an absolute file system path. Otherwise it will be interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.
For more details on the format of this file and the behavior of the include/exclude functionality refer to: Scoping Enrichment with Include/Exclude
- Default
''
- Recommended
hostname/incl_excl.yml
EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE#
The file specified in EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_PATH can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.
- Default
15