Decoder/Processor

EF_PROCESSOR_DECODE_IPFIX_ENABLE

Set to true to enable decoding of IPFIX records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_NETFLOW1_ENABLE

Set to true to enable decoding of Netflow v1 records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_NETFLOW5_ENABLE

Set to true to enable decoding of Netflow v5 records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_NETFLOW6_ENABLE

Set to true to enable decoding of Netflow v6 records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_NETFLOW7_ENABLE

Set to true to enable decoding of Netflow v7 records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_NETFLOW9_ENABLE

Set to true to enable decoding of Netflow v9 records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_SFLOW5_ENABLE

Set to true to enable decoding of sFlow v5 records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_SFLOW_FLOWS_ENABLE

Set to true to enable decoding of sFlow flow_sample and flow_sample_expanded records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_SFLOW_FLOWS_KEEP_SAMPLES

When set to true, the packet data from an sFlow sampled_header record will be stored in l2.section.sample as a hex-encoded string.

• Valid Values

  • true, false

• Default

  • false

EF_PROCESSOR_DECODE_SFLOW_COUNTERS_ENABLE

Set to true to enable decoding of sFlow counters_sample and counters_sample_expanded records.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_DECODE_MAX_RECORDS_PER_PACKET

Corrupt packets can cause issues with the decoding of records. One way this is handled is by limiting the number of records that will be decoded from a packet. The default value is 64. When the network between the device and collector has an MTU larger than 1500, the default value may be exceeded by normal packets. This new configuration option allows the threshold to be increased when necessary.

• Default

  • 64

EF_PROCESSOR_TRANSLATE_KEEP_IDS

Specifies which identifier values will be included in the final dataset.

• Valid Values

  • none - All identifiers are removed from the final dataset.

  • default - Most identifiers are removed from the final dataset. However some identifiers which are required for common use-cases (e.g. raw protocol port values) are included.

  • all - All identifiers are included in the final dataset.

• Default

  • default

EF_PROCESSOR_ENRICH_ASN_PREF

If enrichment with autonomous system attributes is enabled, but the autonomous system is already indicated directly in the flow record data, this setting specifies which source is preferred. If the preferred source is not available for a given record, the decoder will fall-back to the alternate option.

• Valid Values

  • lookup - prefer the autonomous system determined by lookup.

  • flow - prefer the autonomous system indicated directly in the flow record data.

• Default

  • lookup

EF_PROCESSOR_ENRICH_JOIN_ASN

Some features require that related values from separate fields are stored as an array in a single field. Such a "join" of autonomous system related fields is enabled when this setting is true.

:::info If records are being output to Elasticsearch this setting should be set to true. :::

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_ENRICH_JOIN_GEOIP

Some features require that related values from separate fields are stored as an array in a single field. Such a "join" of GeoIP related fields is enabled when this setting is true.

:::info If records are being output to Elasticsearch this setting should be set to true. :::

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_ENRICH_JOIN_NETATTR

Some features require that related values from separate fields are stored as an array in a single field. Such a "join" of network attribute related fields is enabled when this setting is true.

:::info If records are being output to Elasticsearch this setting should be set to true. :::

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_ENRICH_JOIN_SUBNETATTR

Some features require that related values from separate fields are stored as an array in a single field. Such a "join" of IP subnetwork attribute related fields is enabled when this setting is true.

:::info If records are being output to Elasticsearch this setting should be set to true. :::

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_ENRICH_JOIN_SEC

Some features require that related values from separate fields are stored as an array in a single field. Such a "join" of security attribute related fields is enabled when this setting is true.

:::info If records are being output to Elasticsearch this setting should be set to true. :::

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_EXPAND_CLISRV

The collector will infer the client/server relationship of two source/destination endpoints. The is setting determines whether such inference is enabled or not.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_EXPAND_CLISRV_NO_L4_PORTS

For flow records related to protocols which include no layer-4 ports, the collector will infer the client/server relationship of the two source/destination endpoints using the order of the IP addresses. The is setting determines whether such inference is enabled or not.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_IFA_ENABLE

• Valid Values

  • true, false

• Default

  • false

EF_PROCESSOR_IFA_WORKER_SIZE

Specifies the number of IFA Hop record processors to start.

• Default

  • 4 * the number of license units