Overview

The ElastiFlow Unified Flow Collector will cache application attributes learned from option data. It also allows users to define application attributes by any combination of IP/CIDR/IP range and port/port range.

EF_PROCESSOR_ENRICH_APP_ID_ENABLE

• Valid Values

  • true, false

• Default

  • false

EF_PROCESSOR_ENRICH_APP_ID_PATH

If vendor-defined AppID to application attribute mappings is enabled (EF_PROCESSOR_ENRICH_APP_ID_ENABLE is true) this setting specifies the path to the file.

• Default

  • /etc/elastiflow/app/appid.yml

EF_PROCESSOR_ENRICH_APP_ID_TTL

The length of time the application attributes will be cached after they are initially fetched.

:::note Changes to the underlying files will not be picked up, even after the files have been re-loaded at the refresh interval, until the AppID has expired from the cache. :::

• Default

  • 7200

EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE

While various flow record sources send the mapping of application IDs to applications names as option data. In cases where no application identity technology is available, applications can be statically specified by IP address and port number.

• Valid Values

  • true, false

• Default

  • false

EF_PROCESSOR_ENRICH_APP_IPPORT_PATH

If user-defined IP/port to application mappings is enabled (EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE is true) this setting specifies the path to this file.

An example of the format of this file is:

192.168.1.0/24:
  8090:
    name: "Synergy-cidr-port"
    category: "category-cidr-port"
    subcategory: "subcategory-cidr-port"
    metadata:
      ".location": "austin-cidr-port"
      "business.unit": "finance-cidr-port"
      "dev.unit": "dev-cidr-port"
      "app.count": 27

192.168.1.1-192.168.1.20:
  8090:
    name: "Synergy-iprange-port"
    category: "category-iprange-port"
    subcategory: "subcategory-iprange-port"
    metadata:
      .location: "austin-iprange-port"

  8090-9000:
    name: "Synergy-iprange-portrange"
    category: "category-iprange-portrange"
    subcategory: "subcategory-iprange-portrange"
    metadata:
      .location: "austin-iprange-portrange"
      business.unit: "finance-iprange-portrange"
      qa.unit: "qa-iprange-portrange"
      finace.unit: "finance-iprange-portrange"

192.168.1.1:
  8090:
    name: "Synergy-ip-port"
    category: "category-ip-port"
    subcategory: "subcategory-ip-port"
    metadata:
      .location: "austin-ip-port"
      business.unit: "finance-ip-port"

• Default

  • /etc/elastiflow/app/ipport.yml

EF_PROCESSOR_ENRICH_APP_IPPORT_TTL

The length of time the application attributes will be cached after they are initially fetched.

:::note Changes to the underlying files will not be picked up, even after the files have been re-loaded at the refresh interval, until the IP/Port has expired from the cache. :::

• Default

  • 7200

EF_PROCESSOR_ENRICH_APP_IPPORT_PRIVATE

If user-defined application attributes are enabled (EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE is true) this option specifies whether application names will be checked for private IP addresses.

• Valid Values

  • true, false

• Default

  • true

EF_PROCESSOR_ENRICH_APP_IPPORT_PUBLIC

If user-defined application attributes are enabled (EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE is true) this option specifies whether application names will be checked for public IP addresses.

• Valid Values

  • true, false

• Default

  • false

EF_PROCESSOR_ENRICH_APP_REFRESH_RATE

The files defined for application attribute enrichment can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.

• Default

  • 15