Docs
6.4
6.56.4
6.4
6.56.4
  • ElastiFlow Documentation
  • Unified Flow Collector
    • General Configuration
    • Changelog
    • Maxmind GeoIP2 and GeoLite2
    • RiskIQ PassiveTotal
    • Network Interfaces
    • User-Defined Metadata
    • Docker
    • Linux
    • Unified Flow Collector Introduction
    • System Requirements
    • Supported IEs
    • AWS VPC Flow Log IEs
    • IPFIX IEs
    • Netflow IEs
    • sFlow IEs
  • Unified SNMP Collector
    • Device Groups
    • Changelog
    • Devices
    • Downloading Definitions
    • Enumerations
    • Objects
    • Object Groups
    • User-Defined Metadata
    • Docker
    • Network Interfaces
    • United SNMP Collector Introduction
    • Linux
    • Scheduling Rediscovery
  • Monitoring ElastiFlow
    • Liveness & Readiness
    • Metrics
    • Prometheus & Grafana
  • Configuration Reference
    • YAML Configuration Files
    • Configuration Reference Overview
    • Common
      • API
      • Licensing
      • Overview
      • Logging
      • HTTP output
      • Elasticsearch output
      • Kafka output
      • Monitor output
      • OpenSearch output
      • Splunk output
      • stdout output
      • Processor
    • Unified Flow Collector
      • Overview
      • Community/Conversation IDs
      • EF_PROCESSOR_ENRICH_TOTALS_IF_NO_DELTAS
      • Overview
      • RiskIQ PassiveTotal
      • Maxmind
      • User-Defined Metadata
      • Overview
      • Overview
      • User-Defined Metadata
      • Overview
      • Benchmark Input
      • Netflow/IPFIX/sFlow (UDP)
      • Licensing
      • Decoder/Processor
      • Sample Rate
      • Configuration Changes
    • Unified SNMP Collector
      • User-Defined Metadata
      • Overview
      • Licensing
      • SNMP Poller
      • EF_PROCESSOR_SNMP_ENUM_DEFINITIONS_DIRECTORY_PATH
  • API Reference
    • API Reference Overview
    • SNMP Operations
  • Data Platforms
    • Elastic
      • Basic Cluster
      • Advanced Cluster
      • Single Server
      • Multi-Tier Cluster
      • Single "Lab" Server
      • Elasticsearch
      • ElastiFlow vs. Filebeat and Logstash
      • RHEL/CentOS
      • Ubuntu/Debian
      • Kibana
      • ML
        • Network Security
        • Machine Learning
        • Availability
          • Network Availability
          • DHCP
          • LDAP
          • DNS
          • NTP
          • RADIUS
          • TCP Sessions
        • Network Security Activity
          • Rare Autonomous System
          • Network Activity
          • Rare Conversation
          • Rare Geolocation
        • Network Security Brute Force
          • Brute Force CLI Access
          • Brute Force Remote Desktop Access
          • Brute Force Attacks
        • Network Security DDoS
          • Denial-of-Service
          • ICMP Flood Attack
          • SYN Flood Attack
          • TCP DDoS Attack
          • UDP Amplification Attack
        • Network Security Recon
          • ICMP Scan
          • Reconnaissance
          • Port Scan
        • Performance
          • Unusual ASN Traffic Volume
          • Unusual Network Interface Traffic Volume
          • Network Performance
    • Opensearch
      • Dashboards
      • Auth Sig V4
    • Splunk
      • Default Search Macro
      • Configuring Data Input & Index
      • Splunk App Installation
    • Output Configuration
  • Additional Guides
    • Catalyst (sFlow)
    • FortiGate
    • hsflowd
    • Configuring Flow Sampling on Juniper Routers
    • Junos OS (sFlow)
    • MikroTik RouterOS
    • OpenWRT (softflowd)
    • Ubiquiti EdgeRouter
    • SonicWall
    • Junos OS
    • Extending SNMP Device Support
    • Flow Device Support Overview
    • SNMP Device Support Overview
    • Generating A Support Bundle
  • FAQ
    • Flows stopped showing up in Kibana (Disk(s) Full)
    • Common reasons why you have discrepancies between ElastiFlow data & reality
    • What Are Snapshots?
    • Importing the wrong dashboards (No data)
  • Knowledge Base
    • Config
      • Elasticsearch Authentication Failure
      • CA Certificate Path Incorrect
      • license/error Invalid Segments
    • Flow
      • Bidirectional Flow Support
      • Configure the UDP Input
      • Flow Records Not Received
      • Netflow v9/IPFIX Template Not Receieved
      • Unsupported sFlow Structures
    • General
      • License Has Expired
      • License Agreement Not Accepted
    • Install
      • .deb Upgrade Fails File Overwrite
    • Operation
      • Flow Collector Queues 90% Full
      • Dashboard Updates
      • Change elastiflow-* Index Name?
  • Elastic Stack Deployment
  • Download Links
Powered by GitBook
On this page
  • Licensing Options
  • Logging Options
  • Metrics Options
  • Flow UDP Server Options
  • AWS VPC Flow Logs Options
  • Decoding Options
  • Application Enrichment Options
  • IP Address Enrichment Options
  • Network Interface Enrichment Options
  • Post-Processing Enrichment Options
  • stdout Output Options
  • Monitor Output Options
  • Elasticsearch Output Options
  • OpenSearch Output Options
  • Splunk Output Options
  • Kafka Output Options
  • Cribl Stream Output Options
  • Generic HTTP Output Options
  • RiskIQ Output Options
  1. Configuration Reference
  2. Unified Flow Collector

Configuration Changes

To improve the consistency of configuration options and prepare for future features on ElastiFlow's roadmap, many of the configuration options have been renamed or otherwise changed. The following is a list of all changes.

:::tip You may want to start with a clean 6.0 configuration file from either our provided docker-compose.yml example, or the flowcoll.conf file in the native packages. You can then provide only the modifications necessary to add to the new configuration. :::

Licensing Options

5.6.x Option
Status
Notes for 6.0

___

NEW

EF_LICENSE_ACCEPTED

EF_FLOW_ACCOUNT_ID

RENAMED

EF_ACCOUNT_ID

EF_FLOW_LICENSE_KEY

✓

Unchanged

EF_FLOW_LICENSED_UNITS

✓

Unchanged

Logging Options

The only change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_LOGGER_LEVEL

RENAMED

EF_LOGGER_LEVEL

EF_FLOW_LOGGER_ENCODING

RENAMED

EF_LOGGER_ENCODING

EF_FLOW_LOGGER_FILE_LOG_ENABLE

RENAMED

EF_LOGGER_FILE_LOG_ENABLE

EF_FLOW_LOGGER_FILE_LOG_FILENAME

RENAMED

EF_LOGGER_FILE_LOG_FILENAME

EF_FLOW_LOGGER_FILE_LOG_MAX_SIZE

RENAMED

EF_LOGGER_FILE_LOG_MAX_SIZE

EF_FLOW_LOGGER_FILE_LOG_MAX_AGE

RENAMED

EF_LOGGER_FILE_LOG_MAX_AGE

EF_FLOW_LOGGER_FILE_LOG_MAX_BACKUPS

RENAMED

EF_LOGGER_FILE_LOG_MAX_BACKUPS

EF_FLOW_LOGGER_FILE_LOG_COMPRESS

RENAMED

EF_LOGGER_FILE_LOG_COMPRESS

Metrics Options

5.6.x Option
Status
Notes for 6.0

___

NEW

EF_INSTANCE_NAME

___

NEW

EF_METRICS_PORT

___

NEW

EF_METRICS_TLS_ENABLE

___

NEW

EF_METRICS_TLS_CERT_FILEPATH

___

NEW

EF_METRICS_TLS_KEY_FILEPATH

Flow UDP Server Options

5.6.x Option
Status
Notes for 6.0

EF_FLOW_SERVER_UDP_IP

✓

Unchanged

EF_FLOW_SERVER_UDP_PORT

✓

Unchanged

EF_FLOW_SERVER_UDP_READ_BUFFER_MAX_SIZE

✓

Unchanged

EF_FLOW_SERVER_UDP_PACKET_STREAM_MAX_SIZE

RENAMED

EF_FLOW_PACKET_STREAM_MAX_SIZE

AWS VPC Flow Logs Options

5.6.x Option
Status
Notes for 6.0

___

NEW

EF_AWS_VPC_FLOW_LOG_ENABLE

___

NEW

EF_AWS_VPC_FLOW_LOG_S3_BUCKET

___

NEW

EF_AWS_VPC_FLOW_LOG_PREFIX

___

NEW

AWS_REGION

___

NEW

AWS_ACCESS_KEY_ID

___

NEW

AWS_SECRET_ACCESS_KEY

Decoding Options

5.6.x Option
Status
Notes for 6.0

EF_FLOW_DECODER_POOL_SIZE

RENAMED

EF_PROCESSOR_POOL_SIZE

EF_FLOW_DECODER_SETTINGS_PATH

✕

REMOVED: Absolute paths MUST now be used for all option values that define a path to a file or directory.

EF_FLOW_DECODER_IPFIX_ENABLE

RENAMED

EF_PROCESSOR_DECODE_IPFIX_ENABLE

EF_FLOW_DECODER_NETFLOW1_ENABLE

RENAMED

EF_PROCESSOR_DECODE_NETFLOW1_ENABLE

EF_FLOW_DECODER_NETFLOW5_ENABLE

RENAMED

EF_PROCESSOR_DECODE_NETFLOW5_ENABLE

EF_FLOW_DECODER_NETFLOW6_ENABLE

RENAMED

EF_PROCESSOR_DECODE_NETFLOW6_ENABLE

EF_FLOW_DECODER_NETFLOW7_ENABLE

RENAMED

EF_PROCESSOR_DECODE_NETFLOW7_ENABLE

EF_FLOW_DECODER_NETFLOW9_ENABLE

RENAMED

EF_PROCESSOR_DECODE_NETFLOW9_ENABLE

EF_FLOW_DECODER_SFLOW5_ENABLE

RENAMED

EF_PROCESSOR_DECODE_SFLOW5_ENABLE

EF_FLOW_DECODER_SFLOW_FLOWS_ENABLE

RENAMED

EF_PROCESSOR_DECODE_SFLOW_FLOWS_ENABLE

EF_FLOW_DECODER_SFLOW_FLOWS_KEEP_SAMPLES

RENAMED

EF_PROCESSOR_DECODE_SFLOW_FLOWS_KEEP_SAMPLES

EF_FLOW_DECODER_SFLOW_COUNTERS_ENABLE

RENAMED

EF_PROCESSOR_DECODE_SFLOW_COUNTERS_ENABLE

EF_FLOW_DECODER_TRANSLATE_KEEP_IDS

RENAMED

EF_PROCESSOR_TRANSLATE_KEEP_IDS

Application Enrichment Options

5.6.x Option
Status
Notes for 6.0

___

NEW

EF_PROCESSOR_ENRICH_APP_ID_ENABLE

___

NEW

EF_PROCESSOR_ENRICH_APP_ID_PATH

___

NEW

EF_PROCESSOR_ENRICH_APP_ID_TTL

EF_FLOW_DECODER_ENRICH_APP_CACHE_SIZE

✕

REMOVED: TTL is now used to flush old cache entries.

EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE

EF_FLOW_DECODER_ENRICH_APP_USERDEF_PRIVATE

RENAMED

EF_PROCESSOR_ENRICH_APP_IPPORT_PRIVATE

EF_FLOW_DECODER_ENRICH_APP_USERDEF_PUBLIC

RENAMED

EF_PROCESSOR_ENRICH_APP_IPPORT_PUBLIC

EF_FLOW_DECODER_ENRICH_APP_USERDEF_PATH

RENAMED

EF_PROCESSOR_ENRICH_APP_IPPORT_PATH

___

NEW

EF_PROCESSOR_ENRICH_APP_IPPORT_TTL

___

NEW

EF_PROCESSOR_ENRICH_APP_REFRESH_RATE

:::danger While the configuration options for IP/port to application attributes enrichment are renamed, the format of the file pointed to by EF_PROCESSOR_ENRICH_APP_IPPORT_PATH has changed significantly. Please refer to the configuration reference page for an example. :::

IP Address Enrichment Options

The primary change is that FLOW_DECODER has been renamed to PROCESSOR in the option names.

5.6.x Option
Status
Notes for 6.0

___

NEW

EF_PROCESSOR_ENRICH_OPTION_ENUM_TTL

EF_FLOW_DECODER_ENRICH_IPADDR_TTL

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_TTL

EF_FLOW_DECODER_ENRICH_IPADDR_METADATA_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_METADATA_ENABLE

EF_FLOW_DECODER_ENRICH_IPADDR_METADATA_USERDEF_PATH

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_METADATA_USERDEF_PATH

EF_FLOW_DECODER_ENRICH_IPADDR_METADATA_REFRESH_RATE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_METADATA_REFRESH_RATE

EF_FLOW_DECODER_ENRICH_DNS_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE

EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_IP

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_IP

EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_TIMEOUT

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_TIMEOUT

EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PRIVATE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PRIVATE

EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PUBLIC

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PUBLIC

EF_FLOW_DECODER_ENRICH_DNS_USERDEF_PATH

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH

EF_FLOW_DECODER_ENRICH_DNS_USERDEF_REFRESH_RATE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_REFRESH_RATE

EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_PATH

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_PATH

EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_REFRESH_RATE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_REFRESH_RATE

EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_ENABLE

EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_PATH

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_PATH

EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE

EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_PATH

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_PATH

EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_VALUES

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_VALUES

EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_LANG

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_LANG

EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_PATH

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_PATH

EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENDPOINT

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENDPOINT

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_REFRESH_INTERVAL

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_REFRESH_INTERVAL

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATH

EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE

EF_FLOW_DECODER_ENRICH_RISKIQ_API_USER

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_USER

EF_FLOW_DECODER_ENRICH_RISKIQ_API_KEY

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_KEY

EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT

RENAMED

EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUT

EF_FLOW_DECODER_ENRICH_ASN_PREF

RENAMED

EF_PROCESSOR_ENRICH_ASN_PREF

Network Interface Enrichment Options

The only change is that FLOW_DECODER has been renamed to PROCESSOR in the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_DECODER_ENRICH_NETIF_TTL

RENAMED

EF_PROCESSOR_ENRICH_NETIF_TTL

EF_FLOW_DECODER_ENRICH_NETIF_METADATA_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_NETIF_METADATA_ENABLE

EF_FLOW_DECODER_ENRICH_NETIF_METADATA_USERDEF_PATH

RENAMED

EF_PROCESSOR_ENRICH_NETIF_METADATA_USERDEF_PATH

EF_FLOW_DECODER_ENRICH_NETIF_METADATA_REFRESH_RATE

RENAMED

EF_PROCESSOR_ENRICH_NETIF_METADATA_REFRESH_RATE

EF_FLOW_DECODER_ENRICH_NETIF_FLOW_OPTIONS_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_NETIF_FLOW_OPTIONS_ENABLE

EF_FLOW_DECODER_ENRICH_NETIF_SNMP_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_NETIF_SNMP_ENABLE

EF_FLOW_DECODER_ENRICH_NETIF_SNMP_PORT

RENAMED

EF_PROCESSOR_ENRICH_NETIF_SNMP_PORT

EF_FLOW_DECODER_ENRICH_NETIF_SNMP_VERSION

RENAMED

EF_PROCESSOR_ENRICH_NETIF_SNMP_VERSION

EF_FLOW_DECODER_ENRICH_NETIF_SNMP_COMMUNITIES

RENAMED

EF_PROCESSOR_ENRICH_NETIF_SNMP_COMMUNITIES

EF_FLOW_DECODER_ENRICH_NETIF_SNMP_TIMEOUT

RENAMED

EF_PROCESSOR_ENRICH_NETIF_SNMP_TIMEOUT

EF_FLOW_DECODER_ENRICH_NETIF_SNMP_RETRIES

RENAMED

EF_PROCESSOR_ENRICH_NETIF_SNMP_RETRIES

Post-Processing Enrichment Options

5.6.x Option
Status
Notes for 6.0

EF_FLOW_DECODER_ENRICH_TOTALS_IF_NO_DELTAS

RENAMED

EF_PROCESSOR_ENRICH_TOTALS_IF_NO_DELTAS

EF_FLOW_DECODER_ENRICH_SAMPLERATE_CACHE_SIZE

RENAMED

EF_PROCESSOR_ENRICH_SAMPLERATE_CACHE_SIZE

EF_FLOW_DECODER_ENRICH_SAMPLERATE_USERDEF_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_SAMPLERATE_USERDEF_ENABLE

EF_FLOW_DECODER_ENRICH_SAMPLERATE_USERDEF_PATH

RENAMED

EF_PROCESSOR_ENRICH_SAMPLERATE_USERDEF_PATH

___

NEW

EF_PROCESSOR_ENRICH_SAMPLERATE_USERDEF_OVERRIDE

EF_FLOW_DECODER_ENRICH_COMMUNITYID_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_COMMUNITYID_ENABLE

EF_FLOW_DECODER_ENRICH_COMMUNITYID_SEED

RENAMED

EF_PROCESSOR_ENRICH_COMMUNITYID_SEED

EF_FLOW_DECODER_ENRICH_CONVERSATIONID_ENABLE

RENAMED

EF_PROCESSOR_ENRICH_CONVERSATIONID_ENABLE

EF_FLOW_DECODER_ENRICH_CONVERSATIONID_SEED

RENAMED

EF_PROCESSOR_ENRICH_CONVERSATIONID_SEED

EF_FLOW_DECODER_ENRICH_JOIN_ASN

RENAMED

EF_PROCESSOR_ENRICH_JOIN_ASN

EF_FLOW_DECODER_ENRICH_JOIN_GEOIP

RENAMED

EF_PROCESSOR_ENRICH_JOIN_GEOIP

EF_FLOW_DECODER_ENRICH_JOIN_SEC

RENAMED

EF_PROCESSOR_ENRICH_JOIN_SEC

EF_FLOW_DECODER_ENRICH_JOIN_NETATTR

RENAMED

EF_PROCESSOR_ENRICH_JOIN_NETATTR

EF_FLOW_DECODER_ENRICH_JOIN_SUBNETATTR

RENAMED

EF_PROCESSOR_ENRICH_JOIN_SUBNETATTR

EF_FLOW_DECODER_DURATION_PRECISION

RENAMED

EF_PROCESSOR_DURATION_PRECISION

EF_FLOW_DECODER_TIMESTAMP_PRECISION

RENAMED

EF_PROCESSOR_TIMESTAMP_PRECISION

EF_FLOW_DECODER_PERCENT_NORM

RENAMED

EF_PROCESSOR_PERCENT_NORM

EF_FLOW_DECODER_ENRICH_EXPAND_CLISRV

RENAMED

EF_PROCESSOR_EXPAND_CLISRV

___

NEW

EF_PROCESSOR_EXPAND_CLISRV_NO_L4_PORTS

EF_FLOW_DECODER_ENRICH_KEEP_CPU_TICKS

RENAMED

EF_PROCESSOR_KEEP_CPU_TICKS

EF_FLOW_DECODER_ENRICH_DROP_FIELDS

RENAMED

EF_PROCESSOR_DROP_FIELDS

EF_FLOW_RECORD_STREAM_MAX_SIZE

✕

REMOVED: The record stream size has been optimized for peak performance and requires no adjustment.

stdout Output Options

The only change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_STDOUT_ENABLE

RENAMED

EF_OUTPUT_STDOUT_ENABLE

EF_FLOW_OUTPUT_STDOUT_FORMAT

RENAMED

EF_OUTPUT_STDOUT_FORMAT

Monitor Output Options

The only change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_MONITOR_ENABLE

RENAMED

EF_OUTPUT_MONITOR_ENABLE

EF_FLOW_OUTPUT_MONITOR_INTERVAL

RENAMED

EF_OUTPUT_MONITOR_INTERVAL

Elasticsearch Output Options

The primary change is that FLOW_ has been removed from the option names. A few options have been removed.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_ELASTICSEARCH_ENABLE

RENAMED

EF_OUTPUT_ELASTICSEARCH_ENABLE

EF_FLOW_OUTPUT_ELASTICSEARCH_ECS_ENABLE

RENAMED

EF_OUTPUT_ELASTICSEARCH_ECS_ENABLE

EF_FLOW_OUTPUT_ELASTICSEARCH_BATCH_DEADLINE

RENAMED

EF_OUTPUT_ELASTICSEARCH_BATCH_DEADLINE

EF_FLOW_OUTPUT_ELASTICSEARCH_BATCH_MAX_BYTES

RENAMED

EF_OUTPUT_ELASTICSEARCH_BATCH_MAX_BYTES

EF_FLOW_OUTPUT_ELASTICSEARCH_TIMESTAMP_SOURCE

RENAMED

EF_OUTPUT_ELASTICSEARCH_TIMESTAMP_SOURCE

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PERIOD

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_PERIOD

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX

EF_FLOW_OUTPUT_ELASTICSEARCH_DROP_FIELDS

RENAMED

EF_OUTPUT_ELASTICSEARCH_DROP_FIELDS

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ENABLE

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ENABLE

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_OVERWRITE

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_OVERWRITE

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_SHARDS

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_SHARDS

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REPLICAS

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REPLICAS

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_CODEC

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_CODEC

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_ROLLOVER_ALIAS

✕

REMOVED: The rollover alias is generated automatically by the collector.

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ISM_POLICY

✕

REMOVED: The Elasticsearch output no longer supports OpenSearch-specific features.

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PIPELINE_DEFAULT

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_PIPELINE_DEFAULT

EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PIPELINE_FINAL

RENAMED

EF_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_PIPELINE_FINAL

EF_FLOW_OUTPUT_ELASTICSEARCH_ADDRESSES

RENAMED

EF_OUTPUT_ELASTICSEARCH_ADDRESSES

EF_FLOW_OUTPUT_ELASTICSEARCH_USERNAME

RENAMED

EF_OUTPUT_ELASTICSEARCH_USERNAME

EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD

RENAMED

EF_OUTPUT_ELASTICSEARCH_PASSWORD

EF_FLOW_OUTPUT_ELASTICSEARCH_CLOUD_ID

RENAMED

EF_OUTPUT_ELASTICSEARCH_CLOUD_ID

EF_FLOW_OUTPUT_ELASTICSEARCH_API_KEY

RENAMED

EF_OUTPUT_ELASTICSEARCH_API_KEY

EF_FLOW_OUTPUT_ELASTICSEARCH_CLIENT_CA_CERT_FILEPATH

RENAMED

EF_OUTPUT_ELASTICSEARCH_CLIENT_CA_CERT_FILEPATH

EF_FLOW_OUTPUT_ELASTICSEARCH_CLIENT_CERT_FILEPATH

RENAMED

EF_OUTPUT_ELASTICSEARCH_CLIENT_CERT_FILEPATH

EF_FLOW_OUTPUT_ELASTICSEARCH_CLIENT_KEY_FILEPATH

RENAMED

EF_OUTPUT_ELASTICSEARCH_CLIENT_KEY_FILEPATH

EF_FLOW_OUTPUT_ELASTICSEARCH_TLS_ENABLE

RENAMED

EF_OUTPUT_ELASTICSEARCH_TLS_ENABLE

EF_FLOW_OUTPUT_ELASTICSEARCH_TLS_SKIP_VERIFICATION

RENAMED

EF_OUTPUT_ELASTICSEARCH_TLS_SKIP_VERIFICATION

EF_FLOW_OUTPUT_ELASTICSEARCH_TLS_CA_CERT_FILEPATH

RENAMED

EF_OUTPUT_ELASTICSEARCH_TLS_CA_CERT_FILEPATH

EF_FLOW_OUTPUT_ELASTICSEARCH_RETRY_ENABLE

RENAMED

EF_OUTPUT_ELASTICSEARCH_RETRY_ENABLE

EF_FLOW_OUTPUT_ELASTICSEARCH_RETRY_ON_TIMEOUT_ENABLE

RENAMED

EF_OUTPUT_ELASTICSEARCH_RETRY_ON_TIMEOUT_ENABLE

EF_FLOW_OUTPUT_ELASTICSEARCH_MAX_RETRIES

RENAMED

EF_OUTPUT_ELASTICSEARCH_MAX_RETRIES

EF_FLOW_OUTPUT_ELASTICSEARCH_RETRY_BACKOFF

RENAMED

EF_OUTPUT_ELASTICSEARCH_RETRY_BACKOFF

___

NEW

EF_OUTPUT_ELASTICSEARCH_ALLOWED_RECORD_TYPES

OpenSearch Output Options

The primary change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_OPENSEARCH_ENABLE

RENAMED

EF_OUTPUT_OPENSEARCH_ENABLE

EF_FLOW_OUTPUT_OPENSEARCH_ECS_ENABLE

RENAMED

EF_OUTPUT_OPENSEARCH_ECS_ENABLE

EF_FLOW_OUTPUT_OPENSEARCH_BATCH_DEADLINE

RENAMED

EF_OUTPUT_OPENSEARCH_BATCH_DEADLINE

EF_FLOW_OUTPUT_OPENSEARCH_BATCH_MAX_BYTES

RENAMED

EF_OUTPUT_OPENSEARCH_BATCH_MAX_BYTES

EF_FLOW_OUTPUT_OPENSEARCH_TIMESTAMP_SOURCE

RENAMED

EF_OUTPUT_OPENSEARCH_TIMESTAMP_SOURCE

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_PERIOD

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_PERIOD

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_SUFFIX

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_SUFFIX

EF_FLOW_OUTPUT_OPENSEARCH_DROP_FIELDS

RENAMED

EF_OUTPUT_OPENSEARCH_DROP_FIELDS

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_ENABLE

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_ENABLE

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_OVERWRITE

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_OVERWRITE

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_SHARDS

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_SHARDS

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_REPLICAS

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_REPLICAS

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_CODEC

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_CODEC

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_ISM_POLICY

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_ISM_POLICY

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_PIPELINE_DEFAULT

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_PIPELINE_DEFAULT

EF_FLOW_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_PIPELINE_FINAL

RENAMED

EF_OUTPUT_OPENSEARCH_INDEX_TEMPLATE_PIPELINE_FINAL

EF_FLOW_OUTPUT_OPENSEARCH_ADDRESSES

RENAMED

EF_OUTPUT_OPENSEARCH_ADDRESSES

EF_FLOW_OUTPUT_OPENSEARCH_USERNAME

RENAMED

EF_OUTPUT_OPENSEARCH_USERNAME

EF_FLOW_OUTPUT_OPENSEARCH_PASSWORD

RENAMED

EF_OUTPUT_OPENSEARCH_PASSWORD

EF_FLOW_OUTPUT_OPENSEARCH_CLIENT_CA_CERT_FILEPATH

RENAMED

EF_OUTPUT_OPENSEARCH_CLIENT_CA_CERT_FILEPATH

EF_FLOW_OUTPUT_OPENSEARCH_CLIENT_CERT_FILEPATH

RENAMED

EF_OUTPUT_OPENSEARCH_CLIENT_CERT_FILEPATH

EF_FLOW_OUTPUT_OPENSEARCH_CLIENT_KEY_FILEPATH

RENAMED

EF_OUTPUT_OPENSEARCH_CLIENT_KEY_FILEPATH

EF_FLOW_OUTPUT_OPENSEARCH_TLS_ENABLE

RENAMED

EF_OUTPUT_OPENSEARCH_TLS_ENABLE

EF_FLOW_OUTPUT_OPENSEARCH_TLS_SKIP_VERIFICATION

RENAMED

EF_OUTPUT_OPENSEARCH_TLS_SKIP_VERIFICATION

EF_FLOW_OUTPUT_OPENSEARCH_TLS_CA_CERT_FILEPATH

RENAMED

EF_OUTPUT_OPENSEARCH_TLS_CA_CERT_FILEPATH

EF_FLOW_OUTPUT_OPENSEARCH_RETRY_ENABLE

RENAMED

EF_OUTPUT_OPENSEARCH_RETRY_ENABLE

EF_FLOW_OUTPUT_OPENSEARCH_RETRY_ON_TIMEOUT_ENABLE

RENAMED

EF_OUTPUT_OPENSEARCH_RETRY_ON_TIMEOUT_ENABLE

EF_FLOW_OUTPUT_OPENSEARCH_MAX_RETRIES

RENAMED

EF_OUTPUT_OPENSEARCH_MAX_RETRIES

EF_FLOW_OUTPUT_OPENSEARCH_RETRY_BACKOFF

RENAMED

EF_OUTPUT_OPENSEARCH_RETRY_BACKOFF

___

NEW

EF_OUTPUT_OPENSEARCH_ALLOWED_RECORD_TYPES

Splunk Output Options

The only change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_SPLUNK_HEC_ENABLE

RENAMED

EF_OUTPUT_SPLUNK_HEC_ENABLE

EF_FLOW_OUTPUT_SPLUNK_HEC_CIM_ENABLE

RENAMED

EF_OUTPUT_SPLUNK_HEC_CIM_ENABLE

EF_FLOW_OUTPUT_SPLUNK_HEC_ADDRESSES

RENAMED

EF_OUTPUT_SPLUNK_HEC_ADDRESSES

EF_FLOW_OUTPUT_SPLUNK_HEC_TOKEN

RENAMED

EF_OUTPUT_SPLUNK_HEC_TOKEN

EF_FLOW_OUTPUT_SPLUNK_HEC_BATCH_MAX_BYTES

RENAMED

EF_OUTPUT_SPLUNK_HEC_BATCH_MAX_BYTES

EF_FLOW_OUTPUT_SPLUNK_HEC_BATCH_DEADLINE

RENAMED

EF_OUTPUT_SPLUNK_HEC_BATCH_DEADLINE

EF_FLOW_OUTPUT_SPLUNK_HEC_TLS_ENABLE

RENAMED

EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE

EF_FLOW_OUTPUT_SPLUNK_HEC_TLS_SKIP_VERIFICATION

RENAMED

EF_OUTPUT_SPLUNK_HEC_TLS_SKIP_VERIFICATION

EF_FLOW_OUTPUT_SPLUNK_HEC_TLS_CA_CERT_FILEPATH

RENAMED

EF_OUTPUT_SPLUNK_HEC_TLS_CA_CERT_FILEPATH

EF_FLOW_OUTPUT_SPLUNK_HEC_DROP_FIELDS

RENAMED

EF_OUTPUT_SPLUNK_HEC_DROP_FIELDS

Kafka Output Options

The primary change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_KAFKA_ENABLE

RENAMED

EF_OUTPUT_KAFKA_ENABLE

EF_FLOW_OUTPUT_KAFKA_BROKERS

RENAMED

EF_OUTPUT_KAFKA_BROKERS

EF_FLOW_OUTPUT_KAFKA_VERSION

RENAMED

EF_OUTPUT_KAFKA_VERSION

EF_FLOW_OUTPUT_KAFKA_TOPIC

RENAMED

EF_OUTPUT_KAFKA_TOPIC

EF_FLOW_OUTPUT_KAFKA_CLIENT_ID

RENAMED

EF_OUTPUT_KAFKA_CLIENT_ID

EF_FLOW_OUTPUT_KAFKA_PARTITION_KEY

RENAMED

EF_OUTPUT_KAFKA_PARTITION_KEY

EF_FLOW_OUTPUT_KAFKA_RACK_ID

RENAMED

EF_OUTPUT_KAFKA_RACK_ID

EF_FLOW_OUTPUT_KAFKA_TIMEOUT

RENAMED

EF_OUTPUT_KAFKA_TIMEOUT

EF_FLOW_OUTPUT_KAFKA_SASL_ENABLE

RENAMED

EF_OUTPUT_KAFKA_SASL_ENABLE

EF_FLOW_OUTPUT_KAFKA_SASL_USERNAME

RENAMED

EF_OUTPUT_KAFKA_SASL_USERNAME

EF_FLOW_OUTPUT_KAFKA_SASL_PASSWORD

RENAMED

EF_OUTPUT_KAFKA_SASL_PASSWORD

EF_FLOW_OUTPUT_KAFKA_TLS_ENABLE

RENAMED

EF_OUTPUT_KAFKA_TLS_ENABLE

EF_FLOW_OUTPUT_KAFKA_TLS_CA_CERT_FILEPATH

RENAMED

EF_OUTPUT_KAFKA_TLS_CA_CERT_FILEPATH

EF_FLOW_OUTPUT_KAFKA_TLS_CERT_FILEPATH

RENAMED

EF_OUTPUT_KAFKA_TLS_CERT_FILEPATH

EF_FLOW_OUTPUT_KAFKA_TLS_KEY_FILEPATH

RENAMED

EF_OUTPUT_KAFKA_TLS_KEY_FILEPATH

EF_FLOW_OUTPUT_KAFKA_TLS_SKIP_VERIFICATION

RENAMED

EF_OUTPUT_KAFKA_TLS_SKIP_VERIFICATION

EF_FLOW_OUTPUT_KAFKA_PRODUCER_MAX_MESSAGE_BYTES

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_MAX_MESSAGE_BYTES

EF_FLOW_OUTPUT_KAFKA_PRODUCER_REQUIRED_ACKS

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_REQUIRED_ACKS

EF_FLOW_OUTPUT_KAFKA_PRODUCER_TIMEOUT

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_TIMEOUT

EF_FLOW_OUTPUT_KAFKA_PRODUCER_COMPRESSION

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_COMPRESSION

EF_FLOW_OUTPUT_KAFKA_PRODUCER_COMPRESSION_LEVEL

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_COMPRESSION_LEVEL

EF_FLOW_OUTPUT_KAFKA_PRODUCER_FLUSH_BYTES

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_FLUSH_BYTES

EF_FLOW_OUTPUT_KAFKA_PRODUCER_FLUSH_MESSAGES

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_FLUSH_MESSAGES

EF_FLOW_OUTPUT_KAFKA_PRODUCER_FLUSH_FREQUENCY

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_FLUSH_FREQUENCY

EF_FLOW_OUTPUT_KAFKA_PRODUCER_FLUSH_MAX_MESSAGES

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_FLUSH_MAX_MESSAGES

EF_FLOW_OUTPUT_KAFKA_PRODUCER_RETRY_MAX

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_RETRY_MAX

EF_FLOW_OUTPUT_KAFKA_PRODUCER_RETRY_BACKOFF

RENAMED

EF_OUTPUT_KAFKA_PRODUCER_RETRY_BACKOFF

EF_FLOW_OUTPUT_KAFKA_DROP_FIELDS

RENAMED

EF_OUTPUT_KAFKA_DROP_FIELDS

___

NEW

EF_OUTPUT_KAFKA_ALLOWED_RECORD_TYPES

Cribl Stream Output Options

The only change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_CRIBL_ENABLE

RENAMED

EF_OUTPUT_CRIBL_ENABLE

EF_FLOW_OUTPUT_CRIBL_ADDRESSES

RENAMED

EF_OUTPUT_CRIBL_ADDRESSES

EF_FLOW_OUTPUT_CRIBL_TOKEN

RENAMED

EF_OUTPUT_CRIBL_TOKEN

EF_FLOW_OUTPUT_CRIBL_BATCH_DEADLINE

RENAMED

EF_OUTPUT_CRIBL_BATCH_DEADLINE

EF_FLOW_OUTPUT_CRIBL_BATCH_MAX_BYTES

RENAMED

EF_OUTPUT_CRIBL_BATCH_MAX_BYTES

EF_FLOW_OUTPUT_CRIBL_TLS_ENABLE

RENAMED

EF_OUTPUT_CRIBL_TLS_ENABLE

EF_FLOW_OUTPUT_CRIBL_TLS_SKIP_VERIFICATION

RENAMED

EF_OUTPUT_CRIBL_TLS_SKIP_VERIFICATION

EF_FLOW_OUTPUT_CRIBL_TLS_CA_CERT_FILEPATH

RENAMED

EF_OUTPUT_CRIBL_TLS_CA_CERT_FILEPATH

EF_FLOW_OUTPUT_CRIBL_DROP_FIELDS

RENAMED

EF_OUTPUT_CRIBL_DROP_FIELDS

Generic HTTP Output Options

5.6.x Option
Status
Notes for 6.0

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_ENABLE

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_ECS_ENABLE

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_BATCH_DEADLINE

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_BATCH_MAX_BYTES

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_ADDRESSES

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_USERNAME

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_PASSWORD

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_TLS_ENABLE

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_TLS_SKIP_VERIFICATION

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_TLS_CA_CERT_FILEPATH

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_DROP_FIELDS

___

NEW

EF_FLOW_OUTPUT_GENERIC_HTTP_TIMESTAMP_SOURCE

RiskIQ Output Options

The only change is that FLOW_ has been removed from the option names.

5.6.x Option
Status
Notes for 6.0

EF_FLOW_OUTPUT_RISKIQ_ENABLE

RENAMED

EF_OUTPUT_RISKIQ_ENABLE

EF_FLOW_OUTPUT_RISKIQ_HOST

RENAMED

EF_OUTPUT_RISKIQ_HOST

EF_FLOW_OUTPUT_RISKIQ_PORT

RENAMED

EF_OUTPUT_RISKIQ_PORT

EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_UUID

RENAMED

EF_OUTPUT_RISKIQ_CUSTOMER_UUID

EF_FLOW_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY

RENAMED

EF_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY

PreviousSample RateNextUnified SNMP Collector