Network Interfaces

Flow records generally include the indexes of the ingress and egress interfaces through which the network traffic traversed the exporting device. The ElastiFlow Unified Flow Collector will attempt to determine the names, and additional attributes, of these interfaces from NetFlow v9 or IPFIX option records, by polling the exporting device using SNMP, or from user-defined metadata.

The network interface enrichment module provides supplemental information for network interfaces, such as name (ifName), description (ifDescr), alias (ifAlias), type (ifType), bandwidth (ifSpeed/ifHighSpeed), committed information rate (CIR), user-defined tags, and additional user-defined metadata. Values are cached for improved performance and flow record throughput.

This page provides detailed information about User-Defined Metadata Enrichment.

User-Defined Metadata Enrichment

An example of the format of this file is:

10.0.0.1:
  1:
    ifName: lo
    ifDescr: lo
    ifAlias: lo
    ifType: 24
    ifSpeed: 10000000
    tags:
      - router_mgmt
    metadata:
      sec.zone.name: network
  3:
    internal: false
    ifName: eth0
    ifDescr: eth0
    ifAlias: internet
    ifType: 6
    ifSpeed: 1000000000
    cirIn: 200000000
    cirOut: 12000000
    tags:
      - verizon
    metadata:
      sec.zone.name: internet

10.0.0.2:
  501:
    ifName: vlan
    ifDescr: vlan
    ifSpeed: 1000000000
  502:
    ifName: ge-0/0/0
    ifDescr: ge-0/0/0
    ifSpeed: 1000000000

Metadata Types

The User-Defined Metadata enricher supports a combination of pre-defined metadata types as well as the ability to provide custom data as key-value pairs. This section describes the various metadata types. The following table provides a summary of these types.

| Attribute | Data Type | Field Populated | Description |
| --- | --- | --- | --- |
| ifName | string | <object>.netif.name | The textual name of the interface. The value of this object should be the name of the network interface as assigned by the device. |
| ifDescr | string | <object>.netif.descr | A textual string containing information about the network interface. |
| ifAlias | string | <object>.netif.alias | An administratively defined "alias" name for the interface. |
| ifType | unsigned | <object>.netif.type.id, <object>.netif.type.name | The type of interface as specified in IF-MIB (RFC 2233). Additional values for ifType are assigned by the Internet Assigned Numbers Authority (IANA) via updates to the syntax of the IANAifType textual convention. |
| ifSpeed | unsigned | <object>.netif.bandwidth.bw | The interface's bandwidth in bits per second. |
| cirIn | unsigned | <object>.netif.bandwidth.prov.in | The interface's ingress provisioned maximum bandwidth in bits per second. |
| cirOut | unsigned | <object>.netif.bandwidth.prov.out | The interface's egress provisioned maximum bandwidth in bits per second. |
| internal | bool | <object>.isInternal | Specifies whether or not the network interface is connected to a network considered to be "internal". |
| tags | array of strings | <object>.netif.tags | Tags that describe attributes of the network interface. |
| metadata | sequence of attributes | <object><attribute> or <attribute> | Key-value pairs which will be added at the network interface object or record levels. |

metadata

metadata is a list of key-value pairs which will be added as fields to the record. These can either be custom fields specific to the needs of the user, or existing fields from the ElastiFlow CODEX schema. When CODEX fields are specified, the configured metadata value will override any values that already exist in the record.

:::info
If you have enabled ECS (Elasticsearch/OpenSearch) or CIM (Splunk) support and want to override values from these schemas, you must specify the CODEX equivalent fields in the metadata attribute. Metadata is applied in the decoder portion of the collector, where all data is still in the CODEX schema. Conversion to other schemas is output-specific and thus occurs at a later phase of processing.
:::

Key names can be specified with or without a leading dot (.).

  • If specified with a leading ., the field will be placed within the parent object containing the network interface.

  • If specified without a leading ., the field will be placed at the root of the record.

Consider a network interface from flow.in.netif.index:

  • If the metadata key is defined as .circuit.name, the value would be assigned to flow.in.netif.circuit.name.

  • If the metadata key is defined as circuit.name, the value would be assigned directly to circuit.name.
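
The placement and override rules above can be sketched as follows. This is an added example, not ElastiFlow code: it models a record as a flat dict of dotted field names, and the `flow.out.netif` object name, the ingress-then-egress processing order and all function names are assumptions. It shows that a root-level key such as `sec.zone.name` from the example file is written to the same field by both the ingress and the egress interface, while a leading-dot key stays per interface.

```python
# Added illustration, not ElastiFlow code. Records are modelled as flat dicts
# keyed by dotted field names (an assumption of this sketch).

# Metadata from the example file above: root-level keys (no leading dot).
ROOT_KEYS = {"10.0.0.1": {1: {"metadata": {"sec.zone.name": "network"}},
                          3: {"metadata": {"sec.zone.name": "internet"}}}}
# Constructed variant: the same keys written with a leading dot.
SCOPED_KEYS = {"10.0.0.1": {1: {"metadata": {".sec.zone.name": "network"}},
                            3: {"metadata": {".sec.zone.name": "internet"}}}}

# "flow.in.netif" is named on the page; "flow.out.netif" and the processing
# order (ingress first, then egress) are assumptions.
NETIF_OBJECTS = ("flow.in.netif", "flow.out.netif")


def target_field(key, netif_object):
    """Map a metadata key to the record field it populates."""
    if key.startswith("."):
        return netif_object + key   # placed within the interface's object
    return key                      # placed at the root of the record


def apply_metadata(record, exporter_ip, definitions):
    """Return (enriched copy, fields whose existing value was replaced)."""
    out = dict(record)
    overridden = []
    interfaces = definitions.get(exporter_ip, {})
    for netif_object in NETIF_OBJECTS:
        entry = interfaces.get(record.get(netif_object + ".index"))
        if entry is None:
            continue                # no user-defined entry for this interface
        for key, value in entry.get("metadata", {}).items():
            field = target_field(key, netif_object)
            if field in out and out[field] != value:
                overridden.append(field)
            out[field] = value      # the configured value overrides
    return out, overridden


# Constructed flow record: in via ifIndex 3 (internet), out via ifIndex 1.
SAMPLE = {"flow.in.netif.index": 3, "flow.out.netif.index": 1}

if __name__ == "__main__":
    print(apply_metadata(SAMPLE, "10.0.0.1", ROOT_KEYS))
    print(apply_metadata(SAMPLE, "10.0.0.1", SCOPED_KEYS))
```

With the root-level keys the sample record ends with a single `sec.zone.name` and, in this sketch, the ingress zone is replaced by the egress one; with leading-dot keys each interface keeps its own zone value.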