Network Interfaces
Flow records generally include the indexes of the ingress and egress interfaces through which the network traffic traversed the exporting device. The ElastiFlow Unified Flow Collector will attempt to determine the names, and additional attributes, of these interfaces from NetFlow v9 or IPFIX option records, by polling the exporting device using SNMP, or from user-defined metadata.
The network interface enrichment module provides supplemental information for network interfaces, such as name (ifName), description (ifDescr), alias (ifAlias), type (ifType), bandwidth (ifSpeed/ifHighSpeed), committed information rate (CIR), user-defined tags, and additional user-defined metadata. Values are cached for improved performance and flow record throughput.
This page provides detailed information about User-Defined Metadata Enrichment.
User-Defined Metadata Enrichment
An example of the format of this file is:
Metadata Types
The User-Defined Metadata enricher supports a combination of pre-defined metadata types as well as the ability to provide custom data as key-value pairs. This section describes the various metadata types. The following table provides a summary of these types.
| Metadata Type | Data Type | Field(s) | Description |
|---|---|---|---|
| ifName | string | `<object>.netif.name` | The textual name of the interface. The value of this object should be the name of the network interface as assigned by the device. |
| ifDescr | string | `<object>.netif.descr` | A textual string containing information about the network interface. |
| ifAlias | string | `<object>.netif.alias` | An administratively defined "alias" name for the interface. |
| ifType | unsigned | `<object>.netif.type.id`, `<object>.netif.type.name` | The type of interface as specified in IF-MIB (RFC 2233). Additional values for ifType are assigned by the Internet Assigned Numbers Authority (IANA) via updates to the syntax of the IANAifType textual convention. |
| ifSpeed | unsigned | `<object>.netif.bandwidth.bw` | The interface's bandwidth in bits per second. |
| cirIn | unsigned | `<object>.netif.bandwidth.prov.in` | The interface's ingress provisioned maximum bandwidth in bits per second. |
| cirOut | unsigned | `<object>.netif.bandwidth.prov.out` | The interface's egress provisioned maximum bandwidth in bits per second. |
| internal | bool | `<object>.isInternal` | Specifies whether or not the network interface is connected to a network considered to be "internal". |
| tags | array of strings | `<object>.netif.tags` | Tags that describe attributes of the network interface. |
| metadata | sequence of attributes | `<object><attribute>` or `<attribute>` | Key-value pairs which will be added at the network interface object or record levels. |
metadata
`metadata` is a list of key-value pairs which will be added as fields to the record. These can either be custom fields specific to the needs of the user, or existing fields from the ElastiFlow CODEX schema. When CODEX fields are specified, the configured metadata value will override any values that already exist in the record.
:::info
If you have enabled ECS (Elasticsearch/OpenSearch) or CIM (Splunk) support and want to override values from these schemas, you must specify the CODEX equivalent fields in the `metadata` attribute. Metadata is applied in the decoder portion of the collector, where all data is still in the CODEX schema. Conversion to other schemas is output-specific and thus occurs at a later phase of processing.
:::
Key names can be specified with or without a leading `.`.
- If specified with a leading `.`, the field will be placed within the parent object containing the network interface.
- If specified without a leading `.`, the field will be placed at the root of the record.
Consider a network interface from `flow.in.netif.index`:
- If the metadata key is defined as `.circuit.name`, the value would be assigned to `flow.in.netif.circuit.name`.
- If the metadata key is defined as `circuit.name`, the value would be assigned directly to `circuit.name`.
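
The key-placement and override rules above can be checked before deploying a metadata file with a small model like the following. This is an added example, not ElastiFlow code: the function names, the flat dotted-key record, and the sample values are assumptions made for illustration.

```python
# Added illustration (not ElastiFlow code): models the metadata key-placement
# rule described above on a flat record whose keys are dotted field paths.

def netif_object(index_field: str) -> str:
    """'flow.in.netif.index' -> 'flow.in.netif' (the object holding the interface)."""
    parent, _, leaf = index_field.rpartition(".")
    if leaf != "index" or not parent:
        raise ValueError(f"not an interface index field: {index_field!r}")
    return parent


def resolve_key(key: str, index_field: str) -> str:
    """Return the field path that a metadata key is written to."""
    if key in ("", "."):
        raise ValueError("empty metadata key")
    if key.startswith("."):
        return netif_object(index_field) + key   # relative to the interface object
    return key                                    # root of the record


def apply_metadata(record: dict, index_field: str, metadata: dict):
    """Apply metadata for one interface; return (new_record, overridden).

    overridden maps each field path whose existing value was replaced to
    (old_value, new_value), since configured metadata wins over existing values.
    """
    out, overridden = dict(record), {}
    for key, value in metadata.items():
        path = resolve_key(key, index_field)
        if path in out and out[path] != value:
            overridden[path] = (out[path], value)
        out[path] = value
    return out, overridden


# Constructed sample: a decoded record and metadata for its ingress interface.
RECORD = {"flow.in.netif.index": 12, "flow.in.netif.name": "ge-0/0/1"}
METADATA = {".circuit.name": "CKT-0001", "circuit.name": "CKT-0001", ".name": "wan-uplink"}

if __name__ == "__main__":
    enriched, replaced = apply_metadata(RECORD, "flow.in.netif.index", METADATA)
    for path in sorted(enriched):
        print(f"{path} = {enriched[path]!r}")
    print("overridden:", replaced)
```

The `overridden` result lists every existing field that a metadata key would replace, which makes unintended overrides of collected values visible before they reach dashboards or detections.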