App enrichment in Elastiflow

garciajdusa · February 8, 2025, 12:23am

Any pointers on how to enable Application enrichment?
As soon as I enabled these options, the flowcoll service failed to load after a restart. What am I missing here?

EF_PROCESSOR_ENRICH_APP_ID_ENABLE: “true”
EF_PROCESSOR_DECODE_IPFIX_ENABLE: “true”

dxturner · February 8, 2025, 1:48am

What is the error in the logs? What is the config file?

garciajdusa · February 8, 2025, 6:01pm

Is a wall of text bad form? Everything was working until I added the 2 lines above. Now the service won’t start.

garciajdusa · February 8, 2025, 6:02pm

dxturner · February 8, 2025, 6:27pm

Well, if you added two lines and it broke, I’d take one out and try again to see which one broke it

Actually, I think I know the issue. I think you need to provide a path to the app id lookup file. This feature allows you to create a look up for apps that are not learned from the option data. If you enable it, it expects to have a file to read/load.

Let us know if that helps.

Thanks,
Dexter

garciajdusa · February 8, 2025, 7:04pm

OK, the service is loading now. Thank you.

Is there anything else I need to do to see actual L7 applications?

garciajdusa · February 8, 2025, 7:07pm

Is it because my switch needs to be definied in the appid.yml file?

garciajdusa · February 8, 2025, 8:53pm

OK, just needed to enable app-recognition on my switch. It’s working now! Thanks for your help.

Topic		Replies	Views
How to get appid.yml ElastiFlow Community	3	131	April 24, 2025
IPPORT Enricher not working ElastiFlow Community	4	101	September 28, 2024
ElastiFlow (flow): Mitre ATT&CK Saved Objects Not Working ElastiFlow Community flow-collector	1	124	September 7, 2024
Brand new to Elastiflow. Need help seeing flows in my Dashboards ElastiFlow Community	4	277	February 28, 2025
Upgraded to 7.5.2 and now can't ingest flows or start without errors ElastiFlow Community	2	196	January 4, 2025

App enrichment in Elastiflow

Related topics