Dear All,
I realised that the flowcoll process is downloading between 70 MB and 80 MB of data every hour. This happens at exactly 60-minute intervals after the flowcoll process is started and takes less than a minute in my case. The download is done over HTTPS from 2606:4700:10::6816:2dc2 most of the time.
In my opinion the system is running amok. I can't believe it's necessary to download 70 MB every hour. Are there any logs to dig deeper into this issue? Or maybe a way to switch off this behaviour?
And then there is the question: what is it downloading?
Hi dxturner,
Many thanks for your swift answer. Following the documentation, I couldn't find a setting for EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE.
The file /etc/elastiflow/flowcoll.yml contains only comment lines, so it seems all values are at their defaults. All changes are made in /etc/systemd/system/flowcoll.service.d/flowcoll.conf.
But neither of these two files contains anything similar to what is listed in this link.
Any other ideas on how I could fix this behaviour?
But in general you are right. In flowcoll.log I can see the following entries at exactly that time:
2025-02-03T23:00:14.205+0100 info ipaddr_enricher.netintel_threats netintel/enricher.go:262 fetching threat type collection and cidr tree
2025-02-03T23:00:15.163+0100 info ipaddr_enricher.netintel_threats netintel/enricher.go:313 Threat Type size: 53230 bytes
2025-02-03T23:00:28.868+0100 info flowcoll.metrics_provider metrics/provider.go:120 gathering metrics
2025-02-03T23:00:30.414+0100 error ipaddr_enricher.netintel_threats netintel/enricher.go:251 error initializing cidr tree {"error": "context deadline exceeded (Client.Timeout or context cancellation while reading body)"}
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE is enabled by default, and there is no specific entry for it in the configuration file. If you want to disable it, you will need to explicitly set it to false by adding an entry to the file.
If you are using /etc/systemd/system/flowcoll.service.d/flowcoll.conf for configuration, use the "Environment=" syntax in that file to set the value.
As of v6, ElastiFlow started supporting YAML file configuration in /etc/elastiflow/flowcoll.yml. Though you can have configuration settings in both files, I would recommend using one or the other to avoid conflicts. I prefer flowcoll.yml because I do not have to do sudo systemctl daemon-reload for each change; I only have to do sudo systemctl restart flowcoll.
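The two ways of setting the variable described in the reply above, as an added example that is not ElastiFlow's own code or the poster's: one function writes the disable setting as a systemd drop-in, one writes it to flowcoll.yml, and a third reports which of the two files actually defines it, so you can spot the conflict the reply warns about. The file paths are the ones named in the thread; that the flowcoll.yml key carries the same name as the environment variable is an assumption, and the script takes alternative paths as arguments so it can be run against constructed files.

```shell
#!/bin/sh
# Added example, not ElastiFlow's own code. Assumes the flowcoll.yml key name
# equals the environment variable name (EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE).
KEY="EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE"

# Variant 1: systemd drop-in. After writing it you need
#   sudo systemctl daemon-reload && sudo systemctl restart flowcoll
write_dropin() {
  # $1 = path of the drop-in, e.g. /etc/systemd/system/flowcoll.service.d/flowcoll.conf
  printf '[Service]\nEnvironment=%s=false\n' "$KEY" > "$1"
}

# Variant 2: flowcoll.yml. Only "sudo systemctl restart flowcoll" is needed afterwards.
write_yml() {
  # $1 = path of the YAML file, e.g. /etc/elastiflow/flowcoll.yml
  printf '%s: "false"\n' "$KEY" > "$1"
}

# Value of KEY in a YAML file, ignoring commented-out lines; empty if unset.
yml_value() {
  grep -E "^[[:space:]]*${KEY}[[:space:]]*:" "$1" 2>/dev/null \
    | tail -n 1 \
    | sed -E "s/^[^:]*:[[:space:]]*//; s/^[\"']//; s/[\"'][[:space:]]*$//"
}

# Value of KEY in a systemd drop-in: Environment=KEY=value or Environment="KEY=value ...".
dropin_value() {
  grep -E "^[[:space:]]*Environment=.*${KEY}=" "$1" 2>/dev/null \
    | tail -n 1 \
    | sed -E "s/.*${KEY}=//; s/^\"//; s/[\" ].*$//"
}

# Report where KEY is defined. Prints "yml=<value> dropin=<value>" and returns
#   0 = defined in exactly one file, 1 = defined in both (conflict), 2 = in neither.
netintel_sources() {
  yml="${1:-/etc/elastiflow/flowcoll.yml}"
  dropin="${2:-/etc/systemd/system/flowcoll.service.d/flowcoll.conf}"
  y=$(yml_value "$yml")
  d=$(dropin_value "$dropin")
  printf 'yml=%s dropin=%s\n' "${y:-unset}" "${d:-unset}"
  if [ -n "$y" ] && [ -n "$d" ]; then return 1; fi
  if [ -z "$y" ] && [ -z "$d" ]; then return 2; fi
  return 0
}

# Set NETINTEL_CHECK_LIVE=1 to check the real files on this host.
if [ "${NETINTEL_CHECK_LIVE:-0}" = "1" ]; then
  netintel_sources
fi
```

Run it with NETINTEL_CHECK_LIVE=1 on the collector host; an exit status of 1 means both files define the variable and one of them should be cleaned up, while 2 means the default (enabled) is in effect and the hourly download will continue.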
Hi,
Many thanks for this hint. The issue has stopped now. The question remains: why does this error happen? I will probably upgrade. I am still on version 7.3; I see 7.7 is now available. But if I understand correctly, I would need a license in any case, which I don't have.
We have a default timeout on the download. After getting several reports of people seeing the timeout error, we have increased the default timeout setting.
You can get a "free" basic license that's good for a year by registering here: