How to get appid.yml

Hi everyone.
I am trying to set up application enrichment in ElastiFlow following Applications | ElastiFlow, but I recognize that you need a file called /etc/elastiflow/app/ipport.yml which is user defined. I don’t mind manually creating this file and inputting IPs and Ports which correspond to different apps.

But I also saw /etc/elastiflow/app/appid.yml which according to the docs is vendor defined. How can I find a file like this for free? I do not have a Fortinet or Cisco firewall to pull this data from.

My Netflow V9 exporter does not support enriching application IDs inside the flows, so I have to resort to manual methods.

Thanks

From the above docs I saw:

While various flow record sources send the mapping of application IDs to application names as option data, in cases where no application identity technology is available, applications can be statically specified by IP address and port number.

So I think the manual route (defining IPs and Ports in /etc/elastiflow/app/ipport.yml) is the way to go for me.

1 Like

If you’d like a starting point (and are using ElasticSearch/Kibana as your data collector), run this query (in Kibana | Analytics | Discover | “Try ES|QL”, then paste in the below):

FROM elastiflow-flow-codex-*
| WHERE app.name IS NULL and flow.packets > 0
| STATS packets = SUM(flow.packets) BY flow.server.host.name,flow.server.l4.port.name
| SORT packets DESC
| KEEP flow.server.host.name,flow.server.l4.port.name,packets
| LIMIT 20

… you should get a list of the top 20 destinations by server IP/port in your Flow data.

You can then work down the list, identifying what the app is going to the IP/port, and then adding an appropriate entry for it into /etc/elastiflow/app/ipport.yml.

2 Likes
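The same triage can be done offline when you only have exported flow records rather than a live ES|QL console. This added example (not from the thread or from ElastiFlow) reimplements the query above in Python over constructed ElastiFlow-style records, then filters out pairs already covered by a static IP/port map; the map is a plain dict here, since the actual layout of /etc/elastiflow/app/ipport.yml is not shown in the thread.

```python
# Added example: reproduce the ES|QL triage offline and find which top
# server IP/port pairs still lack a static application mapping.
from collections import defaultdict

# Constructed sample records using the field names from the ES|QL query.
FLOW_RECORDS = [
    {"flow.server.host.name": "10.0.0.5", "flow.server.l4.port.name": "443", "flow.packets": 120, "app.name": None},
    {"flow.server.host.name": "10.0.0.5", "flow.server.l4.port.name": "443", "flow.packets": 80, "app.name": None},
    {"flow.server.host.name": "10.0.0.9", "flow.server.l4.port.name": "8080", "flow.packets": 50, "app.name": None},
    {"flow.server.host.name": "10.0.0.7", "flow.server.l4.port.name": "53", "flow.packets": 300, "app.name": "dns"},  # already enriched
    {"flow.server.host.name": "10.0.0.3", "flow.server.l4.port.name": "22", "flow.packets": 0, "app.name": None},    # excluded: no packets
    {"flow.server.host.name": "10.0.0.3", "flow.server.l4.port.name": "22", "flow.packets": 10, "app.name": None},
]

# Hypothetical static map standing in for entries already present in ipport.yml.
STATIC_MAP = {("10.0.0.5", "443"): "https"}


def top_unmapped(records, limit=20):
    """Mirror the ES|QL pipeline: WHERE app.name IS NULL AND flow.packets > 0,
    STATS SUM(flow.packets) BY server host/port, SORT packets DESC, LIMIT."""
    totals = defaultdict(int)
    for r in records:
        if r.get("app.name") is not None or r.get("flow.packets", 0) <= 0:
            continue
        key = (r["flow.server.host.name"], r["flow.server.l4.port.name"])
        totals[key] += r["flow.packets"]
    # Sort by packets descending, then by host/port for a stable order.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(host, port, packets) for (host, port), packets in ranked[:limit]]


def still_unmapped(candidates, static_map):
    """Drop candidates that the static IP/port map already covers, leaving
    the pairs that still need a manual entry."""
    return [c for c in candidates if (c[0], c[1]) not in static_map]


if __name__ == "__main__":
    for host, port, packets in still_unmapped(top_unmapped(FLOW_RECORDS), STATIC_MAP):
        print(f"{host}:{port} -> {packets} packets, no app mapping yet")
```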
