IPPORT Enricher not working

lsonzogni · August 29, 2024, 1:35pm

I’ve configured:

EF_PROCESSOR_ENRICH_APP_IPPORT_ENABLE: “true”
EF_PROCESSOR_ENRICH_APP_IPPORT_PATH: “/etc/elastiflow/app/ipport.yml”
EF_PROCESSOR_ENRICH_APP_IPPORT_PRIVATE: “true”
EF_PROCESSOR_ENRICH_APP_IPPORT_PUBLIC: “false”
EF_PROCESSOR_ENRICH_APP_REFRESH_RATE: 5

and in the file ipport.yml:

ipport

but ElastFlow does not identify the applications defined.

Any sugestion??..may be ipport.yml syntax??

dxturner · August 29, 2024, 2:33pm

Hard to tell from the image, actual text is easier to troubleshoot, but yes, it could be the syntax. You can find online YAML file syntax checkers and I often use those to validate the syntax.

lsonzogni · August 29, 2024, 8:03pm

Now is working. It was a syntax problem.

The “metadata” must use properties names between double quotes.

Example:

8530:
name: “WsusHTTP”
category: “Infraestructura”
subcategory: “WSUS”
metadata:
“business.unit”: “tecnologia”
“tcp.flags.tags”: “WSUS”

Just like the documentation:
https://docs.elastiflow.com/docs/config_ref/flowcoll/enrich_apps#ef_processor_enrich_app_ipport_path

dxturner · August 29, 2024, 8:16pm

Thanks for the update! It’s helpful for people who might have the same issue.

Topic		Replies	Views
ElastiFlow (flow): Mitre ATT&CK Saved Objects Not Working ElastiFlow Community flow-collector	2	23	September 7, 2024
The interface is not recognized ElastiFlow Community kibana , dashboards , elasticsearch , flow-collector	10	99	July 18, 2024
Abount netif.yml ElastiFlow Community flow-collector	2	35	August 1, 2024
Rename interface ElastiFlow Community	3	59	July 14, 2024
About Statistics ElastiFlow Community	4	47	July 28, 2024

IPPORT Enricher not working

Related Topics