Hi Team
I’m glad I can use elastiflow, I’m having a little trouble using ElastiFlow (flow): Flow Exporters (traffic). I can’t display the Ingress Interface name in the Kibana dashboard. The dashboard Ingress Interface appears to display only index: numbers, which doesn’t look very friendly. I hope the switch port number can be displayed, is there any good way
很高兴我可以使用elastiflow,我在使用ElastiFlow (flow): Flow Exporters (traffic)遇到一点小麻烦。我在Kibana仪表盘里面不能显示Ingress Interface 名字。这仪表盘Ingress Interface看起来只显示index:数字,看起来不太友好。我希望可以显示交换机端口编号,请问有什么好办法吗
A screen shot might be helpful. Meanwhile, have you reviewed the documentation on enriching interface information?
Flow records generally include the index of ingress and egress interfaces by which the network traffic traversed the exporting device. The ElastiFlow Unified Flow Collector will attempt to determine the names, and additional attributes, of these...
10.14.254.250:
When I finished the post-configuration, the dashboard interface display name was still not valid。Please check the configuration for me
Hello dxturner
You will need to provide the flowcoll.yml or flowcoll.conf, depending on how you configured the collector, and the flowcoll.log file to be reviewed.
Regards,
conf:
#Environment=“EF_PROCESSOR_ENRICH_NETIF_TTL=7200”
Environment=“EF_PROCESSOR_ENRICH_NETIF_METADATA_ENABLE=true”
Environment=“EF_PROCESSOR_ENRICH_NETIF_FLOW_OPTIONS_ENABLE=true”
Environment=“EF_PROCESSOR_ENRICH_NETIF_SNMP_ENABLE=false”
log:
2024-05-28T10:15:08.868+0800 error netflow9/netflow9.go:59 netflow v9: could not decode flowsets: template not yet received from 10.14.254.250 for session: 16944, observation domain: 257, template ID 257github.com/elastiflow/flowcoll/pkg/processors/flowprocessor/netflow9.Decode github.com/elastiflow/flowcoll/pkg/processors/flowprocessor/process.decodePacket github.com/elastiflow/flowcoll/pkg/processors/flowprocessor/process.ProcessPacket github.com/elastiflow/flowcoll/pkg/processors/flowprocessor.(*FlowProcessor).decodePacket github.com/elastiflow/flowcoll/pkg/processors/flowprocessor.(*FlowProcessor).Run
NETIF.yml
10.14.254.250:
“10.14.254.250::ifName.436305920”: "E1/12
10.14.254.250:
You should check the logs to see if there are any errors in reading the netifs.yml file. The content, as pasted here, does not show any idents, which are part of the yaml format requirements. You can use an online yml format checker to correct as needed.
If SNMP is available, you can use SNMP enrichment so that the ifName can be looked up using the ifIndex, which will keep you from having to maintain the netifs.yml file. More documentation here for reference .
The log message regarding “template not yet received” is normal. As part of the flow data devices will periodically send out a template that describes how to decode the data. In this case, the template has not yet been received. It can take 5, 10, 15 or even 30 minutes for the template to be sent, depending on the device.
Hope this helps.
Regards,
Hi Team
Environment=“EF_PROCESSOR_ENRICH_NETIF_SNMP_ENABLE=true”
rob
June 14, 2024, 1:16pm
8
436305920 is not the value of ifDescr. You need to use…
10.14.254.250:
436305920:
ifName: 'G1/0/1'
ifDescr: 'G1/0/1'
ifAlias: 'inside'
ifType: 24
ifSpeed: 10000000
tags:
- 'router_mgmt'
metadata:
sec.zone.name: 'network'
barrions:
436305920
I have modified the configuration file above, and it has achieved the effect I need
system
July 18, 2024, 12:40pm
11
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
