IPFIX Input

IP Flow Information Export (IPFIX) input allows Graylog to read IPFIX logs and supports all of the standard IANA fields by default. As part of the startup/initialization process, this input waits for templates to be transmitted from the source before it can process messages.

Warning: If the Graylog cluster is behind a LB and the IPFIX logs are distributed across multiple inputs, one input might get the template, and another might get the data records. Consider sending to a single input.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

Any additional vendor/hardware-specific fields that are collected need to be defined in a JSON file. The file needs to provide the private operations number, as well as the additional field definitions collected. Structure the JSON file like the example below:

Copy 
{
  "enterprise_number": PRIVATE ENTERPRISE NUMBER,
  "information_elements": [
    {
      "element_id": ELEMENT ID NUMBER,
      "name": "NAME OF DEFINITION",
      "data_type": "ABSTRACT DATA TYPE"
    },
    ...
    ...
    ...
  {
    "element_id": ELEMENT ID NUMBER,
    "name": "NAME OF DEFINITIONt",
    "data_type": "ABSTRACT DATA TYPE"
  }
  ]
}

See IPFIX Data Types for more information.

Input Type

This Input is a listener input type. See Inputs to learn about Input types.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration Option Description

Global

 Select this check box to enable the input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.
Node

If you choose not to run the input globally, select a specific node on which the input should start.

Title

Assign a unique title to the input. Example: IPFIX Input for XYZ Source.

Bind Address

Enter an IP address on which this input listens. The source system/data sends logs to this IP/input.

Port

Enter a port to use in conjunction with the IP address.
Receive Buffer Size (optional) Depending on the amount of traffic being ingested by the input, this value should be large enough to ensure proper flow of data but small enough to prevent the system from spending resources trying to process the buffered data.
No. of worker threads (optional)

This setting controls how many concurrent threads are used to process incoming data. Increasing the number of threads can enhance data processing speed, resulting in improved throughput. The ideal number of threads to configure depends on the available CPU cores on your Graylog server. A common starting point is to align the number of worker threads with the number of CPU cores. However, it is crucial to strike a balance with other server demands.
Override source (optional)

By default, messages parse the source field as the provided hostname in the log message. However, if you want to override this setting for devices that output non-standard or unconfigurable hostnames, you can set an alternate source name here.

Encoding (optional)

All messages need to support the encoding configured for the input. For example, UTF-8 encoded messages should not be sent to an input configured to support UTF-16.

IPFIX field definitions (optional)

Provide the filepath of the JSON file and the additional field definitions.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: