| Status | |
|---|---|
| Stability | alpha: logs |
| Distributions | contrib |
| Issues |   |
| Code Owners | @evan-bradley, @dlopes7 |
The netflow receiver can listen for netflow, sflow, and ipfix data and convert it to OpenTelemetry logs. The receiver is based on the goflow2 project.
This gives OpenTelemetry users the capability of monitoring network traffic, and answer questions like:
- Which protocols are passing through the network?
- Which servers and clients are producing the highest amount of traffic?
- What ports are involved in these network calls?
- How many bytes and packets are being sent and received?
By default the receiver will listen for ipfix and netflow on port 2055. The receiver can be configured to listen on different ports and protocols.
Example configuration:
receivers:
netflow:
- scheme: netflow
port: 2055
sockets: 16
workers: 32
netflow/sflow:
- scheme: sflow
port: 6343
sockets: 16
workers: 32
processors:
batch:
send_batch_size: 2000
timeout: 30s
exporters:
debug:
verbosity: detailed
service:
pipelines:
logs:
receivers: [netflow, netflow/sflow]
processors: [batch]
exporters: [debug]
telemetry:
logs:
level: debugWe recommend using the batch processor to reduce the number of log requests being sent to the exporter. The batch processor will batch log records together and send them in a single request to the exporter.
You would then configure your network devices to send netflow, sflow, or ipfix data to the Collector on the specified ports.
| Field | Description | Examples | Default |
|---|---|---|---|
| scheme | The type of flow data that to receive | sflow, netflow |
netflow |
| hostname | The hostname or IP address to bind to | localhost |
0.0.0.0 |
| port | The port to bind to | 2055 or 6343 |
2055 |
| sockets | The number of sockets to use | 1 | 1 |
| workers | The number of workers used to decode incoming flow messages | 2 | 2 |
| queue_size | The size of the incoming netflow packets queue, it will always be at least 1000. | 5000 | 1000 |
The netflow data is standardized for the different schemas and is converted to OpenTelemetry log records following the semantic conventions
The log record will have the following attributes (with examples):
- source.address: Str(132.189.238.100)
- source.port: Int(1255)
- destination.address: Str(241.171.33.110)
- destination.port: Int(64744)
- network.transport: Str(tcp)
- network.type: Str(ipv4)
- flow.io.bytes: Int(853)
- flow.io.packets: Int(83)
- flow.type: Str(netflow_v5)
- flow.sequence_num: Int(191)
- flow.time_received: Int(1736309689918929427)
- flow.start: Int(1736309689830846400)
- flow.end: Int(1736309689871846400)
- flow.sampling_rate: Int(0)
- flow.sampler_address: Str(172.28.176.1)
The log record timestamps will be:
- Observed timestamp: The time the flow was received.
- Timestamp: The flow
startfield.
- Process Template Records if present
- Process Netflow V5, V9, and IPFIX messages
- Extract the attributes documented above
- Mapping of custom fields is not yet supported
- Process sFlow version 5 datagrams
flow_sampleandflow_sample_expandedare supported.counter_sampleandcounter_sample_expandedare NOT yet supported.- Mapping of custom fields is not yet supported