NetFlow
Synopsis
Creates a NetFlow collector that accepts flow data over UDP connections. Supports high-volume collection with multiple workers and configurable buffer sizes.
The collector only supports legacy NetFlow types, such as NetFlow v5. For NetFlow v9, use the ipfix collector type.
For details, see Appendix.
Schema
- id: <numeric>
name: <string>
description: <string>
type: netflow
tags: <string[]>
pipelines: <pipeline[]>
status: <boolean>
properties:
address: <string>
port: <numeric>
workers: <numeric>
reuse: <boolean>
Configuration
The following fields are used to define the device:
Device
| Field | Required | Default | Description |
|---|---|---|---|
id | Y | Unique identifier | |
name | Y | Device name | |
description | N | - | Optional description |
type | Y | Must be netflow | |
tags | N | - | Optional tags |
pipelines | N | - | Optional pre-processor pipelines |
status | N | true | Enable/disable the device |
Connection
| Field | Required | Default | Description |
|---|---|---|---|
address | N | "0.0.0.0" | Listen address |
port | N | 2055 | Listen port |
workers | N | CPU count | Number of worker goroutines |
reuse | N | false | Enable socket address reuse |
Details
NetFlow, sFlow, and IPFIX devices share a common flow collection backend (backend/module/listener/flow/). The thin per-protocol controller sets the flow type and default port.
When reuse is enabled, the collector spawns multiple workers which maintain their own UDP listeners, process flows independently, and write to dedicated queue files. The collector scales up to use all available CPU cores.
The collector supports fixed format NetFlow v5 records, application identification, port-based protocol mapping, flow state tracking, and statistical aggregation.
Examples
The following are commonly used configuration types.
Basic
Creating a simple NetFlow v5 collector on the default port... | |
High-Volume
Optimizing for high flow volumes using multiple workers... | |
NetFlow collector with application identification enabled... | |