NetFlow/IPFIX Data Records (20001)
Description
The Original Flow Data Converter for data records translates NetFlow v5, NetFlow v9, and IPFIX records (including Cisco ASA NSEL, Cisco High-Speed Logging (HSL), Cisco Application Visibility and Control (AVC), and Palo Alto Networks NetFlow) into syslog messages one-to-one: each NetFlow record becomes exactly one syslog message in "key=value" format. The table below shows a partial list of NetFlow field types and the keys they are mapped to.
| Field Type | Value | Length (bytes) | Description | Key |
|---|---|---|---|---|
| IN_BYTES | 1 | N (default is 4) | Incoming counter with length N x 8 bits for the number of bytes associated with an IP Flow | bytes_in |
| IN_PKTS | 2 | N (default is 4) | Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow | packets_in |
| FLOWS | 3 | N | Number of flows that were aggregated; default for N is 4 | flow_count |
| PROTOCOL | 4 | 1 | IP protocol byte | protocol |
| SRC_TOS | 5 | 1 | Type of Service byte setting when entering incoming interface | src_tos |
| TCP_FLAGS | 6 | 1 | Cumulative OR of all the TCP flags seen for this flow | tcp_flag |
| L4_SRC_PORT | 7 | 2 | TCP/UDP source port number, e.g. FTP, Telnet, or equivalent | src_port |
| IPV4_SRC_ADDR | 8 | 4 | IPv4 source address | src_ip |
| SRC_MASK | 9 | 1 | The number of contiguous bits in the source address subnet mask, i.e. the subnet mask in slash notation | src_mask |
| INPUT_SNMP | 10 | N | Input interface index; default for N is 2 but higher values could be used | input_snmp |
| L4_DST_PORT | 11 | 2 | TCP/UDP destination port number, e.g. FTP, Telnet, or equivalent | dest_port |
| IPV4_DST_ADDR | 12 | 4 | IPv4 destination address | dest_ip |
| DST_MASK | 13 | 1 | The number of contiguous bits in the destination address subnet mask, i.e. the subnet mask in slash notation | dest_mask |
| OUTPUT_SNMP | 14 | N | Output interface index; default for N is 2 but higher values could be used | output_snmp |
| IPV4_NEXT_HOP | 15 | 4 | IPv4 address of next-hop router | next_hop |
| SRC_AS | 16 | N (default is 2) | Source BGP autonomous system number where N could be 2 or 4 | src_asn |
| DST_AS | 17 | N (default is 2) | Destination BGP autonomous system number where N could be 2 or 4 | dest_asn |
| BGP_IPV4_NEXT_HOP | 18 | 4 | Next-hop router's IP in the BGP domain | bgp_next_hop |
| MUL_DST_PKTS | 19 | N (default is 4) | IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow | mul_dest_packets |
| MUL_DST_BYTES | 20 | N (default is 4) | IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow | mul_dest_bytes |
| LAST_SWITCHED | 21 | 4 | System uptime at which the last packet of this flow was switched | last_time |
| FIRST_SWITCHED | 22 | 4 | System uptime at which the first packet of this flow was switched | first_time |
| OUT_BYTES | 23 | N (default is 4) | Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow | bytes_out |
| OUT_PKTS | 24 | N (default is 4) | Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow | packets_out |
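The mapping above, worked through as an added Python example (not the converter's own code): it parses a NetFlow v9 template record body (the part after the FlowSet header), walks a data record laid out per that template, honours the variable field lengths N, and renders the key=value message with nfc_id=20001 in front. The sample template and record are constructed, and the fallback key name field_N for types not in the table is an assumption.

```python
import struct
import ipaddress

# Field type -> (syslog key, kind) taken from the table above; "ip" fields are
# rendered dotted-quad, everything else as a big-endian integer of N bytes.
FIELD_KEYS = {
    1: ("bytes_in", "int"), 2: ("packets_in", "int"), 3: ("flow_count", "int"),
    4: ("protocol", "int"), 5: ("src_tos", "int"), 6: ("tcp_flag", "int"),
    7: ("src_port", "int"), 8: ("src_ip", "ip"), 9: ("src_mask", "int"),
    10: ("input_snmp", "int"), 11: ("dest_port", "int"), 12: ("dest_ip", "ip"),
    13: ("dest_mask", "int"), 14: ("output_snmp", "int"), 15: ("next_hop", "ip"),
    16: ("src_asn", "int"), 17: ("dest_asn", "int"), 18: ("bgp_next_hop", "ip"),
    19: ("mul_dest_packets", "int"), 20: ("mul_dest_bytes", "int"),
    21: ("last_time", "int"), 22: ("first_time", "int"),
    23: ("bytes_out", "int"), 24: ("packets_out", "int"),
}

def parse_template(data):
    """NetFlow v9 template record: template_id, field_count, (type, length)*."""
    tid, count = struct.unpack_from("!HH", data, 0)
    return tid, [struct.unpack_from("!HH", data, 4 + 4 * i) for i in range(count)]

def decode_record(fields, data):
    """Walk one data record using the template's (type, length) list."""
    out, offset = {}, 0
    for ftype, length in fields:
        raw = data[offset:offset + length]
        if len(raw) != length:  # truncated record or exporter/collector template mismatch
            raise ValueError("record truncated at field type %d" % ftype)
        offset += length
        key, kind = FIELD_KEYS.get(ftype, ("field_%d" % ftype, "int"))  # fallback key is assumed
        out[key] = (str(ipaddress.IPv4Address(raw)) if kind == "ip" and length == 4
                    else int.from_bytes(raw, "big"))
    return out

def to_syslog(record, nfc_id=20001):
    """Render the key=value message; nfc_id identifies the converter output."""
    return "nfc_id=%d " % nfc_id + " ".join("%s=%s" % kv for kv in record.items())

# Constructed sample (not captured traffic): a template using the table's
# default lengths (4-byte counters, 2-byte ASN) and one record matching it.
SAMPLE_TEMPLATE = struct.pack("!HH", 256, 9) + struct.pack(
    "!18H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 6, 1, 1, 4, 2, 4, 16, 2)
SAMPLE_RECORD = (ipaddress.IPv4Address("10.0.0.5").packed
                 + ipaddress.IPv4Address("192.0.2.80").packed
                 + struct.pack("!HHBBIIH", 51514, 443, 6, 0x1b, 5120, 12, 64496))

def convert_sample():
    """Template + record -> 'nfc_id=20001 src_ip=10.0.0.5 ...' message."""
    return to_syslog(decode_record(parse_template(SAMPLE_TEMPLATE)[1], SAMPLE_RECORD))
```

A real collector would first read the v9 packet header and FlowSet headers and cache templates per exporter and observation domain before decoding data FlowSets; this block covers only the record-to-message step.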
Input
NetFlow v5, NetFlow v9, Cisco ASA NSEL, Cisco HSL, Cisco AVC, Palo Alto Networks NetFlow.
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20001" |
| ... | [Varies depending on the template] | ... |