Version: Next

Configure Outputs

You may add up to sixteen output destinations, specifying the format and the kind of data to be sent to each destination.

Click the ‘plus’ symbol to add a data output, then select the desired Output Type from the drop-down.

Output Types

NFO supports the following types of outputs:

| Type | Description |
| --- | --- |
| Syslog (UDP) | Indicates the destination where data is sent in syslog format |
| Syslog (JSON) | Indicates the destination where data is sent in JSON format |
| AWS S3 | Indicates the destination is AWS S3 buckets |
| Disk | Indicates the destination is a disk |
| Splunk HEC | Indicates that the destination is Splunk HEC. NFO sends data to Splunk HEC in key=value format |
| Splunk Observability Metrics | Indicates that the destination is Splunk Observability Cloud (SignalFx) |
| Azure Blob Storage Syslog | Indicates the destination is Azure Blob Storage in Syslog format |
| Azure Blob Storage JSON | Indicates the destination is Azure Blob Storage in JSON format |
| Azure Log Analytics Workspace | Indicates the destination is Microsoft Azure Log Analytics Workspace (Azure Monitor, Sentinel) |
| Kafka Syslog | Indicates the destination is Kafka in Syslog format |
| Kafka JSON | Indicates the destination is Kafka in JSON format |
| OpenSearch | Indicates the destination is OpenSearch (e.g. Amazon OpenSearch Service) |
| ClickHouse | Indicates the destination is your ClickHouse database |
| Repeater (UDP) | Indicates that flow data received by NFO should be retransmitted to that destination, e.g. your legacy NetFlow collector or another NFO instance |

Output Filters

You can set filters for each output:

| Output Filter | Description |
| --- | --- |
| All | Indicates the destination for all data generated by NFO, both by Modules and by Original NetFlow/IPFIX/sFlow one-to-one conversion |
| Modules Output Only | Indicates the destination will receive only data generated by enabled NFO Modules |
| Original NetFlow/IPFIX only | Indicates the destination for all flow data, translated into syslog or JSON, one-to-one. NetFlow/IPFIX Options from Original Flow Data, translated into syslog or JSON, one-to-one, are also sent to this output. Use this option to archive all underlying flow records NFO processes for forensics. This destination is typically Hadoop or another inexpensive storage, as the volume for this destination can be quite high |
| Original sFlow only | Indicates the destination for sFlow data, translated into syslog or JSON, one-to-one. Use this option to archive all underlying sFlow records NFO processes for forensics. This destination is typically configured to send output to inexpensive syslog storage, as the volume for this destination can be quite high |