"data": []
}
}
+
+Event type: Netflow
+-------------------
+
+Fields
+~~~~~~
+
+* "age": duration of the flow (measured from timestamp of last packet and first packet)
+* "bytes": total number of bytes to client
+* "end": date of the end of the flow
+* "max_ttl": maximum observed Time-To-Live (TTL) value
+* "min_ttl": minimum observed TTL value
+* "pkts": total number of packets to client
+* "start": date of start of the flow
+* "tx_cnt": number of transactions seen in the flow (only present if flow has an application layer)
+
+Example ::
+
+ "netflow": {
+ "pkts": 1,
+ "bytes": 160,
+ "start": "2013-02-26T17:02:42.907340-0500",
+ "end": "2013-02-26T17:02:42.907340-0500",
+ "age": 0,
+ "min_ttl": 1,
+ "max_ttl": 1
+ }
The logger is disabled by default since ARP can generate a large
number of events.
+Netflow
+~~~~~~~
+
+Netflow records closely relate to flow records except that they are unidirectional while flow records
+are bidirectional. This means that there will be twice as many netflow records as there are flow records.
+
+Netflow records are disabled by default.
+
+YAML::
+
+ #- netflow
+
+To enable netflow, change this to::
+
+ - netflow:
+ enabled: yes
+
MQTT
~~~~
"additionalProperties": false,
"properties": {
"age": {
- "type": "integer"
+ "type": "integer",
+ "description": "Duration of the flow (measured from timestamp of last packet and first packet)",
+ "suricata": {
+ "keywords": [
+ "flow.age"
+ ]
+ }
},
"bytes": {
- "type": "integer"
+ "type": "integer",
+ "description": "Total number of bytes transferred to server/client",
+ "suricata": {
+ "keywords": [
+ "flow.bytes",
+ "flow.bytes_toserver",
+ "flow.bytes_toclient"
+ ]
+ }
},
"end": {
- "type": "string"
+ "type": "string",
+ "description": "Date of the end of the flow"
},
"max_ttl": {
- "type": "integer"
+ "type": "integer",
+ "description": "Maximum observed Time-To-Live (TTL) value"
},
"min_ttl": {
- "type": "integer"
+ "type": "integer",
+ "description": "Minimum observed TTL value"
},
"pkts": {
- "type": "integer"
+ "type": "integer",
+ "description": "Total number of packets transferred to server,client",
+ "suricata": {
+ "keywords": [
+ "flow.pkts",
+ "flow.pkts_toserver",
+ "flow.pkts_toclient"
+ ]
+ }
},
"start": {
- "type": "string"
+ "type": "string",
+ "description": "Date of start of the flow"
},
"tx_cnt": {
- "type": "integer"
+ "type": "integer",
+ "description": "Number of transactions seen in the flow (only present if flow has an application layer)"
}
},
"optional": true
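Review bot: The `pkts` description in this hunk reads "transferred to server,client" while the sibling `bytes` description reads "transferred to server/client"; the two should use the same wording, e.g. `"description": "Total number of packets transferred to server/client"`. Both also disagree with the RST text added in the same commit, which documents netflow `bytes` and `pkts` as counts "to client", and since that text describes netflow records as unidirectional, the schema descriptions (which is what tooling surfaces) should state whether a record counts one direction or is per-direction. `start` and `end` stay plain strings; if validators are meant to check them, `"format": "date-time"` could be added, but the example timestamp `2013-02-26T17:02:42.907340-0500` uses a colon-less UTC offset that strict RFC 3339 validators may reject, so confirm the emitted form before adding it.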