| 1 | +UniRec (output plugin) |
| 2 | +====================== |
| 3 | + |
| 4 | +The plugin converts flow records into UniRec records and sends that via TRAP output interface. |
| 5 | + |
| 6 | + |
| 7 | +Example configuration |
| 8 | +--------------------- |
| 9 | + |
| 10 | +Below you can see a configuration with.... |
| 11 | + |
| 12 | +Parameters |
| 13 | +---------- |
| 14 | + |
| 15 | +:``uniRecFormat``: |
| 16 | + Comma separated list of UniRec fields. All fields are mandatory be default, therefore, if |
| 17 | + a flow record to convert doesn't contain all mandatory fields, it will be dropped. |
| 18 | + UniRec fields that start with '?' are optional and they are filled with default values if |
| 19 | + not present in the record (e.g. TCP_FLAGS). |
| 20 | + For example, "DST_IP,SRC_IP,BYTES,DST_PORT,?TCP_FLAGS,SRC_PORT,PROTOCOL". |
| 21 | + List of all supported UniRec fields is defined in `unirec-element.txt <unirec-elements.txt>`_ |
| 22 | + file. |
| 23 | + |
| 24 | +:``trapIfcCommon``: |
| 25 | + The following parameters can be used with any type of a TRAP interface. There are parameters |
| 26 | + of the interface that are normally let default. It is possible to override them by user. The |
| 27 | + available parameters are: |
| 28 | + |
| 29 | + :``timeout``: |
| 30 | + Time in microseconds that the output interface can block waiting for message to be send. |
| 31 | + There are also special values: "WAIT" (block indefinitely), "NO_WAIT" (don't block), |
| 32 | + "HALF_WAIT" (block only if some client is connected). [default: "HALF_WAIT"] |
| 33 | + |
| 34 | + :``buffer``: |
| 35 | + Enable buffering of data and sending in larger bulks (increases throughput) |
| 36 | + [default: true] |
| 37 | + |
| 38 | + :``autoflush``: |
| 39 | + Automatically flush data even if the output buffer is not full every X microseconds. |
| 40 | + If the automatic flush is disabled (value 0), data are not send until the buffer is full. |
| 41 | + [default: 500000] |
| 42 | + |
| 43 | +:``trapIfcSpec``: |
| 44 | + Specification of interface type and its parameters. Only one of the following output type can |
| 45 | + be used at the same time: unix, tcp, tcp-tls, file. For more details, see section |
| 46 | + "Output interface types". |
| 47 | + |
| 48 | +Output interface types |
| 49 | +---------------------- |
| 50 | + |
| 51 | +:``unix``: |
| 52 | + Communicates through a UNIX socket. The output interface creates a socket and listens, input |
| 53 | + interface connects to it. There may be more than one input interfaces connected to the output |
| 54 | + interface, every input interface will get the same data. Parameters: |
| 55 | + |
| 56 | + :``name``: |
| 57 | + Socket name. Any string usable as a file name. |
| 58 | + |
| 59 | + :``maxClients``: |
| 60 | + Maximal number of connected clients (input interfaces). [default: 64] |
| 61 | + |
| 62 | +:``tcp``: |
| 63 | + Communicates through a TCP socket. The output interface listens on a given port, input |
| 64 | + interface connects to it. There may be more than one input interfaces connected to the output |
| 65 | + interface, every input interface will get the same data. Parameters: |
| 66 | + |
| 67 | + :``port``: |
| 68 | + Local port number |
| 69 | + |
| 70 | + :``maxClients``: |
| 71 | + Maximal number of connected clients (input interfaces). [default: 64] |
| 72 | + |
| 73 | +:``tcp-tls``: |
| 74 | + Communicates through a TCP socket after establishing encrypted connection. You have to |
| 75 | + provide a certificate, a private key and a CA chain file with trusted CAs. Otherwise same |
| 76 | + as TCP: The output interface listens on a given port, input interface connects to it. |
| 77 | + There may be more than one input interfaces connected to the output interface, |
| 78 | + every input interface will get the same data. Parameters: |
| 79 | + |
| 80 | + :``port``: |
| 81 | + Local port number |
| 82 | + |
| 83 | + :``maxClients``: |
| 84 | + Maximal number of connected clients (input interfaces). [default: 64] |
| 85 | + |
| 86 | + :``keyFile``: |
| 87 | + Path to a file of a private key in PEM format. |
| 88 | + |
| 89 | + :``certFile``: |
| 90 | + Path to a file of certificate chain in PEM format. |
| 91 | + |
| 92 | + :``caFile``: |
| 93 | + Path to a file of trusted CA certificates in PEM format. |
| 94 | + |
| 95 | +:``file``: |
| 96 | + Store UniRec records into a file. The interface allows to split data into multiple files |
| 97 | + after a specified time or a size of the file. If both options are enabled at the same time, |
| 98 | + the data are split primarily by time, and only if a file of one time interval exceeds |
| 99 | + the size limit, it is further splitted. The index of size-splitted file is appended after the |
| 100 | + time. Parameters: |
| 101 | + |
| 102 | + :``name``: |
| 103 | + Name of the output file. |
| 104 | + |
| 105 | + :``mode``: |
| 106 | + Output mode: ``write``/``append``. If the specified file exists, mode ``write`` overwrites |
| 107 | + it, mode append creates a new file with an integer suffix. [default: ``write``] |
| 108 | + |
| 109 | + :``time``: |
| 110 | + If the parameter is non-zero, the output interface will split captured data to individual |
| 111 | + files as often, as value of this parameter (in minutes) indicates. The output interface |
| 112 | + creates unique file name for each file according to current timestamp in format: |
| 113 | + "filename.YYYYmmddHHMM". [default: 0] |
| 114 | + |
| 115 | + :``size``: |
| 116 | + If the parameter is non-zero, the output interface will split captured data into individual |
| 117 | + files after a size of a current file (in MB) exceeds given threshold. Numeric suffix is |
| 118 | + added to the original file name for each file in ascending order starting with 0. |
| 119 | + [default: 0] |
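Review bot: the "Example configuration" section (file line 10) is a placeholder, "Below you can see a configuration with....", with no configuration following it; either add the example (a ``uniRecFormat`` value plus one ``trapIfcSpec`` block would do) or drop the heading until it exists. On file line 21 the link text says ``unirec-element.txt`` while the target is ``unirec-elements.txt``; use the real filename for both. The ``tcp-tls`` section lists ``caFile`` as trusted CA certificates but does not say whether connecting input interfaces must present a certificate chained to it, so a reader cannot tell whether the listener is authenticated or only encrypted; stating that, and that ``unix`` and ``tcp`` accept any client able to reach the socket or port, tells operators what each interface exposes. Minor wording: "be default" should be "by default" (line 16), "to be send" and "are not send" should be "to be sent" and "are not sent" (lines 30, 40), "output type can" should be "output types can" (line 44), and "splitted" should be "split" (line 99).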