|
| 1 | +lnfstore (output plugin) |
| 2 | +======================== |
| 3 | + |
| 4 | +The plugin converts and store IPFIX flow records into NfDump compatible files. Only a subset of |
| 5 | +IPFIX fields that have NetFlow equivalents are stored into NfDump files. Other fields are discarded. |
| 6 | +Biflow records are split into two unidirectional flow records. |
| 7 | + |
| 8 | +To speed up search of flow records of an IP address in multiple data files, the plugin can also |
| 9 | +create index files. These files will be created simultaneously with data files and they can be |
| 10 | +utilized by tools such as *fdistdump* to promptly determine if there is at least one record |
| 11 | +with the specified IP address in a file. This can dramatically reduce the number of processed |
| 12 | +files and provide query results faster. |
| 13 | + |
| 14 | +How to build |
| 15 | +------------ |
| 16 | + |
| 17 | +By default, the plugin is not distributed with the IPFIXcol itself due to extra dependencies. |
| 18 | +To build the plugin, IPFIXcol (and its header files) and the following dependencies must be |
| 19 | +installed on your system: |
| 20 | + |
| 21 | +- `libnf <https://github.com/VUTBR/libnf>`_ |
| 22 | +- `bloom-filter-indexes <https://github.com/CESNET/bloom-filter-index/>`_ |
| 23 | + |
| 24 | +Finally, compile and install the plugin: |
| 25 | + |
| 26 | +.. code-block:: sh |
| 27 | +
|
| 28 | + $ mkdir build && cd build && cmake .. |
| 29 | + $ make |
| 30 | + # make install |
| 31 | +
|
| 32 | +Example configuration |
| 33 | +--------------------- |
| 34 | + |
| 35 | +.. code-block:: xml |
| 36 | +
|
| 37 | + <output> |
| 38 | + <name>LNF storage</name> |
| 39 | + <plugin>lnfstore</plugin> |
| 40 | + <params> |
| 41 | + <storagePath>/tmp/ipfixcol/</storagePath> |
| 42 | + <compress>yes</compress> |
| 43 | + <dumpInterval> |
| 44 | + <timeWindow>300</timeWindow> |
| 45 | + <align>yes</align> |
| 46 | + </dumpInterval> |
| 47 | + <index> |
| 48 | + <enable>yes</enable> |
| 49 | + <autosize>yes</autosize> |
| 50 | + </index> |
| 51 | + </params> |
| 52 | + </output> |
| 53 | +
|
| 54 | +**Warning**: The storage path *must* already exist in your system. Otherwise all data will be lost. |
| 55 | + |
| 56 | +Parameters |
| 57 | +---------- |
| 58 | + |
| 59 | +:``storagePath``: |
| 60 | + The path element specifies the storage directory for data files. Keep on mind that the path |
| 61 | + must exist in your system. Otherwise, no records are stored. All files will be stored based |
| 62 | + on the configuration using the following template: |
| 63 | + ``<storagePath>/YYYY/MM/DD/lnf.<suffix>`` where ``YYYY/MM/DD`` means year/month/day and |
| 64 | + ``<suffix>`` represents a UTC timestamp in format ``YYMMDDhhmmss``. |
| 65 | + |
| 66 | +:``compress``: |
| 67 | + Enable/disable LZO compression for files. [values: yes/no, default: no] |
| 68 | + |
| 69 | +:``identificatorField``: |
| 70 | + Specifies an identification string, which is put into statistic records to describe |
| 71 | + the source. [default: <empty>] |
| 72 | + |
| 73 | +:``dumpInterval``: |
| 74 | + Configuration of output files rotation. |
| 75 | + |
| 76 | + :``timeWindow``: |
| 77 | + Specifies time interval in seconds to rotate files i.e. close the current file and create |
| 78 | + a new one. [default: 300] |
| 79 | + |
| 80 | + :``align``: |
| 81 | + Align file rotation with next N minute interval. For example, if enabled and window |
| 82 | + size is 5 minutes long, files will be created at 0, 5, 10, etc. |
| 83 | + [values: yes/no, default: yes] |
| 84 | + |
| 85 | +:``index``: |
| 86 | + Configuration of IP address indexes. Index files are independent and exists besides |
| 87 | + "lnf.*" files as "bfi.*" files with matching identification. |
| 88 | + |
| 89 | + :``enable``: |
| 90 | + Enable/disable Bloom Filter indexes. [values: yes/no, default: no] |
| 91 | + |
| 92 | + :``autosize``: |
| 93 | + Enable/disable automatic resize of index files based on the number of unique IP addresses |
| 94 | + in the last dump interval. [values: yes/no, default: yes] |
| 95 | + |
| 96 | + :``estimatedItemCount``: |
| 97 | + Expected number of unique IP addresses in dump interval. If autosize is enabled this |
| 98 | + value is continuously recalculated to suit current utilization. The value affects the |
| 99 | + size of index files i.e. higher value, larger files. [default: 100000] |
| 100 | + |
| 101 | + :``falsePositiveProbability``: |
| 102 | + False positive probability of the index. The probability that presence test of an IP |
| 103 | + address indicates that the IP address is present in a data file, when it actually is not. |
| 104 | + It does not affect the situation when the IP address is actually in the data file i.e. |
| 105 | + if the IP is in the file, the result of the test is always correct. The value affects |
| 106 | + the size of index files i.e. smaller value, larger files. [default: 0.01] |
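Review bot: The example at line 41 sets `<storagePath>/tmp/ipfixcol/</storagePath>`, which works against the warning at line 54 that a missing storage path means all data is lost. `/tmp` is world-writable and is cleared at boot on many systems, so a collector configured from this example can lose its directory and then drop flow records. Suggest using a dedicated directory owned by the collector's user in the example, and making the two statements of the consequence agree: the warning says "all data will be lost" while the `storagePath` entry at lines 60-61 says "no records are stored". Minor wording: "converts and store" (line 4) should be "converts and stores", "Keep on mind" (line 60) should be "Keep in mind", and "exists besides" (line 86) should be "exist beside". In the build block, `# make install` (line 30) reads as a comment under the `sh` highlighting; consider `$ sudo make install` or a sentence saying the step needs root.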