Customize IPFIX Logs

A number of templates are available that allow LogRhythm to pull in different vendor schemas to collect all data from IPFIX logs. These are

• Gigamon
• Netscalar
• Adtran

You can locate them in the C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema folder. The folder also contains a PEN.ini file that contains all the vendor names you can collect from.

Running a Wireshark on the data received in the IPFIX stream shows the fields that are being sent. Those that have Pen provided: No are default values and are picked up even without a vendor-specific file Those with Pen provided: Yes are specific to that vendor and in order to parse these fields, a vendor-specific ini is required.This ini maps each field's ElementID to a name and data type.

To set up a vendor-specific .ini file

1. Ask the vendor for their IPFIX Specification, or iespec, file, which must contain the following:
   • ElementID
   • name
   • data type
2. If the file comes in a format other than the one LogRhythm uses, as shown by the templates, you must convert it.
   1. Open the file in a text editor.
   2. Using the Replace all function with the Search Mode set to Regular Expression, find ([\w_-]+)\(\d+/(\d+)\)(<\w+>) and replace it with $2=$1 $3.
3. Add the PEN number to the top of the file with brackets around it. The name of the ini is case-sensitive, so make sure you capitalize it the same as in the PEN.ini. PEN numbers can be found at https://www.iana.org/assignments/enterprise-numbers.
4. Save the file in C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema.
5. Add the vendor to the PEN.ini file using the same case sensitivity you used in the specific .ini file.