A number of templates are available that allow LogRhythm to pull in different vendor schemas to collect all data from IPFIX logs. These are
-
Gigamon
-
Netscalar
-
Adtran
You can locate them in the C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema folder. The folder also contains a PEN.ini file that contains all the vendor names you can collect from.
Running a Wireshark on the data received in the IPFIX stream shows the fields that are being sent. Those that have Pen provided: No are default values and are picked up even without a vendor-specific file Those with Pen provided: Yes are specific to that vendor and in order to parse these fields, a vendor-specific ini is required.This ini maps each field's ElementID to a name and data type.
To set up a vendor-specific .ini file
-
Ask the vendor for their IPFIX Specification, or iespec, file, which must contain the following:ElementIDnamedata type
-
If the file comes in a format other than the one LogRhythm uses, as shown by the templates, you must convert it.Open the file in a text editor.Using the Replace all function with the Search Mode set to Regular Expression, find ([\w_-]+)\(\d+/(\d+)\)(<\w+>) and replace it with $2=$1 $3.
-
Add the PEN number to the top of the file with brackets around it. The name of the ini is case-sensitive, so make sure you capitalize it the same as in the PEN.ini. PEN numbers can be found at https://www.iana.org/assignments/enterprise-numbers.
-
Save the file in C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema.
-
Add the vendor to the PEN.ini file using the same case sensitivity you used in the specific .ini file.