Customize IPFIX Logs

LogRhythm processes IPFIX data primarily using NetFlow v9 compatible templates. For IPFIX with vendor-specific fields:

  1. Standard IPFIX fields compatible with NetFlow v9 will be processed automatically

  2. Vendor-specific IPFIX fields require a custom schema file in the ipfixschema directory

  3. Custom schema files must match the vendor's Private Enterprise Number (PEN)

Pre-configured vendor schemas include Gigamon, Netscalar, and Adtran. They are located in the C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema folder. The folder also contains PEN.ini, which lists all the vendor names you can collect from.

For other vendors, a custom schema file must be created following the format described below.

Running Wireshark on the received IPFIX stream shows the fields the exporter is sending. Fields that Wireshark marks "Pen provided: No" are standard elements and are parsed even without a vendor-specific file. Fields marked "Pen provided: Yes" are specific to that vendor, and a vendor-specific .ini is required to parse them. This .ini maps each field's ElementID to a name and data type.

To set up a vendor-specific .ini file

  1. Ask the vendor for their IPFIX information element specification (iespec) file, which must contain the following for each element:

    • ElementID

    • name

    • data type

  2. If the file is in a format other than the one LogRhythm uses (compare it with the shipped templates), you must convert it.

    1. Open the file in a text editor.

    2. Using the Replace all function with the Search Mode set to Regular Expression, find ([\w_-]+)\(\d+/(\d+)\)(<\w+>) and replace it with $2=$1 $3. This turns an iespec entry of the form name(PEN/ElementID)<type> into a line of the form ElementID=name <type>.

  3. Add the vendor's PEN to the top of the file, enclosed in square brackets. The name of the .ini file is case-sensitive, so capitalize it exactly as it appears in PEN.ini. PEN numbers can be found at https://www.iana.org/assignments/enterprise-numbers.

  4. Save the file in C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema.

  5. Add the vendor to the PEN.ini file using the same case sensitivity you used in the specific .ini file.
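The following script is an added example, not LogRhythm's own tooling, that automates steps 2 and 3 above: it applies the same regular expression to an iespec file, drops standard (PEN-less) elements that need no schema, refuses to mix elements from more than one PEN in a single schema file, writes the [PEN] header, and checks that the vendor name you chose for the file appears in PEN.ini with identical case. The sample iespec text is constructed for this example (PEN 32473 is the IANA enterprise number reserved for documentation); the exact layout of PEN.ini is not shown on this page, so the case check only looks for the vendor name as a whole token and is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Same pattern as the Replace-all step: name(PEN/ElementID)<type>.
# The PEN is captured too, so each line can be checked against the schema's PEN.
IESPEC_RE = re.compile(r"([\w_-]+)\((\d+)/(\d+)\)(<\w+>)")

# Constructed sample iespec content. Standard elements such as sourceIPv4Address
# carry no PEN and are parsed by LogRhythm without a vendor schema. A trailing
# [length] suffix, as in the iespec grammar, is dropped by the conversion.
SAMPLE_IESPEC = """\
sourceIPv4Address(8)<ipv4Address>[4]
exampleHttpHost(32473/1)<string>[65535]
exampleHttpUserAgent(32473/2)<string>
exampleSessionId(32473/3)<unsigned32>[4]
"""

# Constructed stand-in for the vendor-name list in PEN.ini (assumed format).
SAMPLE_PEN_INI = "Gigamon\nNetscalar\nAdtran\nExampleVendor\n"


def convert_iespec_line(line: str) -> Optional[Tuple[int, str]]:
    """Return (pen, 'ElementID=name <type>') for a vendor element, None otherwise."""
    m = IESPEC_RE.search(line)
    if not m:
        return None
    name, pen, element_id, dtype = m.groups()
    return int(pen), f"{element_id}={name} {dtype}"


def build_schema(iespec_text: str, pen: int) -> str:
    """Build the schema file body: a [PEN] header followed by one line per element.

    Raises ValueError if an element belongs to a different PEN, because each
    schema file must match exactly one Private Enterprise Number.
    """
    entries: List[str] = []
    for raw in iespec_text.splitlines():
        converted = convert_iespec_line(raw)
        if converted is None:
            continue  # standard element or comment; no schema entry needed
        line_pen, entry = converted
        if line_pen != pen:
            raise ValueError(f"PEN {line_pen} in {raw!r} does not match schema PEN {pen}")
        entries.append(entry)
    if not entries:
        raise ValueError("no vendor-specific elements found in iespec input")
    return "\n".join([f"[{pen}]", *entries]) + "\n"


def pen_ini_has_vendor(pen_ini_text: str, vendor: str) -> bool:
    """Case-sensitive whole-token match of the vendor name in PEN.ini.

    The schema file name must match this token exactly, so 'examplevendor'
    does not satisfy a PEN.ini entry of 'ExampleVendor'.
    """
    pattern = rf"(?<![\w-]){re.escape(vendor)}(?![\w-])"
    return re.search(pattern, pen_ini_text) is not None


if __name__ == "__main__":
    schema = build_schema(SAMPLE_IESPEC, 32473)
    print(schema, end="")
    for candidate in ("ExampleVendor", "examplevendor"):
        status = "ok" if pen_ini_has_vendor(SAMPLE_PEN_INI, candidate) else "case mismatch"
        print(f"{candidate}.ini: {status}")
```

Run the script, then save the printed body as <Vendor>.ini in the ipfixschema folder using the vendor name that passed the case check. If build_schema raises because of a PEN mismatch, split the iespec input into one file per PEN before converting.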

IPFIX Customization Support