
Customize IPFIX Logs

LogRhythm processes IPFIX data primarily using NetFlow v9 compatible templates. For IPFIX with vendor-specific fields:

  1. Standard IPFIX fields compatible with NetFlow v9 will be processed automatically

  2. Vendor-specific IPFIX fields require a custom schema file in the ipfixschema directory

  3. Custom schema files must match the vendor's Private Enterprise Number (PEN)

Pre-configured vendor schemas include Gigamon, Netscalar, and Adtran. They are located in the C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema folder. The same folder contains a PEN.ini file that lists every vendor name the System Monitor can collect IPFIX data from.

For other vendors, a custom schema file must be created following the format described below.

Running a Wireshark capture on the IPFIX stream shows the fields that are being sent. Fields that Wireshark reports with Pen provided: No are standard information elements and are picked up even without a vendor-specific file. Fields reported with Pen provided: Yes are specific to that vendor, and a vendor-specific .ini file is required to parse them. This .ini maps each field's ElementID to a name and a data type.

To set up a vendor-specific .ini file

  1. Ask the vendor for their IPFIX information element specification, or iespec, file, which must contain the following for each field:

    • ElementID

    • name

    • data type

  2. If the file is not already in the format LogRhythm uses (compare it with the pre-configured schema files), convert it:

    1. Open the file in a text editor.

    2. Using the Replace All function with the search mode set to Regular Expression, find ([\w_-]+)\(\d+/(\d+)\)(<\w+>) and replace it with $2=$1 $3. This turns an iespec entry of the form name(PEN/ElementID)<datatype> into ElementID=name <datatype>, one field per line.

  3. Add the vendor's PEN number, enclosed in brackets, as the first line of the file. The .ini file name is case-sensitive, so capitalize it exactly as the vendor is named in PEN.ini. PEN numbers are listed at https://www.iana.org/assignments/enterprise-numbers.

  4. Save the file in C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ipfixschema.

  5. Add the vendor to the PEN.ini file, using the same capitalization as the vendor-specific .ini file name.
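As an added, runnable illustration of steps 1 through 5 (this is not part of the original page and not LogRhythm's own tooling), the following Python script performs the conversion that the regular-expression replace in step 2 does by hand, prepends the bracketed PEN line from step 3, and refuses input that mixes PENs, repeats an ElementID, or uses an ID outside the 15-bit range that IPFIX enterprise-specific elements can carry. The sample iespec is constructed; its enterprise number 32473 is the one IANA reserves for documentation (RFC 5612), and the tolerance of a trailing [size] suffix on an entry is an assumption about vendor files, not something the page requires. The script writes nothing to disk; save the printed output as the vendor's .ini in the ipfixschema folder and update PEN.ini as described in steps 4 and 5.

```python
import re

# iespec entry in the shape the page's regex expects: name(PEN/ElementID)<datatype>
# An optional trailing [size] suffix (assumed, not required by the page) is tolerated
# and dropped, since the LogRhythm format carries only ID, name and type.
IESPEC_RE = re.compile(r"^([\w-]+)\((\d+)/(\d+)\)<(\w+)>(?:\[\w+\])?\s*$")

# Constructed sample iespec. 32473 is the enterprise number IANA reserves for
# documentation (RFC 5612), so it cannot collide with a real vendor's PEN.
SAMPLE_IESPEC = """\
# constructed vendor iespec, one information element per line
exampleSessionId(32473/100)<unsigned32>
exampleUserName(32473/101)<string>
exampleBytesOut(32473/102)<unsigned64>[8]
"""


def parse_iespec(text):
    """Parse iespec lines into (pen, [(element_id, name, datatype), ...]).

    Raises ValueError on a malformed line, on a mix of PENs (one .ini file
    covers exactly one vendor), on a duplicate ElementID, or on an ID outside
    1..32767 (enterprise-specific IDs are 15 bits; the 16th bit is the enterprise flag).
    """
    pen = None
    seen = {}
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IESPEC_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an iespec entry: {line!r}")
        name, line_pen, elem_id, dtype = (
            m.group(1), int(m.group(2)), int(m.group(3)), m.group(4))
        if pen is None:
            pen = line_pen
        elif line_pen != pen:
            raise ValueError(
                f"line {lineno}: PEN {line_pen} differs from {pen}; one .ini file per PEN")
        if not 1 <= elem_id <= 32767:
            raise ValueError(
                f"line {lineno}: ElementID {elem_id} is outside the 15-bit enterprise range")
        if elem_id in seen:
            raise ValueError(
                f"line {lineno}: ElementID {elem_id} already mapped to {seen[elem_id]!r}")
        seen[elem_id] = name
        entries.append((elem_id, name, dtype))
    if pen is None:
        raise ValueError("no iespec entries found")
    return pen, entries


def to_logrhythm_ini(text):
    """Render the [PEN] header followed by one ElementID=name <datatype> line
    per element, i.e. the result of the page's $2=$1 $3 replacement with the
    PEN line added on top."""
    pen, entries = parse_iespec(text)
    lines = [f"[{pen}]"]
    lines.extend(f"{eid}={name} <{dtype}>" for eid, name, dtype in entries)
    return "\n".join(lines) + "\n"


def conversion_error(text):
    """Return the error message a conversion would raise, or None when it converts cleanly."""
    try:
        to_logrhythm_ini(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Print the schema; save it as <Vendor>.ini in the ipfixschema folder and add
    # the vendor to PEN.ini by hand, as the steps above describe.
    print(to_logrhythm_ini(SAMPLE_IESPEC), end="")
```

Run against a real vendor file, the first thing this catches in practice is an iespec that bundles elements from more than one PEN: those must be split into one .ini per enterprise number, because the bracketed header at the top of the file names exactly one PEN.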
