docs/index.asciidoc in logstash-codec-netflow-3.5.1 vs docs/index.asciidoc in logstash-codec-netflow-3.5.2
- old
+ new
@@ -40,14 +40,14 @@
|Cisco ASR | | y | |
|Cisco IOS 12.x | | y | |
|Cisco WLC | | y | |
|Citrix Netscaler | | | y | Still some unknown fields, labeled netscalerUnknown<id>
|fprobe | y | | |
-|Fortigate FortiOS 5.2 | | y | |
+|Fortigate FortiOS | | y | |
|ipt_NETFLOW | y | y | y |
|Juniper MX80 | y | | | SW > 12.3R8
-|Mikrotik 6.35.4 | y | | n | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
+|Mikrotik | y | | y | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
|nProbe | y | y | y |
|OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
|Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd
|Streamcore Streamgroomer | | y | |
|Ubiquiti Edgerouter X | | y | | With MPLS labels
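Review bot: The Mikrotik row flips its third support column from `n` to `y` in the same line that drops the version `6.35.4`, so the table no longer says which RouterOS release the new `y` was verified against. The Fortigate row likewise loses `5.2`. If support really is version-independent, that is fine. Otherwise put the minimum tested version in the last column, the way the Juniper MX80 row does with `SW > 12.3R8`, so operators on older firmware do not assume their flows will decode.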
@@ -60,16 +60,35 @@
[source, ruby]
--------------------------
input {
udp {
- port => 2055
+ port => 2055
codec => netflow
}
}
--------------------------
+For high-performance production environments the configuration below will decode up to 6000 flows/sec on an 8 CPU instance. If your total flowrate exceeds 6000 flows/sec, you should use multiple Logstash instances.
+
+
+[source, ruby]
+--------------------------
+input {
+ udp {
+ port => 2055
+ receive_buffer_bytes => 16777216
+ codec => netflow
+ workers => 6
+ }
+--------------------------
+
+Make sure to increase the Linux kernel receive buffer limit:
+
+ # sysctl -w net.core.rmem_max=$((1024*1024*16))
+
+
[id="plugins-{type}s-{plugin}-options"]
==== Netflow Codec Configuration Options
[cols="<,<,<",options="header",]
|=======================================================================
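Review bot: The added high-performance example opens both `input {` and `udp {` but closes only one of them before the `--------------------------` delimiter, so anyone pasting it gets a configuration that fails to parse. Add the second `}` to match the first example in this hunk. Two smaller points on the same block: `sysctl -w net.core.rmem_max=...` only lasts until reboot, so the text should say to persist it in `/etc/sysctl.conf` or a `sysctl.d` file, otherwise the 16777216-byte `receive_buffer_bytes` will be silently capped again and flow records dropped. The `port => 2055` removal and re-addition looks like a whitespace-only change, which is worth confirming is intentional.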
@@ -105,10 +124,10 @@
===== `cache_ttl`
* Value type is <<number,number>>
* Default value is `4000`
-Netflow v9/v10 template cache TTL (minutes)
+Netflow v9/v10 template cache TTL (seconds)
[id="plugins-{type}s-{plugin}-include_flowset_id"]
===== `include_flowset_id`
* Value type is <<boolean,boolean>>
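Review bot: The `cache_ttl` description changes its unit from minutes to seconds while the default stays a bare `4000`, so anyone who set this option based on the old wording now has a template cache TTL 60 times shorter than they intended. Please confirm that seconds is what the codec actually uses, and state the unit next to the default (for example "Default value is `4000` (seconds)") so the two lines cannot drift apart again. A changelog entry calling out the documentation correction would help users re-check their existing settings.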