ElastiFlowElastiFlow

ElastiFlow 5.4 Releases New Dashboards, 110 New Anomaly Detection Jobs, and Much More.

April 28, 2022

New Features

  • Licensing model has been changed from "per core" to "per FPU (Flow Pack Unit)", where one FPU equals 4000 flows/s. Contact sales@elastiflow.com for more details.

    • The number of decoder "workers" is now independent of the license and can be configured using EF_FLOW_DECODER_POOL_SIZE. This allows the collector to be configured for greater concurrency resulting in better utilization of older multi-core hardware while also minimizing the throughput impact of high-latency enrichment (e.g. DNS reverse lookups). The default pool size is 4 x licensed units.

    • It is possible to burst over the licensed flow rate for up to 20 secs. After a burst period throughput will be limited to the licensed rate for 30 minutes.

  • User-Defined Metadata Enrichment for Network Interface. For more details see: User-Defined Metadata Enrichment.

  • Dedicated OpenSearch output. Previously the Elasticsearch output was used for both Elasticsearch and OpenSearch. There is now a dedicated output for OpenSearch which include only those configuration options specific to OpenSearch. The OpenSearch-related configuration options have been removed from the Elasticsearch output.

  • Cached network interface enrichment features for flow option data, SNMP and User-Defined Metadata have been combined into an all-new combined enrichment module.

    • The contents of the cache are now expired using a configurable time-to-live (TTL).

    • The enrichment features which read external files can reload those files, refreshing values, without having to restart the collector.

  • Dropped fields can now be configured per output (Cribl, Elasticsearch, Kafka, Splunk, OpenSearch, & Logzio) in addition to the ability to drop fields at the decoder level (i.e. globally for all outputs).

  • The sFlow decoder now parses ICMP headers to provide ICMP Type and ICMP Code.

  • New dashboards for Core Network Service Health (DNS, DHCP, RADIUS, LDAP and NTP) and Threat Hunting (DDoS TCP, DDoS Flood, RECON and Brute Force) are provided for Kibana, OpenSearch Dashboards, and Logz.io.

  • New Anomaly Detection jobs, 110 in total, are now available to automate the analysis of network traffic with ElasticFlow's Machine Learning features. These jobs cover the areas of Availability, performance and Network Security. More documentation for these ML jobs will follow.

Learn more from the changelog.