Improved sflow Parsing and Namespaced Configuration with ElastiFlow 5.6

New Features​

• The parser for sFlow sampled_header flow samples has been replaced with our all-new packet parser. The new packet parser supports many more protocol headers and can more flexibly support the various contents and orders of header structures. The most exciting enhancement is support for tunnel and encapsulation technologies such as VXLAN, GRE, PPTP, 4in4, 4in6, 6in4, and 6in6. Tunnel and encapsulating headers are now assigned to their own objects, tunnel, and encap, where the innermost headers and payload are assigned to the flow object. For example, prior to 5.6.0 the flow object would contain attributes from the VXLAN header with no visibility into the traffic within the tunnel. In 5.6.0 the VXLAN header attributes would be assigned to tunnel. The parser then continues decoding the packet, assigning the attributes of the tunneled traffic to flow.

• Global and Namespace scoped output configurations have been introduced. Global scope, which has been the standard behavior of the collector, allows one instance of an output to be run. Namespaces allow for multiple instances of an output to be run. This is useful when it is necessary to send data to two separate platforms of the same type, e.g. two Elasticsearch clusters, with each having different configurations. See the output configuration documentation for more details.

Learn more from the changelog.