Skip to main content

IPFix

Push

Synopsis

Creates an IPFix collector that accepts flow data over UDP connections. Supports High-Volume collection with multiple worker processes and configurable buffer sizes.

For details, see Appendix.

Schema

id: <numeric>
name: <string>
description: <string>
type: ipfix
tags: <string[]>
pipelines: <pipeline[]>
status: <boolean>
properties:
  address: <string>
  port: <numeric>
  reuse: <boolean>
  buffer_size: <numeric>

Configuration

The following fields are used to define the device:

Device

FieldRequiredDefaultDescription
idYUnique identifier
nameYDevice name
descriptionN-Optional description
typeYMust be ipfix
tagsN-Optional tags
pipelinesN-Optional pre-processor pipelines
statusNtrueEnable/disable the device

Connection

FieldRequiredDefaultDescription
addressN"0.0.0.0"Listen address
portN4739Listen port
reuseNtrueEnable socket address reuse

Performance

FieldRequiredDefaultDescription
buffer_sizeN9000Network read buffer size in bytes

Key Features

The following are unique features that Director offers.

Multiple Workers

When reuse is enabled, the collector automatically scales to use multiple workers based on available CPU cores. Each worker maintains its own UDP listener, processes flows independently, and writes to a dedicated queue file.

Flows

The collector supports template management for NetFlow v9/IPFix, application identification, port-based protocol mapping, flow state tracking, and statistical aggregation.

Examples

The following are commonly used configuration types.

Basic

The minimum required configuration using defaults:

Create a simple IPFix collector...

devices:
  - id: 1
    name: basic_ipfix
    type: ipfix
    properties:
      port: 4739

High-Volume

Performance can be enhanced for high volumes:

Optimizing for high message volumes...

devices:
  - id: 2
    name: performant_ipfix
    type: ipfix
    properties:
      address: "0.0.0.0"
      port: 4739
      reuse: true
      buffer_size: 32768
note

When reuse is enabled, the collector automatically scales up to use all available CPU cores.

Multiple Flows

Multiple flow types can be collected through a single device:

Collecting multiple flow types...

devices:
  - id: 3
    name: multi_flow
    type: ipfix
    properties:
      address: "0.0.0.0"
      port: 4739
      reuse: true
      buffer_size: 16384
warning

Each flow type requires its own port. Ensure no port conflicts exist between different collectors.

Loading include...

Using application identification...

devices:
  - id: 4
    name: app_aware_ipfix
    type: ipfix
    properties:
      port: 4739
      reuse: true
      buffer_size: 16384