We set up a clickhouse server + ipfixcol2 so we can store and query netflow data as it comes in.
For our previous setup we used nfdump/nfsen (https://github.com/phaag/nfdump) and then nfdump2clickhouse (https://codeberg.org/poorting/nfdump2clickhouse/) to insert data into clickhouse. Due to the nature of this setup we only ingest data in 5 minute chunks.
We'd like to stream data to clickhouse in real time and were looking at using ipfixcol2. We managed to set up/install everything but ran into the fact that we're missing two fields that are important to us that are not in the netflow data itself. The specific fields are ra, the router address (IPv4/IPv6 in CH) the flow originates from, and flowsrc (low cardinality string in CH), containing the 'category' of the ingested flow based on the configured name of the input plugin. In the old setup these fields are added by nfdump and nfdump2clickhouse respectively. We'd really love to have an intermediate plugin (or an option in the clickhouse output plugin) to enrich our data with these fields so we can filter for flows from specific routers or subsets thereof.
This information could maybe be extracted from the source of the UDP connection and the configured name of the input plugin.
Is this something you'd consider adding?