Re: IPFIX (Netflow v10) logging mechanism

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 13 Jun 2010 22:34:13 +1200

Mike K. wrote:
> Hello Amos,
> The Purpose of implementing IPFIX in Squid would be a logging
> mechanism similar to using syslog to collect log data on remote
> machines.
> I think that the way you are seeing IPFIX is presented in a way that
> looks like it is limited to Layer4 data. The reason for this is that
> IPFIX has evolved from Cisco's NetFlow which was limited to layer 4
> data.
> IPFIX is a protocol that allows any type of data to be packaged and
> sent to a collector. A template is sent alongside the packaged data
> that tells the collector what to do with it.
>
> For instance, a very basic data export template out of squid would
> look something like this:
> +-------------+-------+------+----------+
> | source addr | bytes | code | HTTP URL |
> +-------------+-------+------+----------+
>
>
> Each IPFIX packet can contain about 25 "flow" records as opposed to
> Syslog's limit of 1 per packet.
>
> The template system has a big advantage over syslog because any IPFIX
> compliant collector should be able to collect, properly parse and
> store this data immediately for reporting purposes. This completely
> eliminates the need to parse a logfile to generate reports.
>
>
> There are several vendors that are implementing IPFIX to export.
> -One such product is nProbe http://www.ntop.org/nProbe.html . As you
> can see, this product generates records and exports things like VOIP,
> SMTP, latency, jitter and (soon) HTTP information.
> -A major firewall vendor we are working with will also be implementing
> the export of this higher level data via IPFIX.
>
> Anything that can be logged by squid can be exported as IPFIX data and
> in turn be available for reporting in near realtime. This seems to be
> a real advantage over how reporting needs to occur now.
>
>
> I hope I have explained this properly. Please let me know if you have
> any questions about IPFIX.
>
> Warm regards,
> Mike Krygeris

Ah okay, that makes more sense than the search results.

Yes, it looks like a potentially useful extra logging module if someone
wants to code it.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.4
Received on Sun Jun 13 2010 - 10:34:24 MDT
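
The template mechanism described in the quoted message, shown as an added example that is not part of the original thread and is not Squid code: one IPFIX message carries a template set and a data set, and the collector decodes the records using only the template it received. The template ID, addresses and URLs are constructed values, and the choice of IANA element IDs for the four fields is an assumption of this example.

```python
import socket
import struct

# (information element ID, length); 65535 marks a variable-length field. Assumed IANA
# IDs: 8 sourceIPv4Address, 1 octetDeltaCount, 457 httpStatusCode, 461 httpRequestTarget.
TEMPLATE_ID = 256  # constructed; data template IDs start at 256
FIELDS = [(8, 4), (1, 8), (457, 2), (461, 65535)]

def build_message(records, export_time=0, seq=0, domain=1):
    """Pack one IPFIX message: a template set followed by a data set."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in FIELDS)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl  # set ID 2 = template set
    data = b""
    for src, nbytes, code, url in records:
        u = url.encode()
        if len(u) >= 255:
            raise ValueError("example only encodes the short variable-length form")
        data += socket.inet_aton(src) + struct.pack("!QHB", nbytes, code, len(u)) + u
    body = tmpl_set + struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    # Header: version 10, total length, export time, sequence, observation domain.
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain) + body

def parse_message(msg):
    """Decode data records using only the template carried in the message."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, out, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # one template record, no enterprise-specific fields
            tid, count = struct.unpack_from("!HH", body, 0)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]
        elif set_id in templates:  # data set: its set ID names the template
            pos = 0
            while pos < len(body):
                rec = []
                for ie, ln in templates[set_id]:
                    if ln == 65535:  # variable length: 1-byte prefix (< 255)
                        ln, pos = body[pos], pos + 1
                    if pos + ln > len(body):
                        raise ValueError("truncated record")
                    rec.append((ie, body[pos:pos + ln]))
                    pos += ln
                out.append(rec)
        off += set_len
    return out
```

A data set whose ID matches no known template is skipped, which is what a collector has to do with records that arrive before their template.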