This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Releases: robcowart/elastiflow

ElastiFlow v2.1.0

14 Feb 12:58
  1. Added support for flow proxies, such as nProbe, which populate the exporterIPv4Address or exporterIPv6Address fields with the IP of the device from which the flow originated. This applies to both Netflow v9 and IPFIX flow types.

  2. Added the option to remove fields from the original flow records to save storage space. This is done by setting the environment variable ELASTIFLOW_KEEP_ORIG_DATA to false (the default is true). When set to false, the netflow, ipfix and sflow objects are removed before the data is sent to Elasticsearch. This has no adverse effect on the provided dashboards, as they are populated from the normalized flow object. However, the original flow fields will no longer be available if they are wanted for additional analytics.

  3. Updated MaxMind GeoLite2 DBs to those released 6 Feb 2018.

ElastiFlow v2.0.0

04 Feb 19:01
7befca1

ElastiFlow™ 2.0.0 is a major release which adds support for IPFIX and sFlow, in addition to Netflow v5 and v9.

It includes the following features:

  1. Support added for IPFIX (#34)

  2. Support added for sFlow (#26)

  3. Index name changed from netflow to elastiflow.

  4. All flow types are normalized under the flow object (previously Netflow v5 and v9 were normalized to a netflow object), but all original data is retained.

  5. Reworked Top-N dashboards. Now includes Top Talkers, Top Services and Top Conversations (replacing the old Conversations dashboard).

  6. Reworked Geo Location dashboards. Now includes client/server and source/destination perspectives.

  7. Autonomous System dashboard updated to simplify analysis of traffic to/from Autonomous Systems.

  8. Changed most timelion graphs to display bit/s instead of bytes/s (requested by a number of users).

  9. Index Pattern now imported via Kibana API. (see README.md)

  10. Changed netflow.conn_id to a long (#33)

  11. License updated.
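
The two behaviours described above, normalizing every flow type under a single flow object while retaining the originals (v2.0.0, item 4) and then optionally dropping those originals with ELASTIFLOW_KEEP_ORIG_DATA=false while honouring the exporter address a flow proxy such as nProbe puts in the record (v2.1.0, items 1 and 2), as one added Python example. This is illustration code written for this page, not ElastiFlow's Logstash pipeline; the field names (flow.src_addr, node.ipaddr and the rest), the record shapes, and the optional trusted_proxies check are assumptions made here. The trusted_proxies parameter goes beyond the release note: since exporterIPv4Address is payload data, this example lets you restrict which packet sources may override the attribution.

```python
"""Added example: normalize NetFlow v9 / IPFIX / sFlow records into one
``flow`` object, keep or drop the originals as ELASTIFLOW_KEEP_ORIG_DATA
controls, and pick the exporter address the way a flow proxy requires.
Not ElastiFlow's own code; field names and record shapes are assumptions."""
import ipaddress
import json
import os

# Constructed sample input: two decoded flow packets as a collector might
# hold them. The first came through an nProbe-style proxy (the packet source
# is the proxy) and carries the real router in exporterIPv4Address; the
# second is sFlow sent directly by a switch and has no exporter field.
SAMPLE_PACKETS = [
    {"packet_src": "10.0.0.50", "type": "netflow", "record": {
        "exporterIPv4Address": "192.0.2.1",
        "sourceIPv4Address": "10.1.1.10", "destinationIPv4Address": "203.0.113.5",
        "sourceTransportPort": 51234, "destinationTransportPort": 443,
        "protocolIdentifier": 6, "octetDeltaCount": 12000, "packetDeltaCount": 15,
    }},
    {"packet_src": "192.0.2.2", "type": "sflow", "record": {
        "src_ip": "10.1.1.11", "dst_ip": "198.51.100.9",
        "src_port": 40000, "dst_port": 53,
        "ip_protocol": 17, "bytes": 300, "packets": 2,
    }},
]

# Original field name -> normalized flow key, per flow type (assumed names).
IPFIX_MAP = {
    "sourceIPv4Address": "src_addr", "destinationIPv4Address": "dst_addr",
    "sourceIPv6Address": "src_addr", "destinationIPv6Address": "dst_addr",
    "sourceTransportPort": "src_port", "destinationTransportPort": "dst_port",
    "protocolIdentifier": "ip_protocol",
    "octetDeltaCount": "bytes", "packetDeltaCount": "packets",
}
FIELD_MAPS = {
    "netflow": IPFIX_MAP,  # v9 records are assumed to use the same element names
    "ipfix": IPFIX_MAP,
    "sflow": {"src_ip": "src_addr", "dst_ip": "dst_addr",
              "src_port": "src_port", "dst_port": "dst_port",
              "ip_protocol": "ip_protocol", "bytes": "bytes", "packets": "packets"},
}


def keep_orig_setting(value):
    """Parse ELASTIFLOW_KEEP_ORIG_DATA: unset or anything but 'false' keeps originals."""
    return (value or "true").strip().lower() != "false"


def exporter_address(packet_src, record, trusted_proxies=None):
    """Address the flow is attributed to (node.ipaddr in this example).

    NetFlow v9 / IPFIX proxies put the originating device in
    exporterIPv4Address or exporterIPv6Address; honour that when present.
    ``trusted_proxies`` is a hardening step added here (assumption): because
    the field is payload data, only honour it for packets from known proxies.
    """
    in_record = record.get("exporterIPv4Address") or record.get("exporterIPv6Address")
    if in_record and (trusted_proxies is None or packet_src in trusted_proxies):
        return str(ipaddress.ip_address(in_record))   # also validates the literal
    return str(ipaddress.ip_address(packet_src))


def normalize(packet, keep_orig=None, trusted_proxies=None):
    """Build the event that would be sent to Elasticsearch for one packet."""
    if keep_orig is None:
        keep_orig = keep_orig_setting(os.environ.get("ELASTIFLOW_KEEP_ORIG_DATA"))
    ftype, record = packet["type"], packet["record"]
    flow = {norm: record[orig]
            for orig, norm in FIELD_MAPS[ftype].items() if orig in record}
    event = {
        "type": ftype,
        "node": {"ipaddr": exporter_address(packet["packet_src"], record, trusted_proxies)},
        "flow": flow,
    }
    if keep_orig:
        # Original object retained under its own key: netflow, ipfix or sflow.
        event[ftype] = dict(record)
    return event


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(json.dumps(normalize(pkt, keep_orig=False), indent=2))
```

Run it as is and you see both events without the netflow/sflow objects; pass keep_orig=True (or leave ELASTIFLOW_KEEP_ORIG_DATA unset) and each event also carries the untouched original record. Before turning originals off in production, check whether any saved search, alert or investigation workflow reads fields that the normalization does not carry over, since those fields are gone once the event is indexed.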

ElastiFlow v1.2.0

23 Dec 10:46
  1. This release has been tested with Elastic Stack versions 5.4.3, 5.5.3, 5.6.5 and 6.0.1. It will also work with 6.1.0 and 6.1.1, however due to issues with Kibana visualization scaling (see elastic/kibana#15594) I cannot yet recommend users making a move to 6.1.x.

  2. Modified index templates to support Elasticsearch 6.0. (#20)

  3. Improved support for bi-directional flows to better handle flows from devices such as Cisco ASA. (#29)

  4. Changed application_id to a keyword to better handle flows from devices such as Fortinet devices. (#14)

  5. Improved presentation of units for traffic volume (e.g. 100KB/s instead of 100000) in Timelion charts. (#24)

ElastiFlow v1.1.2

25 Sep 15:39
  1. Fixed the if statement that controls the conditions under which geoip_dst.autonomous_system is set. Thanks to @vpiserchia for contributing the PR.

  2. Modified the index template to use "codec": "best_compression" to reduce storage capacity requirements.

ElastiFlow v1.1.1

13 Sep 06:48

Fixed destination port normalization in case of UDP. Thanks to @vpiserchia for contributing the PR.

ElastiFlow v1.1.0

20 Aug 16:00
  1. Released under Apache License, Version 2.0.

  2. Enhanced with basic determination of client, server and service from the source and destination addresses and ports.

  3. Dashboards updated to use client/server instead of source/destination.

  4. Conversation Partners dashboard replaced by the Conversations dashboard.

  5. Updated GeoLite City and ASN databases.

  6. Corrected a problem where geoip.autonomous_system was not always set.
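
Item 2 above (deriving client, server and service from the source and destination addresses and ports) as an added Python example. The heuristic here is an assumption chosen for this page and is not ElastiFlow's own Logstash logic: if exactly one side uses a well-known port (below 1024) that side is the server, otherwise the lower port is the server side, and ICMP or other port-less flows treat the source as the client. The field names (src_addr, dst_addr, src_port, dst_port, ip_protocol) and the sample flows are constructed for the example.

```python
"""Added example (not ElastiFlow's code): client/server/service from a
normalized flow's addresses and ports, plus a direction-independent
conversation key so both halves of a TCP/UDP exchange group together."""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # assumption: minimal table

# Constructed sample flows: a TLS request and its reply, a DNS query,
# an ICMP flow with no ports, and a flow to a non-well-known service port.
SAMPLE_FLOWS = [
    {"src_addr": "10.1.1.10", "dst_addr": "203.0.113.5",
     "src_port": 51234, "dst_port": 443, "ip_protocol": 6},
    {"src_addr": "203.0.113.5", "dst_addr": "10.1.1.10",
     "src_port": 443, "dst_port": 51234, "ip_protocol": 6},
    {"src_addr": "10.1.1.11", "dst_addr": "198.51.100.9",
     "src_port": 40000, "dst_port": 53, "ip_protocol": 17},
    {"src_addr": "10.1.1.12", "dst_addr": "10.1.1.1", "ip_protocol": 1},
    {"src_addr": "10.1.1.13", "dst_addr": "10.2.2.2",
     "src_port": 50000, "dst_port": 8443, "ip_protocol": 6},
]


def classify(flow):
    """Return client/server/service fields for one normalized flow dict."""
    proto = flow.get("ip_protocol")
    src_port = flow.get("src_port")
    dst_port = flow.get("dst_port")

    if proto not in (6, 17) or src_port is None or dst_port is None:
        # No transport ports (e.g. ICMP): the source is taken as the client.
        server_is_src = False
    elif (src_port < 1024) != (dst_port < 1024):
        # Exactly one side is a well-known port: that side is the server.
        server_is_src = src_port < 1024
    else:
        # Both or neither well-known: the lower port is the server side;
        # on a tie the source stays the client.
        server_is_src = src_port < dst_port

    if server_is_src:
        client_addr, client_port = flow["dst_addr"], dst_port
        server_addr, server_port = flow["src_addr"], src_port
    else:
        client_addr, client_port = flow["src_addr"], src_port
        server_addr, server_port = flow["dst_addr"], dst_port

    proto_name = PROTO_NAMES.get(proto, str(proto))
    service = f"{server_port}/{proto_name}" if server_port is not None else proto_name
    return {
        "client_addr": client_addr, "client_port": client_port,
        "server_addr": server_addr, "server_port": server_port,
        "service": service,
        # Which way this record was travelling relative to the conversation.
        "direction": "server_to_client" if server_is_src else "client_to_server",
    }


def conversation_key(classified):
    """Same key for both directions of an exchange, for conversation grouping."""
    return (classified["client_addr"], classified["server_addr"], classified["service"])


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        c = classify(f)
        print(conversation_key(c), c["direction"])
```

Note that the rule is purely port-based: a host that deliberately sends from a low source port will be labelled the server, and two ephemeral ports are resolved only by which is lower. Where the exporter supplies connection state or flow direction (as some firewalls do), prefer that over the port heuristic.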

ElastiFlow v1.0.0

12 Aug 17:38

Developed and tested with Elastic Stack 5.5.0 and 5.5.1.