# Configure NetoFlow

*You can run NetoFlow with the default configuration, which should be sufficient for most deployments.*

## Modifying the configuration <a href="#modifying-the-configuration" id="modifying-the-configuration"></a>

NetoFlow uses a layered configuration that will read configuration from the `/etc/netoflow.conf` file, if it exists, and from environment variables next (environment variables take precedence).

Follow the steps in the install instructions for your chosen deployment method to edit and pass the configuration settings:

[Install NetoFlow (container)](/netoflow-connector/install-container.md) or [Install NetoFlow (Linux package)](/netoflow-connector/install-linux.md)

### Default configuration settings are in`/etc/netoflow.conf` <a href="#default-configuration-settings-are-inetcnetoflowconf" id="default-configuration-settings-are-inetcnetoflowconf"></a>

The default configuration settings are contained in `/etc/netoflow.conf.example`. This file is installed with the Linux software packages or can be downloaded for container deployments:

`curl -O https://neto-downloads.s3.amazonaws.com/netoflow/netoflow.conf.example`

## Configuration settings <a href="#configuration-settings" id="configuration-settings"></a>

| Section    | Key                 | Description                              | Default Value                       |
| ---------- | ------------------- | ---------------------------------------- | ----------------------------------- |
| general    | `udpbuffer`         | Size of the UDP buffer                   | 1048576                             |
| general    | `statsinterval`     | Interval in seconds to report stats      | 60                                  |
| general    | `flushinterval`     | Interval in seconds to flush data        | 5                                   |
| general    | `flushcount`        | Number of records to flush               | 2000                                |
| general    | `retries`           | Number of retries for failed operations  | 5                                   |
| general    | `retryinterval`     | Interval in seconds between retries      | 5                                   |
| general    | `dumprecords`       | Output to stdout instead of Netography   | false                               |
| general    | `templatedb`        | Path to the template database            | `/var/tmp/netoflow.db`              |
| general    | `downsample`        | Downsample rate for data                 | 10                                  |
| general    | `apihost`           | API host for data ingestion              | `https://api-ingest.netography.com` |
| general    | `devicecreationurl` | URL for device creation                  | `/api/v1/device`                    |
| general    | `audithost`         | Host for audit logs                      | `https://api.netography.com`        |
| general    | `auditurl`          | URL for audit logs                       | `/api/v1/audit`                     |
| flow       | `listen`            | Address and port to listen for flow data | `0.0.0.0:2055`                      |
| flow       | `workers`           | Number of worker threads                 | 4                                   |
| flow       | `queue`             | Size of the queue for incoming data      | 100000                              |
| syslog     | `level`             | Logging level                            | `info`                              |
| syslog     | `server`            | Syslog server address and port           | `localhost:514`                     |
| api        | `enabled`           | Enable or disable the API                | true                                |
| api        | `port`              | Port for the API                         | 8080                                |
| sflow      | `payload`           | Include payload in sFlow data            | false                               |
| tees       | `enabled`           | Enable or disable tees                   | false                               |
| tees       | `updateinterval`    | Interval in seconds to update tees       | 300                                 |
| tees       | `targets`           | List of target addresses for tees        |                                     |
| endpoint   | `netosecret`        | API key encoded as netosecret            |                                     |
| proxy      | `enabled`           | Enable or disable proxy                  | false                               |
| proxy      | `url`               | Proxy URL                                | \`                                  |
| filter     | `default`           | Default action for the filter            | allow                               |
| filter     | `logdeny`           | Log denied packets                       | false                               |
| flowfilter | `action`            | Action for the flow filter               |                                     |
| flowfilter | `dstnets`           | Destination networks for the flow filter |                                     |
| device     | `flowsrcip`         | Source IP address for flows              |                                     |
| device     | `downsample`        | Downsample rate for device data          |                                     |

### `[tees]` - Teeing flows <a href="#tees---teeing-flows" id="tees---teeing-flows"></a>

The NetoFlow Connector can tee flow packets to an array of targets. That is, it can deliver the packets to multiple destinations while preserving the source IP of the device that sent the flows to NetoFlow. This is useful if you want to send flow to an array of tools within the infrastructure. Teeing in NetoFlow accomplishes this while preserving this visibility to the other tools that are receiving flows. Refer to the `[tees]` section of the configuration example below for an example.

### `[general]` - Flow delivery performance tuning <a href="#general---flow-delivery-performance-tuning" id="general---flow-delivery-performance-tuning"></a>

In the general section of the configuration, there are several options to modify the behavior flow delivery to the cloud. By default, flows will be delivered to the cloud when either of 2 conditions is met:

* a 5-second flush interval timer
* 2,000 flow records.

One might wish to modify this behavior depending on how much traffic the NetoFlow Connector handles. Consult Netography Support for help tuning these values if needed.

### `[[flowfilter]]` - Flow Filters <a href="#flowfilter---flow-filters" id="flowfilter---flow-filters"></a>

You can define flow filters to exclude flow data from the traffic delivered to Fusion. Flow filters behave like firewall rules where you have a default behavior and then set an action in individual rules.

* Flow filters can contain a combination of the following array fields: `srcnets, dstnets, srcports, dstports, protocols, srcasns, dstasns`.
* The fields within a flow filter are processed as an **and**. If any array member matches within a field, that field is a match. All fields must match for a flow filter to match.
* Dropped records are logged at the debug level.
* You can have many flow filters as they are currently not capped. This is primarily CPU-bound, but the impact should be minimal.
* Refer to the `flowfilter` example in the configuration example below. Note the filter default setting, which defaults to "allow," as the normal case is to send Netography all flows.

{% hint style="info" %}
**📘A flow filter must contain an action and at least 1 set of criteria to match on.**
{% endhint %}

### `[general]/[device] downsample` Flow Sampling with NetoFlow <a href="#generaldevice-downsample--flow-sampling-with-netoflow" id="generaldevice-downsample--flow-sampling-with-netoflow"></a>

NetoFlow can perform client-side downsampling. If you have sampling being performed at your network devices and want to pass through the already sampled flow, this additional downsampling is not needed.

You can configure downsampling in 2 ways:

1. Apply a global downsample to any device NetoFlow sees flow from. This is set in the `[general]` section with the `downsample` key (or `NETO__GENERAL__DOWNSAMPLE` environment variable).
2. Apply a device-specific downsample by adding a `[device]` block to the configuration and specify the `flowsrcip` and the `downsample`to apply to it. See the example configuration below.

* Specific device downsample configurations will override the global downsample. The global downsample will only be used if there is no device-specific configuration.
* Valid downsample values are integers between 2 and 10,000.

\*\*Note: If you are downsampling on a device that doesn't send the sample rate (i.e. the sample rate appears to be 0), you must also configure the sample rate when adding that device in the Fusion Portal or you will receive incorrect metrics for that device. See [Ingest NetFlow/sFlow via the NetoFlow Connector](/ingest-network-traffic-logs/netflow-sflow/traffic-source-netoflow.md).

## Configuring NetoFlow to view flow rates before delivering flow to Fusion <a href="#configuring-netoflow-to-view-flow-rates-before-delivering-flow-to-fusion" id="configuring-netoflow-to-view-flow-rates-before-delivering-flow-to-fusion"></a>

It is possible to configure NetoFlow to acquire the flows per second sent by a device without delivering the flow records to Fusion. This is useful for understanding your internal flow volume. The easiest way to achieve this is to set a default filter of "deny" like such:

{% tabs %}
{% tab title="Shell" %}

```
[filter]
default = "deny"
logdeny = false
```

{% endtab %}
{% endtabs %}

Then, use the NetoFlow statistics API to read the flows per second. This will provide per-device statistics. See: [Reading statistics from NetoFlow API](/netoflow-connector/reading-statistics.md).

## Configuration example <a href="#configuration-example" id="configuration-example"></a>

```
[general]
udpbuffer         = 1048576  # size of the UDP buffer, default: 1048576
statsinterval     = 60       # interval in seconds to report stats, default: 60
flushinterval     = 5        # interval in seconds to flush data, default: 5
flushcount        = 2000     # number of records to flush, default: 2000
retries           = 5        # number of retries for failed operations, default: 5
retryinterval     = 5        # interval in seconds between retries, default: 5
dumprecords       = false    # output to stdout instead of netography, default: false
templatedb         = "/var/tmp/netoflow.db"  # path to the template database, default: "/var/tmp/netoflow.db"
#downsample        = 10      # downsample rate for data, default: 10
#apihost           = "https://api-ingest.netography.com"  # API host for data ingestion, default: "https://api-ingest.netography.com"
#devicecreationurl = "/api/v1/device"  # URL for device creation, default: "/api/v1/device"
#audithost         = "https://api.netography.com"  # host for audit logs, default: "https://api.netography.com"
#auditurl          = "/api/v1/audit"  # URL for audit logs, default: "/api/v1/audit"

[flow]
listen          = "0.0.0.0:2055"  # address and port to listen for flow data, default: "0.0.0.0:2055"
workers         = 4               # number of worker threads, default: 4
queue           = 100000          # size of the queue for incoming data, default: 100000

[syslog]
level           = "info"          # logging level, default: "info"
server          = "localhost:514" # syslog server address and port, default: "localhost:514"

[api]
enabled         = true  # enable or disable the API, default: true
port            = 8080  # port for the API, default: 8080

[sflow]
payload         = false  # include payload in sFlow data, default: false

#[tees]
#enabled         = false  # enable or disable tees, default: false
#updateinterval  = 300    # interval in seconds to update tees, default: 300
#targets         = [ "10.0.0.1:2055" ]  # list of target addresses for tees, default: [ "10.0.0.1:2055" ]

[endpoint]
netosecret       = ""  # API key encoded as netosecret

[proxy]
enabled         = false  # enable or disable proxy, default: false
url             = "http://10.0.0.1:3121"  # proxy URL

[filter]
default = "allow"  # default action for the filter, default: "allow"
logdeny = false    # log denied packets, default: false

#[[ flowfilter ]]
#action = "deny"  # action for the flow filter, default: "deny"
#dstnets = ["10.0.0.0/24"]  # destination networks for the flow filter

#[[device]]
#flowsrcip      = "192.168.2.254"  # source IP address for flows
#downsample     = 100              # downsample rate for device data
```

## Setting configuration in environment variables <a href="#setting-configuration-in-environment-variables" id="setting-configuration-in-environment-variables"></a>

Configuration can be set in the environment instead of the `/etc/netoflow.conf` file.

* If you are using the container, ensure you are following the instructions in [Install NetoFlow (container)](/netoflow-connector/install-container.md) to map the environment variables into the container correctly.

{% hint style="danger" %}
**❗️You can not set the teestargets, flowfilter, or device sections in environment variables today**

These settings involve a list or array (ie multiple values), which is not parsed from environment variables today. If you are modifying these configuration settings, you must modify the `netoflow.conf` file.
{% endhint %}

### Environment variable naming convention <a href="#environment-variable-naming-convention" id="environment-variable-naming-convention"></a>

Use this format for environment variables:\
`NETO__SECTION__KEY=value`

* `NETO` is the prefix for all configuration environment variables
* Replace `SECTION` with the configuration section name. This is the value in square brackets `[]` in the conf file above the setting.
* Replace `KEY` with the name of the configuration setting.

{% hint style="info" %}
**ℹ️The separator used is two underscores \_\_. If you use one underscore \_ it won't work.**
{% endhint %}

### Environment variables mapping <a href="#environment-variables-mapping" id="environment-variables-mapping"></a>

The correct environment variable names to set for each configuration item in the `netoflow.conf.example`file is shown below.

```
NETO__GENERAL__UDPBUFFER=1048576
NETO__GENERAL__STATSINTERVAL=60
NETO__GENERAL__FLUSHINTERVAL=5
NETO__GENERAL__FLUSHCOUNT=2000
NETO__GENERAL__RETRIES=5
NETO__GENERAL__RETRYINTERVAL=5
NETO__GENERAL__DUMPRECORDS=false
NETO__GENERAL__TEMPLATEDB="/var/tmp/netoflow.db"
NETO__GENERAL__DOWNSAMPLE=10
NETO__GENERAL__APIHOST="https://api-ingest.netography.com"
NETO__GENERAL__DEVICECREATIONURL="/api/v1/device"
NETO__GENERAL__AUDITHOST="https://api.netography.com"
NETO__GENERAL__AUDITURL="/api/v1/audit"
NETO__FLOW__LISTEN="0.0.0.0:2055"
NETO__FLOW__WORKERS=4
NETO__FLOW__QUEUE=100000
NETO__SYSLOG__LEVEL="info"
NETO__SYSLOG__SERVER="localhost:514"
NETO__API__ENABLED=true
NETO__API__PORT=8080
NETO__SFLOW__PAYLOAD=false
NETO__TEES__ENABLED=false
NETO__TEES__UPDATEINTERVAL=300
NETO__ENDPOINT__NETOSECRET=""
NETO__PROXY__ENABLED=false
NETO__PROXY__URL="http://10.0.0.1:3121"
NETO__FILTER__DEFAULT="allow"
NETO__FILTER__LOGDENY=false
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/netoflow-connector/configure.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.