Overview

When enabled, the agent:

  • Listens on UDP ports for incoming NetFlow streams
  • Parses flow records using version-appropriate templates
  • Enriches flows with reverse DNS information
  • Aggregates and batches flows before sending them to the backend
  • Applies namespace tags to support multi-environment or multi-datacenter separation

The agent supports configuring multiple listeners, allowing you to receive different NetFlow versions and traffic on different ports simultaneously.

Requirements

Component           Requirement
Agent               atatus-infra-agent
Version             4.2.0 or higher
Supported Formats   netflow5, netflow9, ipfix, sflow5
Transport           UDP

Configuration File

NetFlow configuration belongs under: /etc/atatus-infra-agent/conf.d/netflow.d/netflow.yml

Full Configuration Structure

Below is the full NetFlow configuration in YAML:

metrics:
  - enabled: true
    tags:
      - env:prod
      - team:network

    # NetFlow Configuration
    netflow:
      # Graceful shutdown timeout (seconds)
      stop_timeout: 10

      # Listeners
      listeners:

        # ---- NetFlow v5 ----
        - flow_type: netflow5 # choices: netflow5, netflow9, ipfix, sflow5
          bind_host: 0.0.0.0 # all interfaces; set a specific address to limit exposure
          port: 2055
          workers: 4
          namespace: chennai-office

          # Optional field mapping overrides
          mapping:
            - field: 8
              destination: source.ip
              type: ipv4
            - field: 12
              destination: destination.ip
              type: ipv4
            - field: 7
              destination: source.port
              type: uint16
            - field: 11
              destination: destination.port
              type: uint16
            - field: 1
              destination: bytes
              type: uint32

        # ---- NetFlow v9 / IPFIX ----
        - flow_type: netflow9
          bind_host: 0.0.0.0
          port: 4739
          workers: 8
          namespace: chennai-office

      # Aggregator
      aggregator_buffer_size: 20000
      aggregator_flush_interval: 5
      aggregator_flow_context_ttl: 300
      aggregator_max_flows_per_flush_interval: 50000

      aggregator_port_rollup_threshold: 1000
      aggregator_port_rollup_disabled: false
      aggregator_rollup_tracker_refresh_interval: 3600

      # Reverse DNS
      reverse_dns_enrichment_enabled: true
      rdns_workers: 4
      rdns_chan_size: 1000

      rdns_cache:
        enabled: true
        entry_ttl: 86400
        clean_interval: 300
        persist_interval: 600
        max_retries: 3
        max_size: 50000

      rdns_rate_limiter:
        enabled: true
        limit_per_sec: 50
        limit_throttled_per_sec: 10
        throttle_error_threshold: 5
        recovery_intervals: 3
        recovery_interval: 60
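
To show what template-driven parsing and the `mapping` overrides above mean on the wire, the following added Python example (not the agent's own code) decodes a NetFlow v9 datagram per RFC 3954 using the five field mappings from this page, and rejects inconsistent lengths because UDP flow input is unauthenticated. The field numbers in the mapping match the v9 field-type IDs (1 = IN_BYTES, 7 = L4_SRC_PORT, 8 = IPV4_SRC_ADDR, 11 = L4_DST_PORT, 12 = IPV4_DST_ADDR); the name `parse_v9`, the template cache layout and the sample datagram are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Field-type IDs, destinations and types copied from the page's `mapping` block.
MAPPING = {8: ("source.ip", "ipv4"), 12: ("destination.ip", "ipv4"),
           7: ("source.port", "uint16"), 11: ("destination.port", "uint16"),
           1: ("bytes", "uint32")}

def parse_v9(datagram, templates):
    """Return flows from one datagram; `templates` must persist across calls."""
    if len(datagram) < 20 or datagram[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    source_id = struct.unpack_from("!I", datagram, 16)[0]
    flows, off = [], 20
    while off + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, off)
        if set_len < 4 or off + set_len > len(datagram):
            raise ValueError("bad flowset length")  # UDP input is untrusted
        body, off = datagram[off + 4:off + set_len], off + set_len
        if set_id == 0:  # template flowset: id, field count, then type/length pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    break  # padding or truncated template
                templates[source_id, tid] = [  # cache key: (source_id, template_id)
                    struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                pos = end
        elif set_id >= 256 and (source_id, set_id) in templates:  # data flowset
            fields = templates[source_id, set_id]
            rec_len = sum(length for _, length in fields)
            if rec_len == 0:
                continue
            for start in range(0, len(body) - rec_len + 1, rec_len):
                flow, p = {}, start
                for ftype, flen in fields:
                    if ftype in MAPPING:
                        dest, kind = MAPPING[ftype]
                        val = int.from_bytes(body[p:p + flen], "big")  # network order
                        flow[dest] = str(ipaddress.IPv4Address(val)) if kind == "ipv4" else val
                    p += flen
                flows.append(flow)
    return flows

# Constructed sample: header (source_id 7), template 256, then one data record.
SAMPLE = (struct.pack("!HHIIII", 9, 2, 0, 0, 1, 7)
          + struct.pack("!14H", 0, 28, 256, 5, 8, 4, 12, 4, 7, 2, 11, 2, 1, 4)
          + struct.pack("!HH4B4BHHI", 256, 20, 10, 0, 0, 5, 192, 0, 2, 10, 51514, 443, 1500))
```

Data flowsets that arrive before their template are skipped rather than guessed at, and a production listener would additionally key the template cache by exporter address.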

Restart the Agent

sudo systemctl restart atatus-infra-agent