Skip to main content

Illumio Core 23.2 Administration Guide

Export Traffic Flow Summaries

Decide where to export the traffic flow summaries: syslog or Fluentd.

Caution

By default, from the 19.3.0 release on, the PCE generates all traffic flow summaries and sends them to syslog.

If you have not configured syslog, the syslog data by default is written to a local disk. For example, it is written to /var/log/messages.

Export to Syslog

To configure and export the traffic flow summaries to a remote syslog, follow these steps:

  1. From the PCE web console menu, choose Settings > Event Settings.

  2. Enable a remote syslog destination.

  3. Select specific traffic flow summaries to be sent to remote syslog.

    This filters the selected traffic flow summaries and send those to the remote syslog.

To prevent the syslog data from being written to a local disk based on your preference, deselect the Events checkboxes on the Settings > Event Settings > Local page in the PCE web console. For more information, see Events Settings.

Note

The generation of all traffic flow summaries is implemented to ensure that all of the traffic flow summaries are controlled from the PCE web console only.

This example shows the runtime_env.yml configuration to generate all types of flow summaries.

Export to Syslog

export_flow_summaries_to_syslog:
- accepted
- potentially_blocked
- blocked

This example shows the runtime_env.yml configuration if you do not want to generate any types of flow summaries.

Export to Syslog

export_flow_summaries_to_syslog:
- none

Note

Illumio does not currently support having a primary and secondary syslog configuration, with disaster recovery and failover.

You can configure it on a system syslog (local) and use the internal syslog configuration to send messages to local, which sends to system syslog.

Export to Fluentd

To generate and export the traffic flow summaries to Fluentd, follow these steps:

  1. Set the export_flow_summaries_to_fluentd parameter in runtime_env.yml.

  2. Set the external_fluentd_aggregator_servers parameter in runtime_env.yml.

This example shows the runtime_env.yml configuration to generate two types of flow summaries, out of the three possible types.

Export to Fluentd

external_fluentd_aggregator_servers:
- fluentd-server.domain.com:24224
export_flow_summaries_to_fluentd:
- accepted
- blocked
Flow Duration Attributes

The 20.2.0 VEN sends two new attributes to the syslog and fluentd output. The new attributes describe the flow duration and are appended to the flow data.

  • Delta flow duration in milliseconds (ddms): The duration of the aggregate within the current sampling interval. This field enables you to calculate the bandwidth between two applications in a given sampling interval. The formula is dbo (delta bytes out) / delta_duration_ms, or dbi / delta_duration_ms.

  • Total flow duration in milliseconds (tdms): The duration of the aggregate across all sampling intervals. This field enables you to calculate the average bandwidth of a connection between two applications. The formula is tbo (total bytes out) / total_duration_ms, or tbo / total_duration_ms. It also enables you to calculate the average volume of data in a connection between two applications. The formula is tbo (total bytes out) / count (number of flows in an aggregate), or tbi / count.