
Administration Guide for 25.3

Export Traffic Flow Summaries

Decide where to export the traffic flow summaries: Syslog or Fluentd.

Caution

By default, the PCE generates all traffic flow summaries and sends them to Syslog.

If you have not configured Syslog, the Syslog data is written to a local disk by default. For example, it is written to /var/log/messages.

Export to Syslog

To configure and export the traffic flow summaries to a remote syslog, follow these steps:

  1. From the PCE web console menu, choose Settings > Events Settings.

  2. Enable a remote Syslog destination.

  3. Select specific traffic flow summaries to be sent to the remote syslog.

    This filters the selected traffic flow summaries and sends those to the remote syslog.

If you do not want the Syslog data written to a local disk, deselect the Events checkboxes on the Settings > Event Settings > Local page in the PCE web console.

Note

The PCE generates all traffic flow summaries so that which summaries are exported can be controlled from one place: the PCE web console.

This example shows the runtime_env.yml configuration to generate all types of flow summaries.

Export to Syslog

export_flow_summaries_to_syslog:
- accepted
- potentially_blocked
- blocked

This example shows the runtime_env.yml configuration if you do not want to generate any types of flow summaries.

Export to Syslog

export_flow_summaries_to_syslog:
- none

Note

Illumio does not currently support having a primary and secondary syslog configuration with disaster recovery and failover.

Instead, you can configure failover in the local system syslog: use the PCE's internal syslog configuration to send messages to the local destination, which hands them to the system syslog.

Export to Fluentd

To generate and export the traffic flow summaries to Fluentd, follow these steps:

  1. Set the export_flow_summaries_to_fluentd parameter in runtime_env.yml.

  2. Set the external_fluentd_aggregator_servers parameter in runtime_env.yml.

This example shows the runtime_env.yml configuration to generate two flow summaries out of the three possible types.

Export to Fluentd

external_fluentd_aggregator_servers:
- fluentd-server.domain.com:24224
export_flow_summaries_to_fluentd:
- accepted
- blocked
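The two settings above have a few consistency rules the page states but the PCE does not show you at edit time: only the three summary types (or `none` on its own) are valid list entries, and a Fluentd export needs at least one aggregator server in `host:port` form. The following is an added example, not Illumio code, that checks those rules over the flat `key:` / `- item` YAML subset used in the examples on this page; the toy parser handles only that subset and the `host:port` check is an assumption about the expected server format.

```python
"""Check the flow-summary export settings in a runtime_env.yml fragment.

Added example, not Illumio code. Parses only the flat "key:" / "- item"
YAML subset shown on this page (no PyYAML dependency) and applies the
rules the page states: the three summary types, the exclusive "none"
value, and that a Fluentd export also names an aggregator server.
"""
import re

FLOW_TYPES = {"accepted", "potentially_blocked", "blocked"}
EXPORT_KEYS = ("export_flow_summaries_to_syslog", "export_flow_summaries_to_fluentd")
SERVER_KEY = "external_fluentd_aggregator_servers"


def parse_flat_yaml(text):
    """Parse 'key:' lines followed by '- item' lines into {key: [items]}.

    Toy subset parser for the fragments on this page; it is not a YAML parser.
    """
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if line.lstrip().startswith("- "):
            if current is None:
                raise ValueError(f"list item outside a key: {raw!r}")
            config[current].append(line.lstrip()[2:].strip())
        elif line.endswith(":"):
            current = line[:-1].strip()
            config[current] = []
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return config


def validate_flow_export(config):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    for key in EXPORT_KEYS:
        values = config.get(key)
        if values is None:
            continue
        if "none" in values and len(values) > 1:
            problems.append(f"{key}: 'none' cannot be combined with other types")
        for v in values:
            if v != "none" and v not in FLOW_TYPES:
                problems.append(f"{key}: unknown flow summary type {v!r}")
    fluentd = config.get("export_flow_summaries_to_fluentd", [])
    servers = config.get(SERVER_KEY, [])
    if fluentd and fluentd != ["none"] and not servers:
        problems.append(f"{SERVER_KEY} is required when exporting to Fluentd")
    for server in servers:
        # Assumed format: hostname:port with a port in 1..65535.
        if (not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", server)
                or not 0 < int(server.rsplit(":", 1)[1]) < 65536):
            problems.append(f"{SERVER_KEY}: expected host:port, got {server!r}")
    return problems


# Constructed fragments: the page's Fluentd example, and an inconsistent one
# that mixes "none" with a type, misspells a type and omits the server list.
GOOD_FRAGMENT = """\
external_fluentd_aggregator_servers:
- fluentd-server.domain.com:24224
export_flow_summaries_to_fluentd:
- accepted
- blocked
"""

BAD_FRAGMENT = """\
export_flow_summaries_to_fluentd:
- none
- accepted
export_flow_summaries_to_syslog:
- blockd
"""

if __name__ == "__main__":
    for name, fragment in (("good", GOOD_FRAGMENT), ("bad", BAD_FRAGMENT)):
        print(name, validate_flow_export(parse_flat_yaml(fragment)) or "OK")
```

Run it against a fragment before restarting the PCE; the bad fragment reports three problems, the page's own example reports none.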

Flow Duration Attributes

VENs send two attributes to the Syslog and fluentd output. These attributes describe the flow duration and are appended to the flow data.

  • Delta flow duration in milliseconds (ddms): The duration of the aggregate within the current sampling interval. This field lets you calculate the bandwidth between two applications in a given sampling interval. The formula is dbo (delta bytes out) / delta_duration_ms or dbi (delta bytes in) / delta_duration_ms.

  • Total flow duration in milliseconds (tdms): The duration of the aggregate across all sampling intervals. This field enables you to calculate the average bandwidth of a connection between two applications. The formula is tbo (total bytes out) / total_duration_ms, or tbi (total bytes in) / total_duration_ms. It also enables you to calculate the average volume of data in a connection between two applications. The formula is tbo (total bytes out) / count (number of flows in an aggregate) or tbi / count.
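The formulas above are easy to get wrong in a dashboard query, mostly by dividing by a zero duration when a flow is shorter than the timer resolution. The following is an added example, not Illumio code, that applies the page's formulas to flow records. The page names the counters (dbo, dbi, tbo, tbi, ddms, tdms, count) but does not show how an exported summary line is laid out, so the space-separated `key=value` record format and the sample values are constructed for illustration.

```python
"""Bandwidth and volume from the ddms/tdms flow duration attributes.

Added example, not Illumio code. The record layout is an assumption:
the page names the counters but not the line format, so this uses a
constructed "key=value key=value ..." layout for illustration.
"""


def parse_flow_record(line):
    """Turn 'key=value ...' into a dict; numeric values become ints."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = int(value) if value.lstrip("-").isdigit() else value
    return fields


def _div(numerator, denominator):
    """Divide, returning None instead of a rate when the denominator is 0.

    A zero duration means the aggregate was shorter than the timer
    resolution, so there is no meaningful rate for that interval.
    """
    if denominator <= 0:
        return None
    return numerator / denominator


def flow_metrics(rec):
    """Apply the page's formulas to one record.

    Rates are bytes per millisecond, the units the page defines. The
    *_mbps value converts that to megabits per second for readability:
    bytes/ms * 8 bits/byte * 1000 ms/s / 1e6 bits/Mbit.
    """
    out = {
        "interval_rate_out": _div(rec["dbo"], rec["ddms"]),  # dbo / delta_duration_ms
        "interval_rate_in": _div(rec["dbi"], rec["ddms"]),   # dbi / delta_duration_ms
        "avg_rate_out": _div(rec["tbo"], rec["tdms"]),       # tbo / total_duration_ms
        "avg_rate_in": _div(rec["tbi"], rec["tdms"]),        # tbi / total_duration_ms
        "avg_volume_out": _div(rec["tbo"], rec["count"]),    # tbo / count
        "avg_volume_in": _div(rec["tbi"], rec["count"]),     # tbi / count
    }
    rate = out["interval_rate_out"]
    out["interval_out_mbps"] = None if rate is None else rate * 8 * 1000 / 1e6
    return out


# Constructed sample records (not real PCE output). The second one has a
# zero delta duration, the edge case the rate calculation must tolerate.
SAMPLE_LINES = [
    "src=10.0.0.5 dst=10.0.1.9 dport=443 dbo=1200000 dbi=300000 ddms=1000 "
    "tbo=6000000 tbi=1500000 tdms=5000 count=3",
    "src=10.0.0.7 dst=10.0.1.9 dport=443 dbo=512 dbi=128 ddms=0 "
    "tbo=512 tbi=128 tdms=0 count=1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_flow_record(line)
        print(rec["src"], "->", rec["dst"], flow_metrics(rec))
```

The first record yields 1200 bytes/ms (9.6 Mbps) outbound in the sampling interval and 2,000,000 bytes per flow on average; the second reports None for every rate rather than raising on the zero duration.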