Configuring Exporters
obserae only sees the flows your network devices send it. This page shows how to turn on flow export on the gear you already have — routers, switches, firewalls, hypervisors and host probes — and point it at obserae.
obserae ingests NetFlow v5, NetFlow v9 and IPFIX over UDP:
| Protocol | Default UDP port |
|---|---|
| NetFlow v5 / v9 | 2055 |
| IPFIX (a.k.a. v10) | 4739 |
Point each device at <obserae-host> on the port that matches the protocol it
sends. When you have the choice, prefer NetFlow v9 or IPFIX over v5 — v5 is
IPv4-only and carries fewer fields.
obserae needs NetFlow or IPFIX, not sFlow and not cloud flow logs. A number of switches export only sFlow, a different, sampling-based protocol: many older HPE/Aruba ProVision switches, Dell OS9/OS10, and some Extreme/Ruckus gear in its default mode. obserae cannot ingest sFlow. If that is all your device speaks, either enable IPFIX instead when the model supports it, or run a converter (pmacct, sflowtool, sFlow-RT) to translate sFlow into NetFlow and forward that to obserae. Likewise, cloud VPC flow logs (AWS, Azure, GCP) are a proprietary JSON format delivered to cloud storage, not NetFlow; they need a separate conversion pipeline, not a UDP collector.
Routers & switches
Cisco IOS / IOS-XE
Flexible NetFlow — NetFlow v5/v9 and IPFIX. Official docs
flow exporter OBSERAE
 destination <obserae-host>
 transport udp 2055
 export-protocol netflow-v9
 ! for IPFIX instead: export-protocol ipfix, with transport udp 4739
flow monitor OBSERAE-MON
 exporter OBSERAE
 record netflow ipv4 original-input
interface GigabitEthernet0/0/1
 ip flow monitor OBSERAE-MON input
Juniper (Junos MX/EX, SRX)
J-Flow / inline flow monitoring — NetFlow v5/v9 and IPFIX. Official docs
set forwarding-options sampling instance JF family inet input rate 1000
set forwarding-options sampling instance JF family inet output flow-server <obserae-host> port 2055 version9
set forwarding-options sampling instance JF family inet output inline-jflow source-address <router-ip>
set interfaces ge-0/0/0 unit 0 family inet sampling input
For IPFIX use version-ipfix and port 4739. Junos allows one sampling instance
per device, and the exported flows are sampled (not 1:1), so tune the rate.
MikroTik RouterOS
Traffic Flow — NetFlow v1/v5/v9 and IPFIX. Official docs
/ip traffic-flow set enabled=yes
/ip traffic-flow target add dst-address=<obserae-host> port=2055 version=9
Use version=ipfix port=4739 for IPFIX. Traffic Flow only sees CPU-processed
traffic, not hardware-bridged traffic.
More routers & switches
| Device | Protocols | Official docs |
|---|---|---|
| Cisco Nexus (NX-OS) | NetFlow v9, IPFIX | docs — set transport udp 2055 (NX-OS default 9995 is a trap) |
| Cisco Meraki MX / MS | NetFlow v9 / IPFIX | docs |
| Huawei (NetStream, S1720, S2700, S5700, and S6720 V200R011C10) | NetFlow v5/v9, IPFIX | docs |
| Arista EOS | IPFIX | docs |
| Nokia SR OS (Cflowd) | NetFlow v5/v8/v9, IPFIX | docs |
| Extreme EXOS / VOSS | NetFlow v9, IPFIX (also sFlow) | docs |
| HPE Aruba (ArubaOS-CX) | IPFIX | docs — ProVision/ArubaOS-Switch is sFlow-only |
| VyOS | NetFlow v5/v9, IPFIX | docs |
| Ubiquiti EdgeRouter (EdgeOS) | NetFlow v5/v9, IPFIX | docs |
| Ubiquiti UniFi Gateway | NetFlow v5/v9, IPFIX | docs |
| Allied Telesis (AlliedWare Plus) | IPFIX | docs |
| Ruckus / Brocade ICX | NetFlow v9, IPFIX (FastIron 09.x) | docs — sFlow on older firmware |
Firewalls & UTM
FortiGate / FortiOS
NetFlow v9 (and v5). NetFlow is enabled per interface. Official docs
config system netflow
    set collector-ip <obserae-host>
    set collector-port 2055
end
config system interface
    edit "port1"
        set netflow-sampler both
    next
end
Palo Alto PAN-OS
NetFlow v9. Official docs
In the GUI: Device → Server Profiles → NetFlow, add a profile with server
<obserae-host> and port 2055, then assign that profile to each ingress
interface under Network → Interfaces.
pfSense
NetFlow v5/v9 and IPFIX. Official docs (pflow)
- pfSense Plus 24.03+: Firewall → Packet Flow Data (pflow) → add an exporter, Collector <obserae-host>, Port 2055 (NetFlow) or 4739 (IPFIX).
- Older / Community Edition: install the softflowd package (System → Package Manager), then Services → softflowd: Host <obserae-host>, Port 2055, version 9.
OPNsense
NetFlow v5/v9. Official docs
In the GUI: Reporting → NetFlow → select the interfaces to watch, set
Version 9, and add the destination <obserae-host>:2055.
More firewalls & UTM
| Device | Protocols | Official docs |
|---|---|---|
| Cisco ASA | NetFlow v9 / NSEL | docs |
| Juniper SRX | NetFlow v5/v9, IPFIX | docs |
| Check Point (Gaia) | NetFlow v5/v9, IPFIX | docs |
| SonicWall (SonicOS AppFlow) | NetFlow v5/v9, IPFIX | docs |
| Sophos Firewall (SFOS) | NetFlow v5 | docs |
| WatchGuard Firebox | NetFlow v5/v9 | docs |
| Barracuda CloudGen Firewall | NetFlow v5/v9, IPFIX | docs |
| F5 BIG-IP (AFM/AVR) | NetFlow v9, IPFIX | docs — its sFlow is system monitoring only; use IPFIX/NetFlow for flow export |
Host & software probes
Run a probe on a server or a SPAN/mirror port when the device itself can’t export flows.
softflowd
Reads a libpcap interface, exports NetFlow v1/v5/v9 or IPFIX. Official docs
softflowd -i eth0 -v 9 -n <obserae-host>:2055 # NetFlow v9
softflowd -i eth0 -v 10 -n <obserae-host>:4739 # IPFIX
pmacct (nfprobe plugin)
Capture daemon (pmacctd / uacctd) with the built-in nfprobe plugin.
Official docs (CONFIG-KEYS)
# pmacctd.conf
pcap_interface: eth0
plugins: nfprobe
nfprobe_receiver: <obserae-host>:2055
nfprobe_version: 9 # 5, 9, or 10 (IPFIX → use :4739)
aggregate: src_host, dst_host, src_port, dst_port, proto
More host probes
| Probe | Protocols | Official docs |
|---|---|---|
| fprobe / fprobe-ng | NetFlow v1/v5/v7 | man page |
| nProbe (ntop) | NetFlow v5/v9, IPFIX | docs |
| ipt-NETFLOW (Linux kernel module) | NetFlow v5/v9, IPFIX | docs |
| YAF (CERT NetSA) | IPFIX | docs |
| ulogd2 (Netfilter) | IPFIX | man page |
Virtual & cloud switches
Open vSwitch (OVS)
NetFlow v5 and IPFIX (per bridge). Official docs (ovs-vsctl)
# NetFlow v5
ovs-vsctl -- set Bridge br0 netflow=@nf -- \
--id=@nf create NetFlow targets='"<obserae-host>:2055"' active-timeout=60
# IPFIX
ovs-vsctl -- set Bridge br0 ipfix=@i -- \
--id=@i create IPFIX targets='"<obserae-host>:4739"'
More virtual switches
| Platform | Protocols | Official docs |
|---|---|---|
| VMware vSphere Distributed Switch | IPFIX | docs |
Verifying it works
Once a device is exporting, watch the flows counter climb:
./obserae-cli --socket ./data/obserae.sock status
If after a couple of minutes the counter stays at 0:
- Is the listener up? sudo ss -ulnp | grep -E '2055|4739'
- Is anything arriving? sudo tcpdump -ni any udp port 2055 -c 5 (use 4739 for IPFIX).
NetFlow v9 / IPFIX template warm-up. These protocols send a template describing the record layout separately from the data, and only every so often (often every 20 packets or every 30 minutes, depending on the device). Until obserae receives that first template, the matching flows can't be decoded, so a brand-new exporter can show traffic in tcpdump while the counter is still 0. Wait for the next template, or force a refresh on the device. NetFlow v5 has no templates and decodes immediately.
If tcpdump shows packets but the counter never moves even after the template
window, check the daemon log — it prints decode errors at the default verbosity.
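The template warm-up described above, as an added example (not obserae's own code): a small Python classifier that walks a NetFlow v9 or IPFIX payload and reports whether each data set already has a template. The function names, the cache keyed by exporter address plus source ID / observation domain, and the sample packet are assumptions for illustration; options templates and IPFIX template withdrawals are not tracked.

```python
import struct

HEADER_LEN = {9: 20, 10: 16}    # NetFlow v9 / IPFIX message header sizes
TEMPLATE_SET = {9: 0, 10: 2}    # set ID carrying templates (options templates not tracked)

def template_ids(body, ipfix):
    """Return the template IDs defined in one template set body."""
    ids, off = [], 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if tid < 256:                       # padding: real template IDs start at 256
            break
        off += 4
        for _ in range(nfields):
            if off + 4 > len(body):
                return ids                  # truncated record, ignore it
            ftype = struct.unpack_from("!H", body, off)[0]
            # IPFIX enterprise fields carry an extra 4-byte enterprise number
            off += 8 if (ipfix and ftype & 0x8000) else 4
        ids.append(tid)
    return ids

def inspect(exporter, payload, cache):
    """Classify one UDP payload as (kind, id, decodable); cache holds (exporter, domain, tid)."""
    version, count = struct.unpack_from("!HH", payload.ljust(4, b"\0"))
    if version == 5:
        return [("v5", count, True)]        # fixed layout, no template needed
    if version not in HEADER_LEN or len(payload) < HEADER_LEN[version]:
        return [("unknown", version, False)]
    out, off = [], HEADER_LEN[version]
    domain = struct.unpack_from("!I", payload, off - 4)[0]  # source ID / observation domain
    while off + 4 <= len(payload):
        set_id, length = struct.unpack_from("!HH", payload, off)
        if length < 4:
            break                           # malformed set length
        if set_id == TEMPLATE_SET[version]:
            for tid in template_ids(payload[off + 4:off + length], version == 10):
                cache.add((exporter, domain, tid))
                out.append(("template", tid, True))
        elif set_id >= 256:                 # data set, named after its template ID
            out.append(("data", set_id, (exporter, domain, set_id) in cache))
        off += length
    return out

# Constructed sample: v9 template 256 (two 4-byte fields) and a one-set packet builder.
TMPL = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
def v9_packet(set_id, body, source_id=1):
    return struct.pack("!HHIIIIHH", 9, 1, 0, 0, 0, source_id, set_id, 4 + len(body)) + body
```

A data set that arrives before its template comes back with decodable set to False, which is the state in which tcpdump shows packets while the flows counter stays at 0.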
Next steps
- Connectors — give each exporter a friendly name in the GUI.
- Quickstart — your first cartography, rules and query.
- Configuration — change the listener ports or disable a protocol.