Getting Started

Configuring Exporters

obserae only sees the flows your network devices send it. This page shows how to turn on flow export on the gear you already have — routers, switches, firewalls, hypervisors and host probes — and point it at obserae.

obserae ingests NetFlow v5, NetFlow v9 and IPFIX over UDP:

| Protocol | Default UDP port |
| --- | --- |
| NetFlow v5 / v9 | 2055 |
| IPFIX (a.k.a. v10) | 4739 |

Point each device at <obserae-host> on the port that matches the protocol it sends. When you have the choice, prefer NetFlow v9 or IPFIX over v5 — v5 is IPv4-only and carries fewer fields.

obserae needs NetFlow or IPFIX — not sFlow, and not cloud flow logs. A number of switches export only sFlow (a different, sampling-based protocol: many older HPE/Aruba ProVision switches, Dell OS9/OS10, and the default mode on some Extreme/Ruckus gear). obserae cannot ingest sFlow. If that is all your device speaks, either enable IPFIX instead when the model supports it, or run a converter (pmacct, sflowtool, sFlow-RT) to translate sFlow into NetFlow and forward that to obserae. Likewise, cloud VPC flow logs (AWS, Azure, GCP) are a proprietary JSON format delivered to cloud storage, not NetFlow — they need a separate conversion pipeline, not a UDP collector.


Routers & switches

Cisco IOS / IOS-XE

Flexible NetFlow — NetFlow v5/v9 and IPFIX. Official docs

flow exporter OBSERAE
 destination <obserae-host>
 transport udp 2055
 export-protocol netflow-v9        ! or: export-protocol ipfix  (transport udp 4739)

flow monitor OBSERAE-MON
 exporter OBSERAE
 record netflow ipv4 original-input

interface GigabitEthernet0/0/1
 ip flow monitor OBSERAE-MON input

Juniper (Junos MX/EX, SRX)

J-Flow / inline flow monitoring — NetFlow v5/v9 and IPFIX. Official docs

set forwarding-options sampling instance JF family inet input rate 1000
set forwarding-options sampling instance JF family inet output flow-server <obserae-host> port 2055 version9
set forwarding-options sampling instance JF family inet output inline-jflow source-address <router-ip>
set interfaces ge-0/0/0 unit 0 family inet sampling input

For IPFIX use version-ipfix and port 4739. One sampling instance per device; sampled flows (not 1:1) — tune the rate.

MikroTik RouterOS

Traffic Flow — NetFlow v1/v5/v9 and IPFIX. Official docs

/ip traffic-flow set enabled=yes
/ip traffic-flow target add dst-address=<obserae-host> port=2055 version=9

Use version=ipfix port=4739 for IPFIX. Traffic Flow only sees CPU-processed traffic, not hardware-bridged traffic.

More routers & switches

| Device | Protocols | Official docs |
| --- | --- | --- |
| Cisco Nexus (NX-OS) | NetFlow v9, IPFIX | docs — set transport udp 2055 (NX-OS default 9995 is a trap) |
| Cisco Meraki MX / MS | NetFlow v9 / IPFIX | docs |
| Huawei (NetStream, S1720, S2700, S5700, and S6720 V200R011C10) | NetFlow v5/v9, IPFIX | docs |
| Arista EOS | IPFIX | docs |
| Nokia SR OS (Cflowd) | NetFlow v5/v8/v9, IPFIX | docs |
| Extreme EXOS / VOSS | NetFlow v9, IPFIX (also sFlow) | docs |
| HPE Aruba (ArubaOS-CX) | IPFIX | docs — ProVision/ArubaOS-Switch is sFlow-only |
| VyOS | NetFlow v5/v9, IPFIX | docs |
| Ubiquiti EdgeRouter (EdgeOS) | NetFlow v5/v9, IPFIX | docs |
| Ubiquiti UniFi Gateway | NetFlow v5/v9, IPFIX | docs |
| Allied Telesis (AlliedWare Plus) | IPFIX | docs |
| Ruckus / Brocade ICX | NetFlow v9, IPFIX (FastIron 09.x) | docs — sFlow on older firmware |

Firewalls & UTM

FortiGate / FortiOS

NetFlow v9 (and v5). NetFlow is enabled per interface. Official docs

config system netflow
  set collector-ip <obserae-host>
  set collector-port 2055
end
config system interface
  edit "port1"
    set netflow-sampler both
  next
end

Palo Alto PAN-OS

NetFlow v9. Official docs

In the GUI: Device → Server Profiles → NetFlow, add a profile with server <obserae-host> and port 2055, then assign that profile to each ingress interface under Network → Interfaces.

pfSense

NetFlow v5/v9 and IPFIX. Official docs (pflow)

  • pfSense Plus 24.03+: Firewall → Packet Flow Data (pflow) → add an exporter, Collector <obserae-host>, Port 2055 (NetFlow) or 4739 (IPFIX).
  • Older / Community Edition: install the softflowd package (System → Package Manager), then Services → softflowd: Host <obserae-host>, Port 2055, version 9.

OPNsense

NetFlow v5/v9. Official docs

In the GUI: Reporting → NetFlow → select the interfaces to watch, set Version 9, and add the destination <obserae-host>:2055.

More firewalls & UTM

| Device | Protocols | Official docs |
| --- | --- | --- |
| Cisco ASA | NetFlow v9 / NSEL | docs |
| Juniper SRX | NetFlow v5/v9, IPFIX | docs |
| Check Point (Gaia) | NetFlow v5/v9, IPFIX | docs |
| SonicWall (SonicOS AppFlow) | NetFlow v5/v9, IPFIX | docs |
| Sophos Firewall (SFOS) | NetFlow v5 | docs |
| WatchGuard Firebox | NetFlow v5/v9 | docs |
| Barracuda CloudGen Firewall | NetFlow v5/v9, IPFIX | docs |
| F5 BIG-IP (AFM/AVR) | NetFlow v9, IPFIX | docs — its sFlow is system monitoring only; use IPFIX/NetFlow for flow export |

Host & software probes

Run a probe on a server or a SPAN/mirror port when the device itself can’t export flows.

softflowd

Reads a libpcap interface, exports NetFlow v1/v5/v9 or IPFIX. Official docs

softflowd -i eth0 -v 9  -n <obserae-host>:2055     # NetFlow v9
softflowd -i eth0 -v 10 -n <obserae-host>:4739     # IPFIX

pmacct (nfprobe plugin)

Capture daemon (pmacctd / uacctd) with the built-in nfprobe plugin. Official docs (CONFIG-KEYS)

# pmacctd.conf
pcap_interface: eth0
plugins: nfprobe
nfprobe_receiver: <obserae-host>:2055
nfprobe_version: 9          # 5, 9, or 10 (IPFIX → use :4739)
aggregate: src_host, dst_host, src_port, dst_port, proto

More host probes

| Probe | Protocols | Official docs |
| --- | --- | --- |
| fprobe / fprobe-ng | NetFlow v1/v5/v7 | man page |
| nProbe (ntop) | NetFlow v5/v9, IPFIX | docs |
| ipt-NETFLOW (Linux kernel module) | NetFlow v5/v9, IPFIX | docs |
| YAF (CERT NetSA) | IPFIX | docs |
| ulogd2 (Netfilter) | IPFIX | man page |

Virtual & cloud switches

Open vSwitch (OVS)

NetFlow v5 and IPFIX (per bridge). Official docs (ovs-vsctl)

# NetFlow v5
ovs-vsctl -- set Bridge br0 netflow=@nf -- \
  --id=@nf create NetFlow targets='"<obserae-host>:2055"' active-timeout=60

# IPFIX
ovs-vsctl -- set Bridge br0 ipfix=@i -- \
  --id=@i create IPFIX targets='"<obserae-host>:4739"'

More virtual switches

| Platform | Protocols | Official docs |
| --- | --- | --- |
| VMware vSphere Distributed Switch | IPFIX | docs |

Verifying it works

Once a device is exporting, watch the flows counter climb:

./obserae-cli --socket ./data/obserae.sock status

If after a couple of minutes the counter stays at 0:

  • Is the listener up? sudo ss -ulnp | grep -E '2055|4739'
  • Is anything arriving? sudo tcpdump -ni any udp port 2055 -c 5 (use 4739 for IPFIX).

NetFlow v9 / IPFIX template warm-up. These protocols send a template describing the record layout separately from the data, and only every so often (often every 20 packets or every 30 minutes, depending on the device). Until obserae receives that first template, the matching flows can’t be decoded — so a brand-new exporter can show traffic in tcpdump while the counter is still 0. Wait for the next template, or force a refresh on the device. NetFlow v5 has no templates and decodes immediately.

If tcpdump shows packets but the counter never moves even after the template window, check the daemon log — it prints decode errors at the default verbosity.
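To tell a template warm-up apart from a wrong-protocol exporter, the sketch below walks the sets in one UDP payload and reports which data sets arrive before their template. It is an added example, not obserae code and not how obserae's decoder is implemented; the function names and sample datagrams are constructed for illustration.

```python
import struct

# Header length, template set ID, options-template set ID per export version.
LAYOUT = {9: (20, 0, 1), 10: (16, 2, 3)}

def template_ids(buf, pos, end, version):
    ids = []
    while pos + 4 <= end:
        tid, nfields = struct.unpack_from("!HH", buf, pos)
        if tid < 256:                      # padding at the end of the set
            break
        pos += 4
        for _ in range(nfields):
            if pos + 4 > end:
                raise ValueError("truncated template record")
            ie = struct.unpack_from("!H", buf, pos)[0]
            pos += 8 if version == 10 and ie & 0x8000 else 4  # IPFIX enterprise field: +4 bytes
        ids.append(tid)
    return ids

def inspect(datagram, known):
    """Return (version, new_template_ids, undecodable_set_ids); updates `known`."""
    if len(datagram) < 4:
        raise ValueError("datagram too short")
    version = struct.unpack_from("!H", datagram)[0]
    if version == 5:                       # fixed record layout, no templates
        return 5, [], []
    if version not in LAYOUT:
        raise ValueError(f"not NetFlow v5/v9 or IPFIX (version field {version})")
    offset, tmpl_set, opt_set = LAYOUT[version]
    new, undecodable = [], []
    while offset + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, offset)
        if set_len < 4 or offset + set_len > len(datagram):
            raise ValueError("malformed set length")
        if set_id == tmpl_set:
            new += template_ids(datagram, offset + 4, offset + set_len, version)
            known.update(new)
        elif set_id == opt_set and set_len >= 6:   # simplification: first ID only
            known.add(struct.unpack_from("!H", datagram, offset + 4)[0])
        elif set_id >= 256 and set_id not in known:
            undecodable.append(set_id)
        offset += set_len
    return version, new, undecodable

# Constructed datagrams (not captured traffic): a v9 data flowset, then its template.
HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 1, 0)
DATA = HDR + struct.pack("!HH4s4sI", 256, 16, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1500)
TEMPLATE = HDR + struct.pack("!HHHH6H", 0, 20, 256, 3, 8, 4, 12, 4, 1, 4)
```

Keep one `known` set per exporter: a data set listed as undecodable is normal until that exporter's template arrives, while a `ValueError` on the version field points at a non-NetFlow sender such as sFlow.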


Next steps

  • Connectors — give each exporter a friendly name in the GUI.
  • Quickstart — your first cartography, rules and query.
  • Configuration — change the listener ports or disable a protocol.