Connectors

Connectors are the places where obserae talks to the rest of your network. Some bring traffic into the product, some add context to public IPs, and some send alerts out to your existing tools.

Connector family | Page | Use it when you want to…
Flow exporters | Exporters | Name the routers, switches, firewalls and probes that already send NetFlow/IPFIX.
Device connectors | Devices | Pull identity data from a supported network device, such as ARP, DHCP leases and interface networks.
IP enrichment | Cloud Attribution, Threat Intelligence, GeoIP, ASN | Add cloud, threat, country and network-owner badges to public IPs.
Alert outputs | Outputs | Send fired alerts to chat, on-call, webhooks, syslog/SIEM or search platforms.

This page explains what each family is for. For device-specific NetFlow/IPFIX commands, start with Configuring Exporters. For alert delivery, see Outputs.


Flow Exporters

An exporter is any device or probe that sends NetFlow or IPFIX packets to obserae: a router, switch, firewall, hypervisor, host probe, or traffic sensor. obserae discovers exporters automatically once at least one flow packet has arrived.

The Exporters page is not where you configure the router itself. It is where you make observed exporters readable inside obserae:

  1. Configure the device to send NetFlow/IPFIX to obserae.
  2. Wait for the flow counter to move, or click Rescan.
  3. Give the observed IP a friendly name such as core-switch-01.
  4. Add the model, owner or location in Equipment type and Details.

After that, pages such as Cockpit, Sessions, Cartography and Investigation show the friendly name instead of a raw exporter IP.

What the table shows

Column | Meaning
IP | Address used by the exporter when it sends flow records. Read-only.
Name | Operator name shown across the UI.
Equipment type | Vendor, model or role, such as FortiGate edge or Cisco Catalyst 9300.
Details | Free notes: rack, site, owner, interface scope.
Flows | How many flow records obserae has received from this exporter.
Last seen | Most recent flow timestamp from this exporter.

Deleting an exporter label only removes the label. If the same device is still sending flows, the next rescan creates the row again without your old name.


Device Connectors

Flow records tell obserae who talked to whom, but they do not always tell you which hostname or MAC address owned an IP at that moment. Device connectors add that missing identity context by polling supported network devices.

Today, the Devices page supports OPNsense. The page is intentionally structured as a connector area: more device families can be added without changing the way operators think about the feature.

OPNsense

The OPNsense connector pulls three kinds of data:

Data | Why it helps
ARP table | Maps recently seen IPs to MAC addresses. Useful when discovering unknown hosts.
DHCP leases | Adds hostnames and lease information for dynamic clients.
Interfaces | Suggests networks from the firewall interfaces, so Cartography can be built faster.

This context appears in Cartography, IP Discovery, DHCP drawers and NFQL queries (FROM arp, FROM dhcp). It helps answer practical questions such as:

  • “What device had this DHCP address when the alert fired?”
  • “Which unknown IP should I add to Cartography?”
  • “Which subnet does this firewall interface represent?”
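
The first question above comes down to matching the alert time against lease validity windows, because one IP can be leased to different devices during the same day. An added example (not obserae or OPNsense code; the lease records, field names and alert shape are constructed for illustration):

```python
from datetime import datetime

# Constructed lease history. Field names are hypothetical, not the OPNsense
# or obserae schema. Note that 10.20.0.57 is reused by a second device.
LEASES = [
    {"ip": "10.20.0.57", "mac": "02:00:00:00:00:01", "hostname": "laptop-finance-03",
     "starts": "2024-05-02T08:00:00+00:00", "ends": "2024-05-02T12:00:00+00:00"},
    {"ip": "10.20.0.57", "mac": "02:00:00:00:00:02", "hostname": "printer-lobby",
     "starts": "2024-05-02T12:30:00+00:00", "ends": "2024-05-02T20:30:00+00:00"},
    {"ip": "10.20.0.58", "mac": "02:00:00:00:00:03", "hostname": "kiosk-01",
     "starts": "2024-05-02T07:00:00+00:00", "ends": "2024-05-02T19:00:00+00:00"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(value)


def holder_at(leases, ip, when):
    """Return the lease that covered `ip` at time `when`, or None.

    Only leases whose [starts, ends) window contains `when` count. If two
    records overlap (for example a renewal), the most recently started wins.
    """
    moment = _ts(when)
    active = [
        lease for lease in leases
        if lease["ip"] == ip and _ts(lease["starts"]) <= moment < _ts(lease["ends"])
    ]
    return max(active, key=lambda lease: _ts(lease["starts"]), default=None)


def attribute_alert(leases, alert):
    """Describe who held the alert's source IP when the alert fired."""
    lease = holder_at(leases, alert["src_ip"], alert["fired_at"])
    if lease is None:
        return f'{alert["src_ip"]}: no active lease at {alert["fired_at"]}'
    return f'{alert["src_ip"]}: {lease["hostname"]} ({lease["mac"]})'


if __name__ == "__main__":
    # Constructed alerts: same IP, three different answers.
    for fired in ("2024-05-02T09:15:00+00:00", "2024-05-02T12:10:00+00:00",
                  "2024-05-02T13:00:00+00:00"):
        print(attribute_alert(LEASES, {"src_ip": "10.20.0.57", "fired_at": fired}))
```

Looking up only the current lease for an IP would name printer-lobby for the 09:15 alert, which is why the lookup is keyed on the alert time.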

Add an OPNsense device

Open Devices, click Add device, then provide:

Field | What to enter
Name | A readable name, for example opnsense-edge.
Base URL | The firewall URL, for example https://192.0.2.1.
API key | OPNsense API key for the user you want obserae to use.
API secret | Matching secret. It is encrypted at rest and never shown again.
Root CA (PEM) | Recommended when the firewall uses an internal CA.
Skip TLS verify | Lab-only fallback for a self-signed endpoint when no CA is available.

In OPNsense, create the API key from System -> Access -> Users, open the user, then generate a key under API keys.

obserae polls each configured device roughly every 10 minutes. You can also click Refresh on a row to poll it now. A failed poll is shown on that row and does not block the daemon or other devices.

Backup and restore

Device connector settings are included in the Config I/O bundle. Secrets are exported encrypted with this instance’s master key. Restoring the bundle on the same instance keeps the connector usable; restoring it on a fresh instance keeps the device definition but asks you to re-enter the API secret.


IP Enrichment Connectors

IP enrichment adds context to public IPs seen in flows and sessions. The pages under Connectors split the sources by purpose:

Page | Adds | Typical use
Cloud Attribution | AWS, Azure, Google Cloud, Oracle Cloud and Cloudflare ranges. | Understand whether traffic is going to a cloud provider, service or region.
Threat Intelligence | FireHOL Level 1, Tor exits and Tor relays. | Highlight known-bad or anonymized peers during triage.
GeoIP | Country code for public IPs. | Spot unexpected countries quickly.
ASN | Network owner such as AS13335 CLOUDFLARENET. | Identify hosting providers, ISPs and networks not covered by curated cloud lists.

On a fresh install, enrichment is enabled by default. Public lists are fetched from their publishers; obserae does not send your observed IPs or traffic to those sources. If the appliance must stay fully quiet on the network, turn off the global IP enrichment switch.

Each source also has its own toggle and Refresh action. Use the global switch when you want all enrichment off; use per-source toggles when you only want to disable one family, for example Tor relays or ASN.
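
How list-based enrichment can stay local, shown as an added sketch that is not obserae's implementation: the lists are downloaded as CIDR text, and every observed IP is matched against them in memory, so no observed address leaves the host. The source names, list contents, internal-range set and the shape of the toggles are assumptions constructed for illustration.

```python
import ipaddress

# Ranges treated as internal in this sketch (assumption); enrichment applies to public IPs only.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed list bodies, one CIDR per line with '#' comments.
# Documentation ranges stand in for public addresses here.
SOURCES = {
    "threat-sample": "# constructed blocklist\n198.51.100.0/24\n192.168.0.0/16  # broad entry\n",
    "cloud-sample": "203.0.113.0/25\n",
}


def parse_list(text):
    """Parse one-CIDR-per-line text, ignoring comments and blank lines."""
    networks = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def badges(ip, sources, enabled, global_switch=True):
    """Return the names of enabled sources whose ranges contain a public `ip`.

    `enabled` maps source name -> bool (per-source toggle, default on);
    `global_switch` turns all enrichment off at once.
    """
    addr = ipaddress.ip_address(ip)
    if not global_switch or any(addr in net for net in INTERNAL):
        return []
    return sorted(
        name for name, text in sources.items()
        if enabled.get(name, True) and any(addr in net for net in parse_list(text))
    )


if __name__ == "__main__":
    print(badges("198.51.100.9", SOURCES, {}))                       # badge from threat-sample
    print(badges("192.168.1.5", SOURCES, {}))                        # internal, never badged
    print(badges("203.0.113.10", SOURCES, {"cloud-sample": False}))  # source toggled off
```

The internal-range check runs before any list lookup, so a broad entry in a downloaded list cannot badge LAN hosts.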

For examples and NFQL queries, see IP Enrichment.


Alert Outputs

Outputs are listed in the Connectors area because they connect obserae to the tools your team already uses after an alert fires:

  • webhooks and automation platforms;
  • Gotify, Slack, Mattermost, Telegram and email;
  • syslog, Splunk HEC, Elasticsearch/OpenSearch;
  • PagerDuty and Opsgenie.

Use Outputs to choose where alerts go, test delivery, set routing by severity/rule/tag, and understand how secrets are stored.


Choosing The Right Page

Goal | Go to
My router/firewall is not sending flows yet. | Configuring Exporters
Flows arrive, but the exporter name is unreadable. | Exporters
I want DHCP hostnames and MAC addresses in investigations. | Devices
I need cloud, threat, country or ASN badges. | Cloud Attribution, Threat Intelligence, GeoIP, ASN
I want alerts in another product. | Outputs
I want to query enrichment/device data. | NFQL
