Connectors
Connectors are the places where obserae talks to the rest of your network. Some bring traffic into the product, some add context to public IPs, and some send alerts out to your existing tools.
| Connector family | Page | Use it when you want to… |
|---|---|---|
| Flow exporters | Exporters | Name the routers, switches, firewalls and probes that already send NetFlow/IPFIX. |
| Device connectors | Devices | Pull identity data from a supported network device, such as ARP, DHCP leases and interface networks. |
| IP enrichment | Cloud Attribution, Threat Intelligence, GeoIP, ASN | Add cloud, threat, country and network-owner badges to public IPs. |
| Alert outputs | Outputs | Send fired alerts to chat, on-call, webhooks, syslog/SIEM or search platforms. |
This page explains what each family is for. For device-specific NetFlow/IPFIX commands, start with Configuring Exporters. For alert delivery, see Outputs.
Flow Exporters
An exporter is any device or probe that sends NetFlow or IPFIX packets to obserae: a router, switch, firewall, hypervisor, host probe, or traffic sensor. obserae discovers exporters automatically once at least one flow packet has arrived.
The Exporters page is not where you configure the router itself. It is where you make observed exporters readable inside obserae:
- Configure the device to send NetFlow/IPFIX to obserae.
- Wait for the flow counter to move, or click Rescan.
- Give the observed IP a friendly name such as core-switch-01.
- Add the model, owner or location in Equipment type and Details.
After that, pages such as Cockpit, Sessions, Cartography and Investigation show the friendly name instead of a raw exporter IP.
What the table shows
| Column | Meaning |
|---|---|
| IP | Address used by the exporter when it sends flow records. Read-only. |
| Name | Operator name shown across the UI. |
| Equipment type | Vendor, model or role, such as FortiGate edge or Cisco Catalyst 9300. |
| Details | Free notes: rack, site, owner, interface scope. |
| Flows | How many flow records obserae has received from this exporter. |
| Last seen | Most recent flow timestamp from this exporter. |
Deleting an exporter label only removes the label. If the same device is still sending flows, the next rescan creates the row again without your old name.
Device Connectors
Flow records tell obserae who talked to whom, but they do not always tell you which hostname or MAC address owned an IP at that moment. Device connectors add that missing identity context by polling supported network devices.
Today, the Devices page supports OPNsense. The page is intentionally structured as a connector area: more device families can be added without changing the way operators think about the feature.
OPNsense
The OPNsense connector pulls three kinds of data:
| Data | Why it helps |
|---|---|
| ARP table | Maps recently seen IPs to MAC addresses. Useful when discovering unknown hosts. |
| DHCP leases | Adds hostnames and lease information for dynamic clients. |
| Interfaces | Suggests networks from the firewall interfaces, so Cartography can be built faster. |
This context appears in Cartography, IP Discovery, DHCP drawers and NFQL queries (FROM arp, FROM dhcp). It helps answer practical questions such as:
- “What device had this DHCP address when the alert fired?”
- “Which unknown IP should I add to Cartography?”
- “Which subnet does this firewall interface represent?”
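The first question above, worked through as an added example (not obserae's code and not an NFQL query): because DHCP reuses addresses, attribution has to pick the lease whose interval covers the alert time, not the newest lease for that IP. The `Lease` fields, the sample leases and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Lease:
    """Hypothetical lease record; not the obserae or OPNsense schema."""
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset and normalise it to UTC."""
    return datetime.fromisoformat(text).astimezone(timezone.utc)


# Constructed sample: 10.0.20.57 changes hands during the day.
LEASES = [
    Lease("10.0.20.57", "02:00:00:00:00:01", "laptop-alice",
          ts("2024-05-01T08:00:00+00:00"), ts("2024-05-01T12:00:00+00:00")),
    Lease("10.0.20.57", "02:00:00:00:00:02", "printer-2f",
          ts("2024-05-01T12:30:00+00:00"), ts("2024-05-01T20:30:00+00:00")),
    Lease("10.0.20.58", "02:00:00:00:00:03", "cam-lobby",
          ts("2024-05-01T07:00:00+00:00"), ts("2024-05-01T19:00:00+00:00")),
]


def owner_at(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Lease that covered `ip` at `when`; None if the address was unleased."""
    hits = [l for l in leases if l.ip == ip and l.start <= when < l.end]
    # Overlapping records (e.g. a renewal): prefer the most recent start.
    return max(hits, key=lambda l: l.start, default=None)


def latest_owner(leases: List[Lease], ip: str) -> Optional[Lease]:
    """Naive lookup: whoever holds the newest lease, ignoring alert time."""
    hits = [l for l in leases if l.ip == ip]
    return max(hits, key=lambda l: l.start, default=None)


if __name__ == "__main__":
    alert_time = ts("2024-05-01T11:45:00+00:00")
    print("at alert time:", owner_at(LEASES, "10.0.20.57", alert_time).hostname)
    print("latest lease: ", latest_owner(LEASES, "10.0.20.57").hostname)
```

An alert that falls in the gap between two leases returns `None`, which is the honest answer: no client is on record for that address at that moment.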
Add an OPNsense device
Open Devices, click Add device, then provide:
| Field | What to enter |
|---|---|
| Name | A readable name, for example opnsense-edge. |
| Base URL | The firewall URL, for example https://192.0.2.1. |
| API key | OPNsense API key for the user you want obserae to use. |
| API secret | Matching secret. It is encrypted at rest and never shown again. |
| Root CA (PEM) | Recommended when the firewall uses an internal CA. |
| Skip TLS verify | Lab-only fallback for a self-signed endpoint when no CA is available. |
In OPNsense, create the API key from System -> Access -> Users, open the user, then generate a key under API keys.
obserae polls each configured device roughly every 10 minutes. You can also click Refresh on a row to poll it now. A failed poll is shown on that row and does not block the daemon or other devices.
Backup and restore
Device connector settings are included in the Config I/O bundle. Secrets are exported encrypted with this instance’s master key. Restoring the bundle on the same instance keeps the connector usable; restoring it on a fresh instance keeps the device definition but asks you to re-enter the API secret.
IP Enrichment Connectors
IP enrichment adds context to public IPs seen in flows and sessions. The pages under Connectors split the sources by purpose:
| Page | Adds | Typical use |
|---|---|---|
| Cloud Attribution | AWS, Azure, Google Cloud, Oracle Cloud and Cloudflare ranges. | Understand whether traffic is going to a cloud provider, service or region. |
| Threat Intelligence | FireHOL Level 1, Tor exits and Tor relays. | Highlight known-bad or anonymized peers during triage. |
| GeoIP | Country code for public IPs. | Spot unexpected countries quickly. |
| ASN | Network owner such as AS13335 CLOUDFLARENET. | Identify hosting providers, ISPs and networks not covered by curated cloud lists. |
On a fresh install, enrichment is enabled by default. Public lists are fetched from their publishers; obserae does not send your observed IPs or traffic to those sources. If the appliance must stay fully quiet on the network, turn off the global IP enrichment switch.
Each source also has its own toggle and Refresh action. Use the global switch when you want all enrichment off; use per-source toggles when you only want to disable one family, for example Tor relays or ASN.
For examples and NFQL queries, see IP Enrichment.
Alert Outputs
Outputs are listed in the Connectors area because they connect obserae to the tools your team already uses after an alert fires:
- webhooks and automation platforms;
- Gotify, Slack, Mattermost, Telegram and email;
- syslog, Splunk HEC, Elasticsearch/OpenSearch;
- PagerDuty and Opsgenie.
Use Outputs to choose where alerts go, test delivery, set routing by severity/rule/tag, and understand how secrets are stored.
Choosing The Right Page
| Goal | Go to |
|---|---|
| My router/firewall is not sending flows yet. | Configuring Exporters |
| Flows arrive, but the exporter name is unreadable. | Exporters |
| I want DHCP hostnames and MAC addresses in investigations. | Devices |
| I need cloud, threat, country or ASN badges. | Cloud Attribution, Threat Intelligence, GeoIP, ASN |
| I want alerts in another product. | Outputs |
| I want to query enrichment/device data. | NFQL |
See Also
- Configuring Exporters - vendor and probe setup examples.
- IP Enrichment - how badges and enrichment queries work.
- Outputs - alert delivery connectors.
- Cartography - using discovered IPs and device context.