fluent-plugin-netflow 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c83a5f4fb673a2350abaab3f8d33ca43229399e5
+  data.tar.gz: 8a24c6097b65b0a7eac8391cc9a54444c4a49a17
+SHA512:
+  metadata.gz: ce6510d36beed459299342e64ae6336b004d9c924886336edf57c214ff29405dc96d9764976147d383d192e70bfed7b935e6156f3491678c95fe306628f3fe2b
+  data.tar.gz: ce0a4789512e66527d777ae8b6b37958b6d94221874ee91651f8764019095efd308f5c70b44e5f9d980a9cc6c0d643a1e7107eea43997a632765d87978a02e66

data/.travis.yml

@@ -0,0 +1,19 @@
+language: ruby
+
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1
+  - ruby-head
+  - rbx
+
+branches:
+  only:
+    - master
+
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+    - rvm: rbx
+
+script: bundle exec rake test

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/README.md

@@ -0,0 +1,28 @@
+# Netflow plugin for Fluentd
+
+Accept Netflow logs.
+
+## Installation
+
+Use RubyGems:
+
+    gem install fluent-plugin-netflow
+
+## Configuration
+
+    <source>
+      type netflow
+      tag netflow.event
+
+      # optional parameters
+      bind 127.0.0.1
+      port 5140
+
+      # optional parser parameters
+      cache_ttl 6000
+      versions [5, 9]
+    </match>
+
+## TODO
+
+* Release as rubygem

data/Rakefile

@@ -0,0 +1,14 @@
+
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.test_files = FileList['test/*.rb']
+  test.verbose = true
+end
+
+task :default => [:build]
+

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/fluent-plugin-netflow.gemspec

@@ -0,0 +1,23 @@
+# encoding: utf-8
+$:.push File.expand_path('../lib', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.name        = "fluent-plugin-netflow"
+  gem.description = "Netflow plugin for Fluentd"
+  gem.homepage    = "https://github.com/repeatedly/fluent-plugin-netflow"
+  gem.summary     = gem.description
+  gem.version     = File.read("VERSION").strip
+  gem.authors     = ["Masahiro Nakagawa"]
+  gem.email       = "repeatedly@gmail.com"
+  gem.has_rdoc    = false
+  #gem.platform    = Gem::Platform::RUBY
+  gem.license     = 'Apache License (2.0)'
+  gem.files       = `git ls-files`.split("\n")
+  gem.test_files  = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.require_paths = ['lib']
+
+  gem.add_dependency "fluentd", "~> 0.10.17"
+  gem.add_dependency "bindata", "~> 2.1"
+  gem.add_development_dependency "rake", ">= 0.9.2"
+end

data/lib/fluent/plugin/in_netflow.rb

@@ -0,0 +1,115 @@
+#
+# Fluent
+#
+# Copyright (C) 2014 Masahiro Nakagawa
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+module Fluent
+  class NetflowInput < Input
+    Plugin.register_input('netflow', self)
+
+    def initialize
+      super
+      require 'cool.io'
+      require 'fluent/plugin/socket_util'
+      require 'fluent/plugin/parser_netflow'
+    end
+
+    config_param :port, :integer, :default => 5140
+    config_param :bind, :string, :default => '0.0.0.0'
+    config_param :tag, :string
+    config_param :protocol_type, :default => :udp do |val|
+      case val.downcase
+      when 'udp'
+        :udp
+      else
+        raise ConfigError, "syslog input protocol type should be 'tcp' or 'udp'"
+      end
+    end
+
+    def configure(conf)
+      super
+
+      @parser = TextParser::NetflowParser.new
+      @parser.configure(conf)
+    end
+
+    def start
+      @loop = Coolio::Loop.new
+      @handler = listen(method(:receive_data))
+      @loop.attach(@handler)
+
+      @thread = Thread.new(&method(:run))
+    end
+
+    def shutdown
+      @loop.watchers.each { |w| w.detach }
+      @loop.stop
+      @handler.close
+      @thread.join
+    end
+
+    def run
+      @loop.run
+    rescue
+      log.error "unexpected error", :error=>$!.to_s
+      log.error_backtrace
+    end
+
+    protected
+
+    def receive_data(host, data)
+      @parser.call(data) { |time, record|
+        unless time && record
+          log.warn "pattern not match: #{text.inspect}"
+          return
+        end
+
+        record['host'] = host
+        Engine.emit(tag, time, record)
+      }
+    rescue
+      log.warn data.dump, :error => $!.to_s
+      log.debug_backtrace
+    end
+
+    private
+
+    def listen(callback)
+      log.debug "listening syslog socket on #{@bind}:#{@port} with #{@protocol_type}"
+      if @protocol_type == :udp
+        @usock = SocketUtil.create_udp_socket(@bind)
+        @usock.bind(@bind, @port)
+        UdpHandler.new(@usock, callback)
+      else
+        Coolio::TCPServer.new(@bind, @port, TcpHandler, log, callback)
+      end
+    end
+
+    class UdpHandler < Coolio::IO
+      def initialize(io, callback)
+        super(io)
+        @io = io
+        @callback = callback
+      end
+
+      def on_readable
+        msg, addr = @io.recvfrom_nonblock(4096)
+        @callback.call(addr[3], msg)
+      rescue
+        # TODO log?
+      end
+    end
+  end
+end

data/lib/fluent/plugin/netflow.yaml

@@ -0,0 +1,215 @@
+---
+1:
+- 4
+- :in_bytes
+2:
+- 4
+- :in_pkts
+3:
+- 4
+- :flows
+4:
+- :uint8
+- :protocol
+5:
+- :uint8
+- :src_tos
+6:
+- :uint8
+- :tcp_flags
+7:
+- :uint16
+- :l4_src_port
+8:
+- :ip4_addr
+- :ipv4_src_addr
+9:
+- :uint8
+- :src_mask
+10:
+- 2
+- :input_snmp
+11:
+- :uint16
+- :l4_dst_port
+12:
+- :ip4_addr
+- :ipv4_dst_addr
+13:
+- :uint8
+- :dst_mask
+14:
+- 2
+- :output_snmp
+15:
+- :ip4_addr
+- :ipv4_next_hop
+16:
+- 2
+- :src_as
+17:
+- 2
+- :dst_as
+18:
+- :ip4_addr
+- :bgp_ipv4_next_hop
+19:
+- 4
+- :mul_dst_pkts
+20:
+- 4
+- :mul_dst_bytes
+21:
+- :uint32
+- :last_switched
+22:
+- :uint32
+- :first_switched
+23:
+- 4
+- :out_bytes
+24:
+- 4
+- :out_pkts
+25:
+- :uint16
+- :min_pkt_length
+26:
+- :uint16
+- :max_pkt_length
+27:
+- :ip6_addr
+- :ipv6_src_addr
+28:
+- :ip6_addr
+- :ipv6_dst_addr
+29:
+- :uint8
+- :ipv6_src_mask
+30:
+- :uint8
+- :ipv6_dst_mask
+31:
+- :uint24
+- :ipv6_flow_label
+32:
+- :uint16
+- :icmp_type
+33:
+- :uint8
+- :mul_igmp_type
+34:
+- :uint32
+- :sampling_interval
+35:
+- :uint8
+- :sampling_algorithm
+36:
+- :uint16
+- :flow_active_timeout
+37:
+- :uint16
+- :flow_inactive_timeout
+38:
+- :uint8
+- :engine_type
+39:
+- :uint8
+- :engine_id
+40:
+- 4
+- :total_bytes_exp
+41:
+- 4
+- :total_pkts_exp
+42:
+- 4
+- :total_flows_exp
+43:
+- :skip
+44:
+- :ip4_addr
+- :ipv4_src_prefix
+45:
+- :ip4_addr
+- :ipv4_dst_prefix
+46:
+- :uint8
+- :mpls_top_label_type
+47:
+- :uint32
+- :mpls_top_label_ip_addr
+48:
+- 4
+- :flow_sampler_id
+49:
+- :uint8
+- :flow_sampler_mode
+50:
+- :uint32
+- :flow_sampler_random_interval
+51:
+- :skip
+52:
+- :uint8
+- :min_ttl
+53:
+- :uint8
+- :max_ttl
+54:
+- :uint16
+- :ipv4_ident
+55:
+- :uint8
+- :dst_tos
+56:
+- :mac_addr
+- :in_src_max
+57:
+- :mac_addr
+- :out_dst_max
+58:
+- :uint16
+- :src_vlan
+59:
+- :uint16
+- :dst_vlan
+60:
+- :uint8
+- :ip_protocol_version
+61:
+- :uint8
+- :direction
+62:
+- :ip6_addr
+- :ipv6_next_hop
+63:
+- :ip6_addr
+- :bgp_ipv6_next_hop
+64:
+- :uint32
+- :ipv6_option_headers
+64:
+- :skip
+65:
+- :skip
+66:
+- :skip
+67:
+- :skip
+68:
+- :skip
+69:
+- :skip
+80:
+- :mac_addr
+- :in_dst_mac
+81:
+- :mac_addr
+- :out_src_mac
+82:
+- :string
+- :if_name
+83:
+- :string
+- :if_desc

data/lib/fluent/plugin/parser_netflow.rb

@@ -0,0 +1,448 @@
+require "bindata"
+require "ipaddr"
+require 'yaml'
+
+require 'fluent/parser'
+
+module Fluent
+  class TextParser
+    # port from logstash's netflow parser
+    class NetflowParser
+      include Configurable
+
+      config_param :cache_ttl, :integer, :default => 4000
+      config_param :versions, :default => [5, 9] do |param|
+        if param.is_a?(Array)
+          param
+        else
+          param.split(".").map(&:to_i)
+        end
+      end
+      config_param :definitions, :string, :default => nil
+
+      def configure(conf)
+        super
+
+        @templates = Vash.new()
+        # Path to default Netflow v9 field definitions
+        filename = File.expand_path('../netflow.yaml', __FILE__)
+
+        begin
+          @fields = YAML.load_file(filename)
+        rescue Exception => e
+          raise "Bad syntax in definitions file #{filename}"
+        end
+
+        # Allow the user to augment/override/rename the supported Netflow fields
+        if @definitions
+          raise "definitions file #{@definitions} does not exists" unless File.exist?(@definitions)
+          begin
+            @fields.merge!(YAML.load_file(@definitions))
+          rescue Exception => e
+            raise "Bad syntax in definitions file #{@definitions}"
+          end
+        end
+      end
+
+      def call(payload)
+        header = Header.read(payload)
+        unless @versions.include?(header.version)
+          $log.warn "Ignoring Netflow version v#{header.version}"
+          return
+        end
+
+        if header.version == 5
+          flowset = Netflow5PDU.read(payload)
+        elsif header.version == 9
+          flowset = Netflow9PDU.read(payload)
+        else
+          $log.warn "Unsupported Netflow version v#{header.version}"
+          return
+        end
+
+        flowset.records.each do |record|
+          if flowset.version == 5
+            event = {}
+
+            # FIXME Probably not doing this right WRT JRuby?
+            #
+            # The flowset header gives us the UTC epoch seconds along with
+            # residual nanoseconds so we can set @timestamp to that easily
+            time = flowset.unix_sec
+
+            # Copy some of the pertinent fields in the header to the event
+            ['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records'].each do |f|
+              event[f] = flowset[f]
+            end
+
+            # Create fields in the event from each field in the flow record
+            record.each_pair do |k,v|
+              case k.to_s
+              when /_switched$/
+                # The flow record sets the first and last times to the device
+                # uptime in milliseconds. Given the actual uptime is provided
+                # in the flowset header along with the epoch seconds we can
+                # convert these into absolute times
+                millis = flowset.uptime - v
+                seconds = flowset.unix_sec - (millis / 1000)
+                micros = (flowset.unix_nsec / 1000) - (millis % 1000)
+                if micros < 0
+                  seconds--
+                    micros += 1000000
+                end
+
+                # FIXME Again, probably doing this wrong WRT JRuby?
+                event[k.to_s] = Time.at(seconds, micros).utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
+              else
+                event[k.to_s] = v
+              end
+            end
+
+            yield time, event
+          elsif flowset.version == 9
+            case record.flowset_id
+            when 0
+              # Template flowset
+              record.flowset_data.templates.each do |template|
+                catch (:field) do
+                  fields = []
+                  template.fields.each do |field|
+                    entry = netflow_field_for(field.field_type, field.field_length)
+                    if !entry
+                      throw :field
+                    end
+                    fields += entry
+                  end
+                  # We get this far, we have a list of fields
+                  #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
+                  key = "#{flowset.source_id}|#{template.template_id}"
+                  @templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+                  # Purge any expired templates
+                  @templates.cleanup!
+                end
+              end
+            when 1
+              # Options template flowset
+              record.flowset_data.templates.each do |template|
+                catch (:field) do
+                  fields = []
+                  template.option_fields.each do |field|
+                    entry = netflow_field_for(field.field_type, field.field_length)
+                    if ! entry
+                      throw :field
+                    end
+                    fields += entry
+                  end
+                  # We get this far, we have a list of fields
+                  #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
+                  key = "#{flowset.source_id}|#{template.template_id}"
+                  @templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+                  # Purge any expired templates
+                  @templates.cleanup!
+                end
+              end
+            when 256..65535
+              # Data flowset
+              #key = "#{flowset.source_id}|#{event["source"]}|#{record.flowset_id}"
+              key = "#{flowset.source_id}|#{record.flowset_id}"
+              template = @templates[key]
+              if ! template
+                #$log.warn("No matching template for flow id #{record.flowset_id} from #{event["source"]}")
+                $log.warn("No matching template for flow id #{record.flowset_id}")
+                next
+              end
+
+              length = record.flowset_length - 4
+
+              # Template shouldn't be longer than the record and there should
+              # be at most 3 padding bytes
+              if template.num_bytes > length or ! (length % template.num_bytes).between?(0, 3)
+                $log.warn("Template length doesn't fit cleanly into flowset", :template_id => record.flowset_id, :template_length => template.num_bytes, :record_length => length)
+                next
+              end
+
+              array = BinData::Array.new(:type => template, :initial_length => length / template.num_bytes)
+
+              records = array.read(record.flowset_data)
+              records.each do |r|
+                time = flowset.unix_sec
+                event = {}
+
+                # Fewer fields in the v9 header
+                ['version', 'flow_seq_num'].each do |f|
+                  event[f] = flowset[f]
+                end
+
+                event['flowset_id'] = record.flowset_id
+
+                r.each_pair do |k,v|
+                  case k.to_s
+                  when /_switched$/
+                    millis = flowset.uptime - v
+                    seconds = flowset.unix_sec - (millis / 1000)
+                    # v9 did away with the nanosecs field
+                    micros = 1000000 - (millis % 1000)
+                    event[k.to_s] = Time.at(seconds, micros).utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
+                  else
+                    event[k.to_s] = v
+                  end
+                end
+
+                yield time, event
+              end
+            else
+              $log.warn("Unsupported flowset id #{record.flowset_id}")
+            end
+          end
+        end
+      end
+
+      private
+
+      def uint_field(length, default)
+        # If length is 4, return :uint32, etc. and use default if length is 0
+        ("uint" + (((length > 0) ? length : default) * 8).to_s).to_sym
+      end
+
+      def netflow_field_for(type, length)
+        if @fields.include?(type)
+          field = @fields[type]
+          if field.is_a?(Array)
+
+            if field[0].is_a?(Integer)
+              field[0] = uint_field(length, field[0])
+            end
+
+            # Small bit of fixup for skip or string field types where the length
+            # is dynamic
+            case field[0]
+            when :skip
+              field += [nil, {:length => length}]
+            when :string
+              field += [{:length => length, :trim_padding => true}]
+            end
+
+            [field]
+          else
+            $log.warn("Definition should be an array", :field => field)
+            nil
+          end
+        else
+          $log.warn("Unsupported field", :type => type, :length => length)
+          nil
+        end
+      end
+
+      class IP4Addr < BinData::Primitive
+        endian :big
+        uint32 :storage
+
+        def set(val)
+          ip = IPAddr.new(val)
+          if ! ip.ipv4?
+            raise ArgumentError, "invalid IPv4 address '#{val}'"
+          end
+          self.storage = ip.to_i
+        end
+
+        def get
+          IPAddr.new_ntoh([self.storage].pack('N')).to_s
+        end
+      end
+
+      class IP6Addr < BinData::Primitive
+        endian  :big
+        uint128 :storage
+
+        def set(val)
+          ip = IPAddr.new(val)
+          if ! ip.ipv6?
+            raise ArgumentError, "invalid IPv6 address `#{val}'"
+          end
+          self.storage = ip.to_i
+        end
+
+        def get
+          IPAddr.new_ntoh((0..7).map { |i|
+              (self.storage >> (112 - 16 * i)) & 0xffff
+            }.pack('n8')).to_s
+        end
+      end
+
+      class MacAddr < BinData::Primitive
+        array :bytes, :type => :uint8, :initial_length => 6
+
+        def set(val)
+          ints = val.split(/:/).collect { |int| int.to_i(16) }
+          self.bytes = ints
+        end
+
+        def get
+          self.bytes.collect { |byte| byte.to_s(16) }.join(":")
+        end
+      end
+
+      class Header < BinData::Record
+        endian :big
+        uint16 :version
+      end
+
+      class Netflow5PDU < BinData::Record
+        endian :big
+        uint16 :version
+        uint16 :flow_records
+        uint32 :uptime
+        uint32 :unix_sec
+        uint32 :unix_nsec
+        uint32 :flow_seq_num
+        uint8  :engine_type
+        uint8  :engine_id
+        bit2   :sampling_algorithm
+        bit14  :sampling_interval
+        array  :records, :initial_length => :flow_records do
+          ip4_addr :ipv4_src_addr
+          ip4_addr :ipv4_dst_addr
+          ip4_addr :ipv4_next_hop
+          uint16   :input_snmp
+          uint16   :output_snmp
+          uint32   :in_pkts
+          uint32   :in_bytes
+          uint32   :first_switched
+          uint32   :last_switched
+          uint16   :l4_src_port
+          uint16   :l4_dst_port
+          skip     :length => 1
+          uint8    :tcp_flags # Split up the TCP flags maybe?
+          uint8    :protocol
+          uint8    :src_tos
+          uint16   :src_as
+          uint16   :dst_as
+          uint8    :src_mask
+          uint8    :dst_mask
+          skip     :length => 2
+        end
+      end
+
+      class TemplateFlowset < BinData::Record
+        endian :big
+        array  :templates, :read_until => lambda { array.num_bytes == flowset_length - 4 } do
+          uint16 :template_id
+          uint16 :field_count
+          array  :fields, :initial_length => :field_count do
+            uint16 :field_type
+            uint16 :field_length
+          end
+        end
+      end
+
+      class OptionFlowset < BinData::Record
+        endian :big
+        array  :templates, :read_until => lambda { flowset_length - 4 - array.num_bytes <= 2 } do
+          uint16 :template_id
+          uint16 :scope_length
+          uint16 :option_length
+          array  :scope_fields, :initial_length => lambda { scope_length / 4 } do
+            uint16 :field_type
+            uint16 :field_length
+          end
+          array  :option_fields, :initial_length => lambda { option_length / 4 } do
+            uint16 :field_type
+            uint16 :field_length
+          end
+        end
+        skip   :length => lambda { templates.length.odd? ? 2 : 0 }
+      end
+
+      class Netflow9PDU < BinData::Record
+        endian :big
+        uint16 :version
+        uint16 :flow_records
+        uint32 :uptime
+        uint32 :unix_sec
+        uint32 :flow_seq_num
+        uint32 :source_id
+        array  :records, :read_until => :eof do
+          uint16 :flowset_id
+          uint16 :flowset_length
+          choice :flowset_data, :selection => :flowset_id do
+            template_flowset 0
+            option_flowset   1
+            string           :default, :read_length => lambda { flowset_length - 4 }
+          end
+        end
+      end
+
+      # https://gist.github.com/joshaven/184837
+      class Vash < Hash
+        def initialize(constructor = {})
+          @register ||= {}
+          if constructor.is_a?(Hash)
+            super()
+            merge(constructor)
+          else
+            super(constructor)
+          end
+        end
+
+        alias_method :regular_writer, :[]= unless method_defined?(:regular_writer)
+        alias_method :regular_reader, :[] unless method_defined?(:regular_reader)
+
+        def [](key)
+          sterilize(key)
+          clear(key) if expired?(key)
+          regular_reader(key)
+        end
+
+        def []=(key, *args)
+          if args.length == 2
+            value, ttl = args[1], args[0]
+          elsif args.length == 1
+            value, ttl = args[0], 60
+          else
+            raise ArgumentError, "Wrong number of arguments, expected 2 or 3, received: #{args.length+1}\n"+
+              "Example Usage:  volatile_hash[:key]=value OR volatile_hash[:key, ttl]=value"
+          end
+          sterilize(key)
+          ttl(key, ttl)
+          regular_writer(key, value)
+        end
+
+        def merge(hsh)
+          hsh.map {|key,value| self[sterile(key)] = hsh[key]}
+          self
+        end
+
+        def cleanup!
+          now = Time.now.to_i
+          @register.map {|k,v| clear(k) if v < now}
+        end
+
+        def clear(key)
+          sterilize(key)
+          @register.delete key
+          self.delete key
+        end
+
+        private
+
+        def expired?(key)
+          Time.now.to_i > @register[key].to_i
+        end
+
+        def ttl(key, secs=60)
+          @register[key] = Time.now.to_i + secs.to_i
+        end
+
+        def sterile(key)
+          String === key ? key.chomp('!').chomp('=') : key.to_s.chomp('!').chomp('=').to_sym
+        end
+
+        def sterilize(key)
+          key = sterile(key)
+        end
+      end
+    end
+
+    register_template('netflow', self)
+  end
+end

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-netflow
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Masahiro Nakagawa
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-06-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.17
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.17
+- !ruby/object:Gem::Dependency
+  name: bindata
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+description: Netflow plugin for Fluentd
+email: repeatedly@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- VERSION
+- fluent-plugin-netflow.gemspec
+- lib/fluent/plugin/in_netflow.rb
+- lib/fluent/plugin/netflow.yaml
+- lib/fluent/plugin/parser_netflow.rb
+homepage: https://github.com/repeatedly/fluent-plugin-netflow
+licenses:
+- Apache License (2.0)
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Netflow plugin for Fluentd
+test_files: []