fluent-plugin-netflow 0.2.4 → 0.2.5

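--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: f06418df4a7d69f282cb471bd2d22600f9dddcd0
- data.tar.gz: 8415b306a91bcc75381d91d75abe71cd80cd8d7d
+ metadata.gz: a34d06ac33120af173b0714f9c31a41d64a7cd3e
+ data.tar.gz: 0352fe4cc2a9a46035b7ad979e59298aedba5e19
  SHA512:
- metadata.gz: 55b678d070a64df3b05e69f1d69638e24f04838e20e39ae2a67d6ce7213ee2d4200cab55954d6a3609c430985720c140ad01f9b5bc4b72620e8eb5653b579cb7
- data.tar.gz: 68241c08abffa8fa0f43a60010a465eb52fa938ebc2b32606ee1d9f2e180d632fd2fafa8f3d4a91e4e8db7a08f330fae25540a7ffbe42b7c54a239b97a79252d
+ metadata.gz: 16adee7943e249eca0669fe08631e1930d67b442edb752a8c8d095321bff41a158e914e868f26eac24857756d24821f03ee9970a6cac7ca73bf39502d6addd79
+ data.tar.gz: 56fc1e35b2ddcaaa7d92098e4818ce486a024dea4d956f437ee16c26c482f40761dd522fe14c5ab01b6e8e53b2a1ed86220ad33a2beeabff954aeb5c18b9f8df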
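--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 0.2.4
+ 0.2.5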
@@ -254,6 +254,30 @@ option:
254
254
  95:
255
255
  - 4
256
256
  - :app_id
257
+ 150:
258
+ - :uint32
259
+ - :flowStartSeconds
260
+ 151:
261
+ - :uint32
262
+ - :flowEndSeconds
263
+ 152:
264
+ - :uint64
265
+ - :flowStartMilliseconds
266
+ 153:
267
+ - :uint64
268
+ - :flowEndMilliseconds
269
+ 154:
270
+ - :uint64
271
+ - :flowStartMicroseconds
272
+ 155:
273
+ - :uint64
274
+ - :flowEndMicroseconds
275
+ 156:
276
+ - :uint64
277
+ - :flowStartNanoseconds
278
+ 157:
279
+ - :uint64
280
+ - :flowEndNanoseconds
257
281
  234:
258
282
  - :uint32
259
283
  - :ingress_vrf_id
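Review bot: The eight entries added for IDs 150–157 use camelCase names (`:flowStartSeconds` … `:flowEndNanoseconds`) while the neighbouring entries in this table are snake_case (`:app_id`, `:ingress_vrf_id`), so emitted records will mix two key conventions. If the IPFIX information-element spelling is intentional, say so with a comment above the block, e.g. `# 150-157: absolute flow timestamps, named after the IPFIX information elements`. Otherwise rename them to match (`:flow_start_seconds`, …) before downstream queries and alerts start keying on the current spelling. The table itself begins and ends outside this hunk.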
@@ -82,6 +82,22 @@ module Fluent
82
82
  time.utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
83
83
  end
84
84
 
85
+ def format_for_flowSeconds(time)
86
+ time.utc.strftime("%Y-%m-%dT%H:%M:%S")
87
+ end
88
+
89
+ def format_for_flowMilliSeconds(time)
90
+ time.utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
91
+ end
92
+
93
+ def format_for_flowMicroSeconds(time)
94
+ time.utc.strftime("%Y-%m-%dT%H:%M:%S.%6NZ")
95
+ end
96
+
97
+ def format_for_flowNanoSeconds(time)
98
+ time.utc.strftime("%Y-%m-%dT%H:%M:%S.%9NZ")
99
+ end
100
+
85
101
  NETFLOW_V5_HEADER_FORMAT = 'nnNNNNnn'
86
102
  NETFLOW_V5_HEADER_BYTES = 24
87
103
  NETFLOW_V5_RECORD_FORMAT = 'NNNnnNNNNnnnnnnnxx'
@@ -283,10 +299,53 @@ module Fluent
283
299
 
284
300
  event['flowset_id'] = flowset.flowset_id
285
301
 
286
- r.each_pair {|k,v| event[k.to_s] = v }
287
- unless @switched_times_from_uptime
288
- event['first_switched'] = format_for_switched(msec_from_boot_to_time(event['first_switched'], pdu.uptime, time, 0)) if event['first_switched']
289
- event['last_switched'] = format_for_switched(msec_from_boot_to_time(event['last_switched'], pdu.uptime, time, 0)) if event['last_switched']
302
+ r.each_pair do |k, v|
303
+ case k
304
+ when :first_switched
305
+ unless @switched_times_from_uptime
306
+ event[k.to_s] = format_for_switched(msec_from_boot_to_time(v.snapshot, pdu.uptime, time, 0))
307
+ end
308
+ when :last_switched
309
+ unless @switched_times_from_uptime
310
+ event[k.to_s] = format_for_switched(msec_from_boot_to_time(v.snapshot, pdu.uptime, time, 0))
311
+ end
312
+ when :flowStartSeconds
313
+ event[k.to_s] = format_for_flowSeconds(Time.at(v.snapshot, 0))
314
+ when :flowEndSeconds
315
+ event[k.to_s] = format_for_flowSeconds(Time.at(v.snapshot, 0))
316
+ when :flowStartMilliseconds
317
+ divisor = 1_000
318
+ microseconds = (v.snapshot % 1_000) * 1_000
319
+ event[k.to_s] = format_for_flowMilliSeconds(Time.at(v.snapshot / divisor, microseconds))
320
+ when :flowEndMilliseconds
321
+ divisor = 1_000
322
+ microseconds = (v.snapshot % 1_000) * 1_000
323
+ event[k.to_s] = format_for_flowMilliSeconds(Time.at(v.snapshot / divisor, microseconds))
324
+ when :flowStartMicroseconds
325
+ divisor = 1_000_000
326
+ microseconds = (v.snapshot % 1_000_000)
327
+ event[k.to_s] = format_for_flowMicroSeconds(Time.at(v.snapshot / divisor, microseconds))
328
+ when :flowEndMicroseconds
329
+ divisor = 1_000_000
330
+ microseconds = (v.snapshot % 1_000_000)
331
+ event[k.to_s] = format_for_flowMicroSeconds(Time.at(v.snapshot / divisor, microseconds))
332
+ when :flowStartNanoseconds
333
+ divisor = 1_000_000_000
334
+ microseconds = (v.snapshot % 1_000_000_000) / 1_000
335
+ nanoseconds = v.snapshot % 1_000_000_000
336
+ time_with_nano = Time.at(v.snapshot / divisor, microseconds)
337
+ time_with_nano.nsec = nanoseconds
338
+ event[k.to_s] = format_for_flowNanoSeconds(time_with_nano)
339
+ when :flowEndNanoseconds
340
+ divisor = 1_000_000_000
341
+ microseconds = (v.snapshot % 1_000_000_000) / 1_000
342
+ nanoseconds = v.snapshot % 1_000_000_000
343
+ time_with_nano = Time.at(v.snapshot / divisor, microseconds)
344
+ time_with_nano.nsec = nanoseconds
345
+ event[k.to_s] = format_for_flowNanoSeconds(time_with_nano)
346
+ else
347
+ event[k.to_s] = v.snapshot
348
+ end
290
349
  end
291
350
 
292
351
  if sampler_id = r['flow_sampler_id']
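Review bot: In the `:flowStartNanoseconds` and `:flowEndNanoseconds` branches, `time_with_nano.nsec = nanoseconds` calls a writer that core `Time` does not define (`nsec` is read-only), so the first record carrying field 156 or 157 would raise NoMethodError instead of producing a timestamp. NetFlow arrives as unauthenticated UDP, so this path is reachable by any exporter whose template includes those fields; whether the exception is rescued is not visible here because the enclosing method starts and ends outside the hunk. The `:first_switched`/`:last_switched` branches also assign nothing when `@switched_times_from_uptime` is set, whereas the removed `each_pair` copied the raw value first, so those keys appear to vanish from the event in that mode. Separately, `format_for_flowSeconds` in the preceding hunk omits the UTC designator its three siblings emit; `time.utc.strftime("%Y-%m-%dT%H:%M:%SZ")` keeps the timestamps unambiguous for correlation. The fence shows the two rewritten branch pairs.

```ruby
r.each_pair do |k, v|
  case k
  when :first_switched, :last_switched
    # Keep the raw uptime-relative value when conversion is disabled
    # instead of dropping the key from the event.
    event[k.to_s] = if @switched_times_from_uptime
                      v.snapshot
                    else
                      format_for_switched(msec_from_boot_to_time(v.snapshot, pdu.uptime, time, 0))
                    end
  # … unchanged: flow*Seconds, flow*Milliseconds and flow*Microseconds branches …
  when :flowStartNanoseconds, :flowEndNanoseconds
    seconds, nanoseconds = v.snapshot.divmod(1_000_000_000)
    # Time has no nsec= writer; pass the sub-second part as a Rational
    # number of microseconds so nanosecond precision is preserved.
    event[k.to_s] = format_for_flowNanoSeconds(Time.at(seconds, Rational(nanoseconds, 1_000)))
  else
    event[k.to_s] = v.snapshot
  end
end
```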
@@ -15,6 +15,10 @@ class Netflow9ParserTest < Test::Unit::TestCase
15
15
  @raw_template ||= File.read(File.expand_path('../dump/netflow.v9.template.dump', __FILE__))
16
16
  end
17
17
 
18
+ def raw_flowStartMilliseconds_template
19
+ @raw_flowStartMilliseconds_template ||= File.read(File.expand_path('../dump/netflow.v9.template.flowStartMilliseconds.dump', __FILE__))
20
+ end
21
+
18
22
  def raw_mpls_template
19
23
  @raw_mpls_template ||= File.read(File.expand_path('../dump/netflow.v9.mpls-template.dump', __FILE__))
20
24
  end
@@ -23,6 +27,10 @@ class Netflow9ParserTest < Test::Unit::TestCase
23
27
  @raw_data ||= File.read(File.expand_path('../dump/netflow.v9.dump', __FILE__))
24
28
  end
25
29
 
30
+ def raw_flowStartMilliseconds_data
31
+ @raw_flowStartMilliseconds_data ||= File.read(File.expand_path('../dump/netflow.v9.flowStartMilliseconds.dump', __FILE__))
32
+ end
33
+
26
34
  def raw_mpls_data
27
35
  @raw_mpls_data ||= File.read(File.expand_path('../dump/netflow.v9.mpls-data.dump', __FILE__))
28
36
  end
@@ -95,6 +103,51 @@ class Netflow9ParserTest < Test::Unit::TestCase
95
103
  assert_equal expected_record, parsed.first[1]
96
104
  end
97
105
 
106
+ test 'parse netflow v9 binary data (flowStartMilliseconds)' do
107
+ parser = create_parser
108
+
109
+ parsed = []
110
+ parser.call raw_flowStartMilliseconds_template, DEFAULT_HOST
111
+ parser.call(raw_flowStartMilliseconds_data, DEFAULT_HOST) do |time, record|
112
+ parsed << [time, record]
113
+ end
114
+
115
+ assert_equal 1, parsed.size
116
+ assert_equal Time.parse('2016-02-12T04:02:25Z').to_i, parsed.first[0]
117
+ expected_record = {
118
+ # header
119
+ 'version' => 9,
120
+ 'flow_seq_num' => 4645895,
121
+ 'flowset_id' => 261,
122
+
123
+ # flowset
124
+ 'in_pkts' => 1,
125
+ 'in_bytes' => 60,
126
+ 'ipv4_src_addr' => '192.168.0.1',
127
+ 'ipv4_dst_addr' => '192.168.0.2',
128
+ 'input_snmp' => 54,
129
+ 'output_snmp' => 29,
130
+ 'flowEndMilliseconds' => '2016-02-12T04:02:09.053Z',
131
+ 'flowStartMilliseconds' => '2016-02-12T04:02:09.053Z',
132
+ 'l4_src_port' => 80,
133
+ 'l4_dst_port' => 32822,
134
+ 'src_as' => 0,
135
+ 'dst_as' => 65000,
136
+ 'bgp_ipv4_next_hop' => '192.168.0.3',
137
+ 'src_mask' => 24,
138
+ 'dst_mask' => 24,
139
+ 'protocol' => 6,
140
+ 'tcp_flags' => 0x12,
141
+ 'src_tos' => 0x0,
142
+ 'direction' => 0,
143
+ 'forwarding_status' => 0b01000000,
144
+ 'flow_sampler_id' => 1,
145
+ 'ingress_vrf_id' => 1610612736,
146
+ 'egress_vrf_id' => 1610612736
147
+ }
148
+ assert_equal expected_record, parsed.first[1]
149
+ end
150
+
98
151
  test 'parse netflow v9 binary data after sampler data is cached' do
99
152
  parser = create_parser
100
153
 
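Review bot: Only the millisecond fields get a fixture and an assertion in this test file; the seconds, microseconds and nanoseconds conversions added to the parser in the same release have no coverage, and the nanosecond branch in particular looks like it cannot run as written. The expected values for `'flowStartMilliseconds'` and `'flowEndMilliseconds'` are also identical (`'2016-02-12T04:02:09.053Z'`), so the test would still pass if the parser swapped the two fields. One case per unit, using a fixture whose start and end differ, would pin each output format. The test class continues outside these hunks.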
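--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: fluent-plugin-netflow
  version: !ruby/object:Gem::Version
- version: 0.2.4
+ version: 0.2.5
  platform: ruby
  authors:
  - Masahiro Nakagawa
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2016-08-23 00:00:00.000000000 Z
+ date: 2016-11-07 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: fluentd
@@ -93,12 +93,14 @@ files:
  - lib/fluent/plugin/vash.rb
  - test/dump/netflow.v5.dump
  - test/dump/netflow.v9.dump
+ - test/dump/netflow.v9.flowStartMilliseconds.dump
  - test/dump/netflow.v9.mpls-data.dump
  - test/dump/netflow.v9.mpls-template.dump
  - test/dump/netflow.v9.sampler.dump
  - test/dump/netflow.v9.sampler_template.dump
  - test/dump/netflow.v9.template.as2.dump
  - test/dump/netflow.v9.template.dump
+ - test/dump/netflow.v9.template.flowStartMilliseconds.dump
  - test/helper.rb
  - test/test_in_netflow.rb
  - test/test_parser_netflow.rb
@@ -130,12 +132,14 @@ summary: Netflow plugin for Fluentd
  test_files:
  - test/dump/netflow.v5.dump
  - test/dump/netflow.v9.dump
+ - test/dump/netflow.v9.flowStartMilliseconds.dump
  - test/dump/netflow.v9.mpls-data.dump
  - test/dump/netflow.v9.mpls-template.dump
  - test/dump/netflow.v9.sampler.dump
  - test/dump/netflow.v9.sampler_template.dump
  - test/dump/netflow.v9.template.as2.dump
  - test/dump/netflow.v9.template.dump
+ - test/dump/netflow.v9.template.flowStartMilliseconds.dump
  - test/helper.rb
  - test/test_in_netflow.rb
  - test/test_parser_netflow.rb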