logstash-codec-netflow 3.2.0 → 3.2.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/logstash/codecs/netflow.rb +12 -10
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/netflow_spec.rb +5 -5
- metadata +31 -33
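--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8eed13d17d78bcdbbb2788a458fb2d6109e3dfce
+data.tar.gz: 3886e83de50aded411f7d5ee26832f56998fbd8b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 15b4bacc7bb1d6263cb9ec4f67ea360b5c0686503ace7442a75b8da99090865cf2e6753cf43a465132b5b42b010afede5607e67ae19f7a78e07c67fd62735d07
+data.tar.gz: 7442867f8718b82330cb1a7c8592ea3c1367e14f1f12966a4db788a751d5a802638706a5c20ce7ccb8cd5e937cf65b210b90fae2c4dde0a5a089430608e17f83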
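--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 3.2.1
+
+- Fix/Refactor IPFIX microsecond/nanosecond interpretation (NTP Timestamp based)
+- Note a possible bug in Netscaler implementation where the fraction is proabably output as microseconds
+- Correct rspec testing for new/correct implementation of microseconds, never noticed the insane values before, mea culpa
+
 ## 3.2.0
 
 - Add Netflow v9/v10 template caching, configurable TTL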
@@ -414,16 +414,18 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
414
414
|
when /^flow(?:Start|End)Seconds$/
|
415
415
|
event[@target][k.to_s] = LogStash::Timestamp.at(v.snapshot).to_iso8601
|
416
416
|
when /^flow(?:Start|End)(Milli|Micro|Nano)seconds$/
|
417
|
-
|
418
|
-
|
419
|
-
|
420
|
-
|
421
|
-
|
422
|
-
|
423
|
-
|
424
|
-
|
425
|
-
|
426
|
-
|
417
|
+
case $1
|
418
|
+
when 'Milli'
|
419
|
+
event[@target][k.to_s] = LogStash::Timestamp.at(v.snapshot.to_f / 1_000).to_iso8601
|
420
|
+
when 'Micro', 'Nano'
|
421
|
+
# For now we'll stick to assuming ntp timestamps,
|
422
|
+
# Netscaler implementation may be buggy though:
|
423
|
+
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11047
|
424
|
+
# This only affects the fraction though
|
425
|
+
ntp_seconds = (v.snapshot >> 32) & 0xFFFFFFFF
|
426
|
+
ntp_fraction = (v.snapshot & 0xFFFFFFFF).to_f / 2**32
|
427
|
+
event[@target][k.to_s] = LogStash::Timestamp.at(Time.utc(1900,1,1).to_i + ntp_seconds, ntp_fraction * 1000000).to_iso8601
|
428
|
+
end
|
427
429
|
else
|
428
430
|
event[@target][k.to_s] = v.snapshot
|
429
431
|
end
|
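Review bot: In the `when 'Micro', 'Nano'` branch, `Time.utc(1900,1,1).to_i + ntp_seconds` fixes every value to NTP era 0 and applies no sanity check, so a field of all zeroes is emitted as `1900-01-01T00:00:00.000Z` and seconds past the 2036 wrap land back in 1900. `v.snapshot` is whatever the exporter put on the wire, so such values flow straight into `flowStart*`/`flowEnd*` and can skew timelines or alerting built on them. I would record the limitation next to the existing comment, e.g. `# NTP era 0 only: a zero field decodes to 1900-01-01 and seconds wrap in 2036`, and consider leaving a zero value undecoded. The ISO 8601 strings expected in the spec carry milliseconds only, so the sub-millisecond part of the fraction appears to be dropped on output, which is worth stating in the comment too. The enclosing method begins and ends outside this hunk.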
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
4
|
-
s.version = '3.2.
|
4
|
+
s.version = '3.2.1'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
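--- a/data/spec/codecs/netflow_spec.rb
+++ b/data/spec/codecs/netflow_spec.rb
@@ -984,7 +984,7 @@ describe LogStash::Codecs::Netflow do
 "netscalerHttpReqUserAgent": "Mozilla/5.0 (Commodore 64; kobo.com) Gecko/20100101 Firefox/75.0",
 "destinationTransportPort": 443,
 "netscalerHttpReqCookie": "beer=123456789abcdefghijklmnopqrstuvw; AnotherCookie=1234567890abcdefghijklmnopqr; Shameless.Plug=Thankyou.Rakuten.Kobo.Inc.For.Allowing.me.time.to.work.on.this.and.contribute.back.to.the.community; Padding=aaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbccccccccccccccddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffgggggggggggggggggggggggghhhhhhhhhhhhhhhhhiiiiiiiiiiiiiiiiiiiiiijjjjjjjjjjjjjjjjjjjjjjjjkkkkkkkkkkkkkkkkkklllllllllllllllmmmmmmmmmm; more=less; GJquote=There.is.no.spoon; GarrySays=Nice!!; LastPadding=aaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbcccccccccccccccccccdddddddddddeeeeeeee",
-"flowEndMicroseconds": "
+"flowEndMicroseconds": "2016-11-11T12:09:19.000Z",
 "netscalerHttpReqUrl": "/aa/bb/ccccc/ddddddddddddddddddddddddd",
 "sourceIPv4Address": "192.168.0.1",
 "netscalerHttpReqMethod": "GET",
@@ -1003,7 +1003,7 @@ describe LogStash::Codecs::Netflow do
 "netscalerHttpReqVia": "1.1 akamai.net(ghost) (AkamaiGHost)",
 "netscalerConnectionId": 14460661,
 "tcpControlBits": 24,
-"flowStartMicroseconds": "
+"flowStartMicroseconds": "2016-11-11T12:09:19.000Z",
 "ingressInterface": 8,
 "version": 10,
 "packetDeltaCount": 2,
@@ -1031,7 +1031,7 @@ describe LogStash::Codecs::Netflow do
 expect(decode[0].get("[netflow][version]")).to eq(10)
 expect(decode[0].get("[netflow][sourceIPv4Address]")).to eq('192.168.0.1')
 expect(decode[0].get("[netflow][destinationIPv4Address]")).to eq('10.0.0.1')
-expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('
+expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('2016-11-11T12:09:19.000Z')
 expect(decode[0].get("[netflow][netscalerConnectionId]")).to eq(14460661)
 expect(decode[1].get("[netflow][version]")).to eq(10)
 expect(decode[1].get("[netflow][flowId]")).to eq(14460662)
@@ -1215,7 +1215,7 @@ describe LogStash::Codecs::Netflow, 'configured with template caching', :order =
 it "should decode raw data based on cached templates" do
 expect(decode.size).to eq(3)
 expect(decode[0].get("[netflow][version]")).to eq(10)
-expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('
+expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('2016-11-11T12:09:19.000Z')
 expect(decode[0].get("[netflow][netscalerConnectionId]")).to eq(14460661)
 expect(decode[1].get("[netflow][version]")).to eq(10)
 expect(decode[1].get("[netflow][observationPointId]")).to eq(167954698)
@@ -1256,7 +1256,7 @@ describe LogStash::Codecs::Netflow, 'configured with include_flowset_id for ipfi
 it "should decode raw data" do
 expect(decode.size).to eq(3)
 expect(decode[0].get("[netflow][version]")).to eq(10)
-expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('
+expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('2016-11-11T12:09:19.000Z')
 expect(decode[0].get("[netflow][netscalerConnectionId]")).to eq(14460661)
 expect(decode[1].get("[netflow][version]")).to eq(10)
 expect(decode[1].get("[netflow][observationPointId]")).to eq(167954698)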
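Review bot: Every updated expectation in this file ends in `.000Z`, for `flowStartMicroseconds` and `flowEndMicroseconds` alike, so the fractional half of the new NTP conversion is never asserted with a value that survives rounding to milliseconds. A regression in `ntp_fraction` (wrong divisor, wrong unit passed to `LogStash::Timestamp.at`) would presumably still pass these examples. I would add one example decoded from a record whose fraction is known to be at least a millisecond and assert the full string, and one for an all-zero timestamp field so the 1900-epoch result is a documented, deliberate outcome. The fixtures themselves are not visible on this page, so whether the Netscaler capture can supply such a record is to be confirmed.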
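--- a/metadata
+++ b/metadata
@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-netflow
 version: !ruby/object:Gem::Version
-version: 3.2.
+version: 3.2.1
 platform: ruby
 authors:
 - Elastic
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-
+date: 2016-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-name: logstash-core-plugin-api
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '>='
@@ -20,8 +19,9 @@ dependencies:
 - - <=
 - !ruby/object:Gem::Version
 version: '2.99'
-
+name: logstash-core-plugin-api
 prerelease: false
+type: :runtime
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '>='
@@ -31,47 +31,54 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '2.99'
 - !ruby/object:Gem::Dependency
-name: bindata
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '>='
 - !ruby/object:Gem::Version
 version: 1.5.0
-
+name: bindata
 prerelease: false
+type: :runtime
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '>='
 - !ruby/object:Gem::Version
 version: 1.5.0
 - !ruby/object:Gem::Dependency
-name: logstash-devutils
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '>='
 - !ruby/object:Gem::Version
 version: 1.0.0
-
+name: logstash-devutils
 prerelease: false
+type: :development
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '>='
 - !ruby/object:Gem::Version
 version: 1.0.0
-description: This gem is a Logstash plugin required to be installed on top of the
-Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
-gem is not a stand-alone program
+description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/codecs/netflow.rb
 - lib/logstash/codecs/netflow/iana2yaml.rb
-- lib/logstash/codecs/netflow/netflow.yaml
 - lib/logstash/codecs/netflow/ipfix.yaml
+- lib/logstash/codecs/netflow/netflow.yaml
 - lib/logstash/codecs/netflow/util.rb
--
+- logstash-codec-netflow.gemspec
 - spec/codecs/ipfix.dat
+- spec/codecs/ipfix_test_netscaler_data.dat
+- spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
 - spec/codecs/netflow5.dat
@@ -90,27 +97,18 @@ files:
 - spec/codecs/netflow9_test_nprobe_data.dat
 - spec/codecs/netflow9_test_nprobe_tpl.dat
 - spec/codecs/netflow9_test_softflowd_tpl_data.dat
-- spec/codecs/netflow9_test_valid01.dat
-- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
-- spec/codecs/
-- spec/codecs/
+- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
+- spec/codecs/netflow9_test_valid01.dat
 - spec/codecs/netflow_spec.rb
-- logstash-codec-netflow.gemspec
-- README.md
-- CHANGELOG.md
-- CONTRIBUTORS
-- Gemfile
-- LICENSE
-- NOTICE.TXT
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
 metadata:
 logstash_plugin: 'true'
 logstash_group: codec
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -125,13 +123,15 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.
-signing_key:
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
 specification_version: 4
 summary: The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows.
 test_files:
 - spec/codecs/ipfix.dat
+- spec/codecs/ipfix_test_netscaler_data.dat
+- spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
 - spec/codecs/netflow5.dat
@@ -150,10 +150,8 @@ test_files:
 - spec/codecs/netflow9_test_nprobe_data.dat
 - spec/codecs/netflow9_test_nprobe_tpl.dat
 - spec/codecs/netflow9_test_softflowd_tpl_data.dat
-- spec/codecs/netflow9_test_valid01.dat
-- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
-- spec/codecs/
-- spec/codecs/
+- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
+- spec/codecs/netflow9_test_valid01.dat
 - spec/codecs/netflow_spec.rb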