logstash-codec-netflow 3.2.1 → 3.2.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/CONTRIBUTORS +1 -0
- data/lib/logstash/codecs/netflow/ipfix.yaml +31 -0
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/ipfix_test_vmware_vds_data264.dat +0 -0
- data/spec/codecs/ipfix_test_vmware_vds_data266.dat +0 -0
- data/spec/codecs/ipfix_test_vmware_vds_data266_267.dat +0 -0
- data/spec/codecs/ipfix_test_vmware_vds_tpl.dat +0 -0
- data/spec/codecs/netflow_spec.rb +184 -0
- metadata +10 -2
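--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 05a98ccdb2cc8a75bdda0d5186e17385e4fbb3f2
+data.tar.gz: e78c49964d3d50a6904895ec9329da7607dcfc81
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 84be91763bb7159eefb3f924176955deca396b95fbe09a189c1554d892bac06f34591b2147d91302964b29e69441753139e0f859bbc7741b99ec51ba38f0e642
+data.tar.gz: a2530632510c75b0aa30a153f1f3f199a9c178777e376d2a9dcaf602140de9d866e94775b230e9955c6cbb0921e97aa6da9187d909830a85906b1f82b76b6531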
data/CHANGELOG.md
CHANGED
data/CONTRIBUTORS
CHANGED
@@ -1866,6 +1866,37 @@
|
|
1866
1866
|
465:
|
1867
1867
|
- :uint32
|
1868
1868
|
- :netscalerUnknown465
|
1869
|
+
6876:
|
1870
|
+
880:
|
1871
|
+
- :uint8
|
1872
|
+
- :vmwareUnknown880
|
1873
|
+
881:
|
1874
|
+
- :uint32
|
1875
|
+
- :vmwareUnknown881
|
1876
|
+
882:
|
1877
|
+
- :uint32
|
1878
|
+
- :vmwareUnknown882
|
1879
|
+
883:
|
1880
|
+
- :string
|
1881
|
+
- :vmwareUnknown883
|
1882
|
+
884:
|
1883
|
+
- :string
|
1884
|
+
- :vmwareUnknown884
|
1885
|
+
886:
|
1886
|
+
- :uint16
|
1887
|
+
- :vmwareUnknown886
|
1888
|
+
887:
|
1889
|
+
- :uint16
|
1890
|
+
- :vmwareUnknown887
|
1891
|
+
888:
|
1892
|
+
- :uint16
|
1893
|
+
- :vmwareUnknown888
|
1894
|
+
889:
|
1895
|
+
- :uint8
|
1896
|
+
- :vmwareUnknown889
|
1897
|
+
890:
|
1898
|
+
- :uint16
|
1899
|
+
- :vmwareUnknown890
|
1869
1900
|
29305:
|
1870
1901
|
1:
|
1871
1902
|
- :uint64
|
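Review bot: The new `6876:` block carries no comment naming the vendor or the source of the element types, and every name in it is a `vmwareUnknownNNN` placeholder. 6876 is VMware's IANA private enterprise number, so a line such as `# 6876: VMware (IANA PEN); element semantics undocumented, names are placeholders` above the block would warn readers that these names may change, which matters to anyone keying dashboards or detections on fields like `[netflow][vmwareUnknown888]`. Element 885 is missing between 884 and 886; if that is deliberate, a short comment should say so. The file header for this hunk is missing on the page (its content and the +31 count point to `data/lib/logstash/codecs/netflow/ipfix.yaml`) and indentation is not shown, so the nesting of `880:` under `6876:` is inferred.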
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
4
|
-
s.version = '3.2.
|
4
|
+
s.version = '3.2.2'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
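--- a/data/spec/codecs/netflow_spec.rb
+++ b/data/spec/codecs/netflow_spec.rb
@@ -1062,6 +1062,188 @@ describe LogStash::Codecs::Netflow do
 expect(JSON.parse(decode[2].to_json)).to eq(JSON.parse(json_events[0]))
 end
 end
+
+context "IPFIX VMware virtual distributed switch" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_tpl.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_data264.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_data266.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_data266_267.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow": {
+"destinationIPv4Address": "172.18.65.211",
+"destinationTransportPort": 5985,
+"tcpControlBits": 2,
+"vmwareUnknown890": 1,
+"sourceIPv4Address": "172.18.65.21",
+"ingressInterface": 3,
+"ipClassOfService": 0,
+"version": 10,
+"packetDeltaCount": 2,
+"flowEndReason": 1,
+"protocolIdentifier": 6,
+"flowDirection": 1,
+"layer2SegmentId": 0,
+"egressInterface": 11,
+"octetDeltaCount": 100,
+"sourceTransportPort": 61209,
+"flowEndMilliseconds": "2016-12-22T12:17:37.000Z",
+"maximumTTL": 128,
+"vmwareUnknown888": 2,
+"flowStartMilliseconds": "2016-12-22T12:17:37.000Z",
+"vmwareUnknown889": 0
+},
+"@timestamp": "2016-12-22T12:17:52.000Z",
+"@version": "1"
+}
+END
+
+events << <<-END
+{
+"netflow": {
+"destinationIPv4Address": "172.18.65.255",
+"destinationTransportPort": 138,
+"tcpControlBits": 0,
+"vmwareUnknown890": 1,
+"sourceIPv4Address": "172.18.65.91",
+"ingressInterface": 2,
+"ipClassOfService": 0,
+"version": 10,
+"packetDeltaCount": 1,
+"flowEndReason": 1,
+"protocolIdentifier": 17,
+"flowDirection": 1,
+"layer2SegmentId": 0,
+"egressInterface": 10,
+"octetDeltaCount": 229,
+"sourceTransportPort": 138,
+"flowEndMilliseconds": "2016-12-22T12:17:42.000Z",
+"maximumTTL": 128,
+"vmwareUnknown888": 2,
+"flowStartMilliseconds": "2016-12-22T12:17:42.000Z",
+"vmwareUnknown889": 0
+},
+"@timestamp": "2016-12-22T12:17:56.000Z",
+"@version": "1"
+}
+END
+
+events << <<-END
+{
+"netflow": {
+"destinationIPv4Address": "172.18.65.255",
+"destinationTransportPort": 138,
+"tcpControlBits": 0,
+"vmwareUnknown890": 1,
+"sourceIPv4Address": "172.18.65.91",
+"ingressInterface": 3,
+"ipClassOfService": 0,
+"version": 10,
+"packetDeltaCount": 1,
+"flowEndReason": 1,
+"protocolIdentifier": 17,
+"flowDirection": 1,
+"layer2SegmentId": 0,
+"egressInterface": 11,
+"octetDeltaCount": 229,
+"sourceTransportPort": 138,
+"flowEndMilliseconds": "2016-12-22T12:17:42.000Z",
+"maximumTTL": 128,
+"vmwareUnknown888": 2,
+"flowStartMilliseconds": "2016-12-22T12:17:42.000Z",
+"vmwareUnknown889": 0
+},
+"@timestamp": "2016-12-22T12:17:56.000Z",
+"@version": "1"
+}
+END
+
+events << <<-END
+{
+"netflow": {
+"destinationIPv4Address": "224.0.0.252",
+"destinationTransportPort": 5355,
+"tcpControlBits": 0,
+"vmwareUnknown890": 1,
+"sourceIPv4Address": "172.18.65.21",
+"ingressInterface": 3,
+"ipClassOfService": 0,
+"version": 10,
+"packetDeltaCount": 2,
+"flowEndReason": 1,
+"protocolIdentifier": 17,
+"flowDirection": 1,
+"layer2SegmentId": 0,
+"egressInterface": 11,
+"octetDeltaCount": 104,
+"sourceTransportPort": 61329,
+"flowEndMilliseconds": "2016-12-22T12:25:49.000Z",
+"maximumTTL": 1,
+"vmwareUnknown888": 2,
+"flowStartMilliseconds": "2016-12-22T12:25:49.000Z",
+"vmwareUnknown889": 0
+},
+"@timestamp": "2016-12-22T12:26:04.000Z",
+"@version": "1"
+}
+END
+
+events << <<-END
+{
+"netflow": {
+"destinationTransportPort": 5355,
+"tcpControlBits": 0,
+"vmwareUnknown890": 1,
+"ingressInterface": 3,
+"ipClassOfService": 0,
+"version": 10,
+"packetDeltaCount": 2,
+"flowEndReason": 1,
+"sourceIPv6Address": "fe80::5187:5cd8:d750:cdc9",
+"protocolIdentifier": 17,
+"flowDirection": 1,
+"layer2SegmentId": 0,
+"egressInterface": 11,
+"octetDeltaCount": 144,
+"destinationIPv6Address": "ff02::1:3",
+"sourceTransportPort": 61329,
+"flowEndMilliseconds": "2016-12-22T12:25:49.000Z",
+"maximumTTL": 1,
+"vmwareUnknown888": 2,
+"flowStartMilliseconds": "2016-12-22T12:25:49.000Z",
+"vmwareUnknown889": 0
+},
+"@timestamp": "2016-12-22T12:26:04.000Z",
+"@version": "1"
+}
+END
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(5)
+expect(decode[4].get("[netflow][sourceIPv6Address]")).to eq("fe80::5187:5cd8:d750:cdc9")
+expect(decode[4].get("[netflow][destinationIPv6Address]")).to eq("ff02::1:3")
+expect(decode[4].get("[netflow][octetDeltaCount]")).to eq(144)
+expect(decode[4].get("[netflow][destinationTransportPort]")).to eq(5355)
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[1]))
+expect(JSON.parse(decode[2].to_json)).to eq(JSON.parse(json_events[2]))
+expect(JSON.parse(decode[3].to_json)).to eq(JSON.parse(json_events[3]))
+expect(JSON.parse(decode[4].to_json)).to eq(JSON.parse(json_events[4]))
+end
+
+end
+
 end
 
 describe LogStash::Codecs::Netflow, 'missing templates, no template caching configured' do
@@ -1270,4 +1452,6 @@ describe LogStash::Codecs::Netflow, 'configured with include_flowset_id for ipfi
 expect(decode[1].get("[netflow][flowset_id]")).to eq(257)
 expect(decode[2].get("[netflow][flowset_id]")).to eq(258)
 end
+
+
 end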
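Review bot: The `IPFIX VMware virtual distributed switch` context exercises only three of the ten new enterprise elements: every expected event carries `vmwareUnknown888`, `vmwareUnknown889` and `vmwareUnknown890`, and none carries 880–884, 886 or 887. The two elements typed `:string` in the field definitions shown on this page (883 and 884) are the ones most worth a decode test, because string length handling is a likely failure point when parsing untrusted flow data. A capture whose template includes them would close that gap, or a comment in the context could state that they are untested. In `should decode raw data`, an assertion on an enterprise field such as `expect(decode[4].get("[netflow][vmwareUnknown888]")).to eq(2)` would check the new definitions independently of the JSON comparison.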
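--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-netflow
 version: !ruby/object:Gem::Version
-version: 3.2.
+version: 3.2.2
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-
+date: 2016-12-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -81,6 +81,10 @@ files:
 - spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
+- spec/codecs/ipfix_test_vmware_vds_data264.dat
+- spec/codecs/ipfix_test_vmware_vds_data266.dat
+- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
+- spec/codecs/ipfix_test_vmware_vds_tpl.dat
 - spec/codecs/netflow5.dat
 - spec/codecs/netflow5_test_invalid01.dat
 - spec/codecs/netflow5_test_invalid02.dat
@@ -134,6 +138,10 @@ test_files:
 - spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
+- spec/codecs/ipfix_test_vmware_vds_data264.dat
+- spec/codecs/ipfix_test_vmware_vds_data266.dat
+- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
+- spec/codecs/ipfix_test_vmware_vds_tpl.dat
 - spec/codecs/netflow5.dat
 - spec/codecs/netflow5_test_invalid01.dat
 - spec/codecs/netflow5_test_invalid02.dat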