logstash-codec-netflow 3.5.0 → 3.5.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/CONTRIBUTORS +3 -0
- data/docs/index.asciidoc +36 -41
- data/lib/logstash/codecs/netflow.rb +13 -95
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/ipfix_test_barracuda_data256.dat +0 -0
- data/spec/codecs/ipfix_test_barracuda_tpl.dat +0 -0
- data/spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat +0 -0
- data/spec/codecs/netflow9_test_fortigate_fortios_521_data257.dat +0 -0
- data/spec/codecs/netflow9_test_fortigate_fortios_521_tpl.dat +0 -0
- data/spec/codecs/netflow_spec.rb +119 -1
- metadata +13 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 936d05f955f0c16ab55b3a6998302ca2f283c2d2
|
4
|
+
data.tar.gz: f6f16b2055779fe96113d8f61d281fb27e4673cf
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e1e1bcb5abd65d89dc491122bfb99bda3b4fd20a9e17cc58753779e14b4b255c43c9d3a50ede39a5e6ed51a41999131bc1c844b2ee277863318a8724d9e995be
|
7
|
+
data.tar.gz: 1358d6678af2221b0087953f0e327de3f7916dbbf2513872000a2ef261701695c69a55a17f505ffbeb74a5c4e30419cb6cfe2b539a8b1dc09adf567643877f97
|
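--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 3.5.1
+
+- Added test for Fortigate FortiOS 5.2 (Netflow v9)
+- Added permission check to templates cache (Issue #80)
+- Clarified confusing warning about missing templates
+- Added test for Barracuda firewall (IPFIX)
+
 ## 3.5.0
 
 - Added support for Cisco WLC (Netflow v9)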
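--- a/data/CONTRIBUTORS
+++ b/data/CONTRIBUTORS
@@ -9,11 +9,14 @@ Contributors:
 * Diyaldine Maoulida
 * Evgeniy Sudyr (ejectck)
 * G.J. Moed (gjmoed)
+* Gmoz Shih
+* Jeremy Foran (jeremyforan)
 * Jordan Sissel (jordansissel)
 * Jorrit Folmer (jorritfolmer)
 * Keenan Tims (ktims)
 * Matt Dainty (bodgit)
 * Paul Warren (pwarren)
+* Philipp Kahr
 * Pier-Hugues Pellerin (ph)
 * Pulkit Agrawal (propulkit)
 * Raju Nair (rajutech76)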
data/docs/index.asciidoc
CHANGED
@@ -12,7 +12,7 @@ START - GENERATED VARIABLES, DO NOT EDIT!
|
|
12
12
|
END - GENERATED VARIABLES, DO NOT EDIT!
|
13
13
|
///////////////////////////////////////////
|
14
14
|
|
15
|
-
[id="plugins-{type}-{plugin}"]
|
15
|
+
[id="plugins-{type}s-{plugin}"]
|
16
16
|
|
17
17
|
=== Netflow codec plugin
|
18
18
|
|
@@ -24,56 +24,46 @@ The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
|
|
24
24
|
|
25
25
|
==== Supported Netflow/IPFIX exporters
|
26
26
|
|
27
|
+
This codec supports:
|
28
|
+
|
29
|
+
* Netflow v5
|
30
|
+
* Netflow v9
|
31
|
+
* IPFIX
|
32
|
+
|
27
33
|
The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
|
28
34
|
|
29
35
|
[cols="6,^2,^2,^2,12",options="header"]
|
30
36
|
|===========================================================================================
|
31
|
-
|Netflow exporter
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|Cisco
|
36
|
-
|Cisco
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
37
|
+
|Netflow exporter | v5 | v9 | IPFIX | Remarks
|
38
|
+
|Barracuda Firewall | | | y |
|
39
|
+
|Cisco ASA | | y | |
|
40
|
+
|Cisco ASR | | y | |
|
41
|
+
|Cisco IOS 12.x | | y | |
|
42
|
+
|Cisco WLC | | y | |
|
43
|
+
|Citrix Netscaler | | | y | Still some unknown fields, labeled netscalerUnknown<id>
|
44
|
+
|fprobe | y | | |
|
45
|
+
|Fortigate FortiOS 5.2 | | y | |
|
46
|
+
|ipt_NETFLOW | y | y | y |
|
47
|
+
|Juniper MX80 | y | | | SW > 12.3R8
|
48
|
+
|Mikrotik 6.35.4 | y | | n | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
|
49
|
+
|nProbe | y | y | y |
|
50
|
+
|OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
|
51
|
+
|Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd
|
52
|
+
|Streamcore Streamgroomer | | y | |
|
53
|
+
|Ubiquiti Edgerouter X | | y | | With MPLS labels
|
54
|
+
|VMware VDS | | | y | Still some unknown fields
|
43
55
|
|===========================================================================================
|
44
56
|
|
45
57
|
==== Usage
|
46
58
|
|
47
|
-
Example Logstash configuration:
|
59
|
+
Example Logstash configuration that will listen on 2055/udp for Netflow v5,v9 and IPFIX:
|
48
60
|
|
49
61
|
[source, ruby]
|
50
62
|
--------------------------
|
51
63
|
input {
|
52
64
|
udp {
|
53
|
-
host => localhost
|
54
65
|
port => 2055
|
55
|
-
codec => netflow
|
56
|
-
versions => [5, 9]
|
57
|
-
}
|
58
|
-
type => netflow
|
59
|
-
}
|
60
|
-
udp {
|
61
|
-
host => localhost
|
62
|
-
port => 4739
|
63
|
-
codec => netflow {
|
64
|
-
versions => [10]
|
65
|
-
target => ipfix
|
66
|
-
}
|
67
|
-
type => ipfix
|
68
|
-
}
|
69
|
-
tcp {
|
70
|
-
host => localhost
|
71
|
-
port => 4739
|
72
|
-
codec => netflow {
|
73
|
-
versions => [10]
|
74
|
-
target => ipfix
|
75
|
-
}
|
76
|
-
type => ipfix
|
66
|
+
codec => netflow
|
77
67
|
}
|
78
68
|
}
|
79
69
|
--------------------------
|
@@ -101,10 +91,15 @@ input {
|
|
101
91
|
* Value type is <<path,path>>
|
102
92
|
* There is no default value for this setting.
|
103
93
|
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
94
|
+
Enables the template cache and saves it in the specified directory. This
|
95
|
+
minimizes data loss after Logstash restarts because the codec doesn't have to
|
96
|
+
wait for the arrival of templates, but instead reload already received
|
97
|
+
templates received during previous runs.
|
98
|
+
|
99
|
+
Template caches are saved as:
|
100
|
+
|
101
|
+
* <<path,path>>/netflow_templates.cache for Netflow v9 templates.
|
102
|
+
* <<path,path>>/ipfix_templates.cache for IPFIX templates.
|
108
103
|
|
109
104
|
[id="plugins-{type}s-{plugin}-cache_ttl"]
|
110
105
|
===== `cache_ttl`
|
@@ -5,63 +5,7 @@ require "logstash/timestamp"
|
|
5
5
|
#require "logstash/json"
|
6
6
|
require "json"
|
7
7
|
|
8
|
-
#
|
9
|
-
#
|
10
|
-
# ==== Supported Netflow/IPFIX exporters
|
11
|
-
#
|
12
|
-
# The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
|
13
|
-
#
|
14
|
-
# [cols="6,^2,^2,^2,12",options="header"]
|
15
|
-
# |===========================================================================================
|
16
|
-
# |Netflow exporter | v5 | v9 | IPFIX | Remarks
|
17
|
-
# |Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd
|
18
|
-
# |nProbe | y | y | y |
|
19
|
-
# |ipt_NETFLOW | y | y | y |
|
20
|
-
# |Cisco ASA | | y | |
|
21
|
-
# |Cisco IOS 12.x | | y | |
|
22
|
-
# |fprobe | y | | |
|
23
|
-
# |Juniper MX80 | y | | | SW > 12.3R8
|
24
|
-
# |OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
|
25
|
-
# |Mikrotik 6.35.4 | y | | n | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
|
26
|
-
# |Ubiquiti Edgerouter X | | y | | With MPLS labels
|
27
|
-
# |Citrix Netscaler | | | y | Still some unknown fields, labeled netscalerUnknown<id>
|
28
|
-
# |===========================================================================================
|
29
|
-
#
|
30
|
-
# ==== Usage
|
31
|
-
#
|
32
|
-
# Example Logstash configuration:
|
33
|
-
#
|
34
|
-
# [source, ruby]
|
35
|
-
# --------------------------
|
36
|
-
# input {
|
37
|
-
# udp {
|
38
|
-
# host => localhost
|
39
|
-
# port => 2055
|
40
|
-
# codec => netflow {
|
41
|
-
# versions => [5, 9]
|
42
|
-
# }
|
43
|
-
# type => netflow
|
44
|
-
# }
|
45
|
-
# udp {
|
46
|
-
# host => localhost
|
47
|
-
# port => 4739
|
48
|
-
# codec => netflow {
|
49
|
-
# versions => [10]
|
50
|
-
# target => ipfix
|
51
|
-
# }
|
52
|
-
# type => ipfix
|
53
|
-
# }
|
54
|
-
# tcp {
|
55
|
-
# host => localhost
|
56
|
-
# port => 4739
|
57
|
-
# codec => netflow {
|
58
|
-
# versions => [10]
|
59
|
-
# target => ipfix
|
60
|
-
# }
|
61
|
-
# type => ipfix
|
62
|
-
# }
|
63
|
-
# }
|
64
|
-
# --------------------------
|
8
|
+
# Documentation moved to docs/
|
65
9
|
|
66
10
|
class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
67
11
|
config_name "netflow"
|
@@ -87,42 +31,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
87
31
|
config :versions, :validate => :array, :default => [5, 9, 10]
|
88
32
|
|
89
33
|
# Override YAML file containing Netflow field definitions
|
90
|
-
#
|
91
|
-
# Each Netflow field is defined like so:
|
92
|
-
#
|
93
|
-
# [source,yaml]
|
94
|
-
# --------------------------
|
95
|
-
# id:
|
96
|
-
# - default length in bytes
|
97
|
-
# - :name
|
98
|
-
# id:
|
99
|
-
# - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
|
100
|
-
# - :name
|
101
|
-
# id:
|
102
|
-
# - :skip
|
103
|
-
# --------------------------
|
104
|
-
#
|
105
|
-
# See <https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml> for the base set.
|
106
34
|
config :netflow_definitions, :validate => :path
|
107
35
|
|
108
36
|
# Override YAML file containing IPFIX field definitions
|
109
|
-
#
|
110
|
-
# Very similar to the Netflow version except there is a top level Private
|
111
|
-
# Enterprise Number (PEN) key added:
|
112
|
-
#
|
113
|
-
# [source,yaml]
|
114
|
-
# --------------------------
|
115
|
-
# pen:
|
116
|
-
# id:
|
117
|
-
# - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
|
118
|
-
# - :name
|
119
|
-
# id:
|
120
|
-
# - :skip
|
121
|
-
# --------------------------
|
122
|
-
#
|
123
|
-
# There is an implicit PEN 0 for the standard fields.
|
124
|
-
#
|
125
|
-
# See <https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml> for the base set.
|
126
37
|
config :ipfix_definitions, :validate => :path
|
127
38
|
|
128
39
|
NETFLOW5_FIELDS = ['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records']
|
@@ -158,19 +69,25 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
158
69
|
|
159
70
|
if @cache_save_path
|
160
71
|
if @versions.include?(9)
|
161
|
-
|
72
|
+
cache_save_file_netflow = "#{@cache_save_path}/netflow_templates.cache"
|
73
|
+
if File.exists?(cache_save_file_netflow)
|
74
|
+
raise "#{self.class.name}: Template cache file #{cache_save_file_netflow} not writable" unless File.writable?(cache_save_file_netflow)
|
162
75
|
@netflow_templates_cache = load_templates_cache("#{@cache_save_path}/netflow_templates.cache")
|
163
76
|
@netflow_templates_cache.each{ |key, fields| @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
|
164
77
|
else
|
78
|
+
raise "#{self.class.name}: Template cache directory #{cache_save_path} not writable" unless File.writable?(cache_save_path)
|
165
79
|
@netflow_templates_cache = {}
|
166
80
|
end
|
167
81
|
end
|
168
82
|
|
169
83
|
if @versions.include?(10)
|
170
|
-
|
84
|
+
cache_save_file_ipfix = "#{@cache_save_path}/ipfix_templates.cache"
|
85
|
+
if File.exists?(cache_save_file_ipfix)
|
86
|
+
raise "#{self.class.name}: Template cache file #{cache_save_file_ipfix} not writable" unless File.writable?(cache_save_file_ipfix)
|
171
87
|
@ipfix_templates_cache = load_templates_cache("#{@cache_save_path}/ipfix_templates.cache")
|
172
88
|
@ipfix_templates_cache.each{ |key, fields| @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
|
173
89
|
else
|
90
|
+
raise "#{self.class.name}: Template cache directory #{cache_save_path} not writable" unless File.writable?(cache_save_path)
|
174
91
|
@ipfix_templates_cache = {}
|
175
92
|
end
|
176
93
|
end
|
@@ -321,8 +238,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
321
238
|
template = @netflow_templates[key]
|
322
239
|
|
323
240
|
unless template
|
324
|
-
|
325
|
-
@logger.warn("No matching template for flow id #{record.flowset_id}")
|
241
|
+
@logger.warn("Can't (yet) decode flowset id #{record.flowset_id} from source id #{flowset.source_id}, because no template to decode it with has been received. This message will usually go away after 1 minute.")
|
326
242
|
return events
|
327
243
|
end
|
328
244
|
|
@@ -414,7 +330,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
414
330
|
template = @ipfix_templates[key]
|
415
331
|
|
416
332
|
unless template
|
417
|
-
@logger.warn("
|
333
|
+
@logger.warn("Can't (yet) decode flowset id #{record.flowset_id} from observation domain id #{flowset.observation_domain_id}, because no template to decode it with has been received. This message will usually go away after 1 minute.")
|
418
334
|
return events
|
419
335
|
end
|
420
336
|
|
@@ -491,6 +407,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
491
407
|
def load_templates_cache(file_path)
|
492
408
|
templates_cache = {}
|
493
409
|
begin
|
410
|
+
@logger.debug? and @logger.debug("Loading templates from template cache #{file_path}")
|
494
411
|
templates_cache = JSON.parse(File.read(file_path))
|
495
412
|
rescue Exception => e
|
496
413
|
raise "#{self.class.name}: templates cache file corrupt (#{file_path})"
|
@@ -501,6 +418,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
501
418
|
|
502
419
|
def save_templates_cache(templates_cache, file_path)
|
503
420
|
begin
|
421
|
+
@logger.debug? and @logger.debug("Writing templates to template cache #{file_path}")
|
504
422
|
File.open(file_path, 'w') {|file| file.write templates_cache.to_json }
|
505
423
|
rescue Exception => e
|
506
424
|
raise "#{self.class.name}: saving templates cache file failed (#{file_path}) with error #{e}"
|
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
4
|
-
s.version = '3.5.
|
4
|
+
s.version = '3.5.1'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
data/spec/codecs/netflow_spec.rb
CHANGED
@@ -966,6 +966,76 @@ describe LogStash::Codecs::Netflow do
|
|
966
966
|
|
967
967
|
end
|
968
968
|
|
969
|
+
context "Netflow 9 Fortigate FortiOS 5.2.1" do
|
970
|
+
let(:data) do
|
971
|
+
packets = []
|
972
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_fortigate_fortios_521_tpl.dat"), :mode => "rb")
|
973
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_fortigate_fortios_521_data256.dat"), :mode => "rb")
|
974
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_fortigate_fortios_521_data257.dat"), :mode => "rb")
|
975
|
+
end
|
976
|
+
|
977
|
+
let(:json_events) do
|
978
|
+
events = []
|
979
|
+
events << <<-END
|
980
|
+
{
|
981
|
+
"netflow": {
|
982
|
+
"flow_seq_num": 13641,
|
983
|
+
"scope_system": 1,
|
984
|
+
"total_bytes_exp": 6871319015,
|
985
|
+
"total_flows_exp": 107864,
|
986
|
+
"flow_active_timeout": 1800,
|
987
|
+
"flow_inactive_timeout": 15,
|
988
|
+
"flowset_id": 256,
|
989
|
+
"total_pkts_exp": 11920854,
|
990
|
+
"version": 9,
|
991
|
+
"sampling_algorithm": 1,
|
992
|
+
"sampling_interval": 1
|
993
|
+
},
|
994
|
+
"@timestamp": "2017-07-18T05:42:14.000Z",
|
995
|
+
"@version": "1"
|
996
|
+
}
|
997
|
+
END
|
998
|
+
|
999
|
+
events << <<-END
|
1000
|
+
{
|
1001
|
+
"netflow": {
|
1002
|
+
"output_snmp": 3,
|
1003
|
+
"in_pkts": 3,
|
1004
|
+
"ipv4_dst_addr": "31.13.87.36",
|
1005
|
+
"first_switched": "2017-07-25T04:44:29.999Z",
|
1006
|
+
"flowset_id": 257,
|
1007
|
+
"l4_src_port": 61910,
|
1008
|
+
"version": 9,
|
1009
|
+
"flow_seq_num": 13635,
|
1010
|
+
"ipv4_src_addr": "192.168.99.7",
|
1011
|
+
"in_bytes": 152,
|
1012
|
+
"protocol": 6,
|
1013
|
+
"last_switched": "2017-07-25T04:44:38.999Z",
|
1014
|
+
"input_snmp": 9,
|
1015
|
+
"out_pkts": 0,
|
1016
|
+
"out_bytes": 0,
|
1017
|
+
"l4_dst_port": 443
|
1018
|
+
},
|
1019
|
+
"@timestamp": "2017-07-18T05:41:59.000Z",
|
1020
|
+
"@version": "1"
|
1021
|
+
}
|
1022
|
+
END
|
1023
|
+
events.map{|event| event.gsub(/\s+/, "")}
|
1024
|
+
end
|
1025
|
+
|
1026
|
+
it "should decode raw data" do
|
1027
|
+
expect(decode.size).to eq(2)
|
1028
|
+
expect(decode[0].get("[netflow][total_bytes_exp]")).to eq(6871319015)
|
1029
|
+
expect(decode[1].get("[netflow][ipv4_src_addr]")).to eq("192.168.99.7")
|
1030
|
+
end
|
1031
|
+
|
1032
|
+
it "should serialize to json" do
|
1033
|
+
expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
|
1034
|
+
expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[1]))
|
1035
|
+
end
|
1036
|
+
|
1037
|
+
end
|
1038
|
+
|
969
1039
|
context "Netflow 9 Streamcore" do
|
970
1040
|
let(:data) do
|
971
1041
|
packets = []
|
@@ -1741,6 +1811,54 @@ describe LogStash::Codecs::Netflow do
|
|
1741
1811
|
end
|
1742
1812
|
end
|
1743
1813
|
|
1814
|
+
context "IPFIX Barracuda firewall" do
|
1815
|
+
let(:data) do
|
1816
|
+
packets = []
|
1817
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_barracuda_tpl.dat"), :mode => "rb")
|
1818
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_barracuda_data256.dat"), :mode => "rb")
|
1819
|
+
end
|
1820
|
+
|
1821
|
+
let(:json_events) do
|
1822
|
+
events = []
|
1823
|
+
events << <<-END
|
1824
|
+
{
|
1825
|
+
"netflow": {
|
1826
|
+
"destinationIPv4Address": "10.99.168.140",
|
1827
|
+
"octetTotalCount": 113,
|
1828
|
+
"destinationTransportPort": 50294,
|
1829
|
+
"flowStartSysUpTime": 2395374954,
|
1830
|
+
"sourceIPv4Address": "10.98.243.20",
|
1831
|
+
"flowEndSysUpTime": 2395395322,
|
1832
|
+
"flowDurationMilliseconds": 20368,
|
1833
|
+
"ingressInterface": 41874,
|
1834
|
+
"version": 10,
|
1835
|
+
"packetDeltaCount": 1,
|
1836
|
+
"firewallEvent": 2,
|
1837
|
+
"protocolIdentifier": 17,
|
1838
|
+
"sourceMacAddress": "00:00:00:00:00:00",
|
1839
|
+
"egressInterface": 48660,
|
1840
|
+
"octetDeltaCount": 113,
|
1841
|
+
"sourceTransportPort": 53,
|
1842
|
+
"packetTotalCount": 1
|
1843
|
+
},
|
1844
|
+
"@timestamp": "2017-06-29T13:58:28.000Z",
|
1845
|
+
"@version": "1"
|
1846
|
+
}
|
1847
|
+
END
|
1848
|
+
events.map{|event| event.gsub(/\s+/, "")}
|
1849
|
+
end
|
1850
|
+
|
1851
|
+
it "should decode raw data" do
|
1852
|
+
expect(decode.size).to eq(8)
|
1853
|
+
expect(decode[7].get("[netflow][firewallEvent]")).to eq(2)
|
1854
|
+
end
|
1855
|
+
|
1856
|
+
it "should serialize to json" do
|
1857
|
+
expect(JSON.parse(decode[7].to_json)).to eq(JSON.parse(json_events[0]))
|
1858
|
+
end
|
1859
|
+
end
|
1860
|
+
|
1861
|
+
|
1744
1862
|
|
1745
1863
|
|
1746
1864
|
end
|
@@ -1779,7 +1897,7 @@ describe LogStash::Codecs::Netflow, 'missing templates, no template caching conf
|
|
1779
1897
|
end
|
1780
1898
|
|
1781
1899
|
it "should report missing templates" do
|
1782
|
-
expect(logger).to receive(:warn).with(/
|
1900
|
+
expect(logger).to receive(:warn).with(/Can't \(yet\) decode flowset id/)
|
1783
1901
|
decode[0]
|
1784
1902
|
end
|
1785
1903
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-netflow
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.5.
|
4
|
+
version: 3.5.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-07-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logstash-core-plugin-api
|
@@ -116,10 +116,15 @@ files:
|
|
116
116
|
- spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
|
117
117
|
- spec/codecs/netflow9_test_cisco_wlc_tpl.dat
|
118
118
|
- spec/codecs/netflow9_test_cisco_wlc_data261.dat
|
119
|
+
- spec/codecs/ipfix_test_barracuda_tpl.dat
|
120
|
+
- spec/codecs/ipfix_test_barracuda_data256.dat
|
121
|
+
- spec/codecs/netflow9_test_fortigate_fortios_521_data257.dat
|
119
122
|
- spec/codecs/netflow_spec.rb
|
123
|
+
- spec/codecs/netflow9_test_fortigate_fortios_521_tpl.dat
|
124
|
+
- spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat
|
120
125
|
- logstash-codec-netflow.gemspec
|
121
|
-
- CHANGELOG.md
|
122
126
|
- README.md
|
127
|
+
- CHANGELOG.md
|
123
128
|
- CONTRIBUTORS
|
124
129
|
- Gemfile
|
125
130
|
- LICENSE
|
@@ -197,4 +202,9 @@ test_files:
|
|
197
202
|
- spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
|
198
203
|
- spec/codecs/netflow9_test_cisco_wlc_tpl.dat
|
199
204
|
- spec/codecs/netflow9_test_cisco_wlc_data261.dat
|
205
|
+
- spec/codecs/ipfix_test_barracuda_tpl.dat
|
206
|
+
- spec/codecs/ipfix_test_barracuda_data256.dat
|
207
|
+
- spec/codecs/netflow9_test_fortigate_fortios_521_data257.dat
|
200
208
|
- spec/codecs/netflow_spec.rb
|
209
|
+
- spec/codecs/netflow9_test_fortigate_fortios_521_tpl.dat
|
210
|
+
- spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat
|