logstash-codec-netflow 4.0.0 → 4.0.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/logstash/codecs/netflow.rb +4 -0
- data/lib/logstash/codecs/netflow/util.rb +2 -1
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_data512.dat +0 -0
- data/spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat +0 -0
- data/spec/codecs/netflow_spec.rb +45 -0
- metadata +6 -2
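--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 02d79c8d4e3e6e62b887d17e9161f30bdce7b397
+data.tar.gz: ea75c8b08e31ab585ef4c47f06aefff54e23c75f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dc7647f8b95859bccc245a83d991f7d757b5a34a86e6c8b2c4d407d61994fafd322da4628a2a6108d283e226cfc9b1f5ff38626952177af255dc34717b52de8d
+data.tar.gz: 9a2627caa77a373b0a5223df7e6c2bd1a1f19340a515f4488f5129f409484ed39360a219561b8a1afec36e13bc0f87a47013190ab92995caf5dd30d7f2d76761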
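--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 4.0.1
+
+- Fixed IPFIX options template parsing for Juniper MX240 JunOS 15.1
+
 ## 4.0.0
 
 - Added support for RFC6759 decoding of application_id. **This is a breaking change to the way application_id is decoded. The format changes from e.g. 0:40567 to 0..12356..40567**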
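--- a/data/lib/logstash/codecs/netflow.rb
+++ b/data/lib/logstash/codecs/netflow.rb
@@ -102,6 +102,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
 end # def register
 
 def decode(payload, metadata = nil, &block)
+# BinData::trace_reading do
 header = Header.read(payload)
 
 unless @versions.include?(header.version)
@@ -126,13 +127,16 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
 # end
 end
 elsif header.version == 10
+# BinData::trace_reading do
 flowset = IpfixPDU.read(payload)
 flowset.records.each do |record|
 decode_ipfix(flowset, record).each { |event| yield(event) }
 end
+# end
 else
 @logger.warn("Unsupported Netflow version v#{header.version}")
 end
+# end
 rescue BinData::ValidityError, IOError => e
 @logger.warn("Invalid netflow packet received (#{e})")
 end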
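Review bot: The four added lines are commented-out `# BinData::trace_reading do` / `# end` pairs in `decode`, and shipping this disabled debug scaffolding makes the block structure harder to follow, because the bare `# end` comments read like real block terminators. If the hint is worth keeping, one comment above `Header.read(payload)` is enough, for example `# Debug aid: wrap the body in BinData::trace_reading { ... } to trace field-by-field parsing`. Tracing prints decoded packet fields, so it should remain a developer-only aid rather than something switched on for a production listener. The middle of `decode` lies between the two hunks and is not visible here.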
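--- a/data/lib/logstash/codecs/netflow/util.rb
+++ b/data/lib/logstash/codecs/netflow/util.rb
@@ -443,7 +443,7 @@ end
 
 class IpfixOptionFlowset < BinData::Record
 endian :big
-array :templates, :read_until => lambda { flowset_length - 4
+array :templates, :read_until => lambda { flowset_length - 4 } do
 uint16 :template_id
 uint16 :field_count
 uint16 :scope_count, :assert => lambda { scope_count > 0 }
@@ -459,6 +459,7 @@ class IpfixOptionFlowset < BinData::Record
 uint16 :field_length
 uint32 :enterprise_id, :onlyif => lambda { enterprise != 0 }
 end
+string :padding, :read_length => lambda { flowset_length - 4 - 2 - 2 - 2 - scope_fields.num_bytes - option_fields.num_bytes }
 end
 end
 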
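Review bot: The new `:read_length` lambda for `padding` has no lower bound: it subtracts the parsed field sizes from `flowset_length`, which is presumably the length field read from the received packet, so a flowset that declares a length shorter than its scope and option fields yields a negative read length. How BinData handles a negative length is not visible here, but the `rescue BinData::ValidityError, IOError` in `decode` would not catch an `ArgumentError`. It is worth either rejecting the record when the remainder is negative or clamping it: `:read_length => lambda { [flowset_length - 4 - 2 - 2 - 2 - scope_fields.num_bytes - option_fields.num_bytes, 0].max }`. As rendered, the `:read_until` lambda on `templates` returns an Integer, which is always truthy in Ruby, so the array stops after one template and `padding` absorbs any further templates in the same set; a comment stating that single-template assumption would help. Parts of the record body lie between the two hunks and are not shown.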
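--- a/data/logstash-codec-netflow.gemspec
+++ b/data/logstash-codec-netflow.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
 s.name = 'logstash-codec-netflow'
-s.version = '4.0.
+s.version = '4.0.1'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Reads Netflow v5, Netflow v9 and IPFIX data"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"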
Binary file
|
Binary file
|
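--- a/data/spec/codecs/netflow_spec.rb
+++ b/data/spec/codecs/netflow_spec.rb
@@ -1161,6 +1161,51 @@ describe LogStash::Codecs::Netflow do
 
 end
 
+context "IPFIX options template from Juniper MX240 JunOS 15.1 R6 S3" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_juniper_mx240_junos151r6s3_data512.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"@timestamp": "2018-06-01T15:11:53.000Z",
+"@version": "1",
+"netflow": {
+"exportProtocolVersion": 10,
+"exportingProcessId": 2,
+"flowActiveTimeout": 60,
+"exportTransportProtocol": 17,
+"flowIdleTimeout": 60,
+"exportedFlowRecordTotalCount": 76,
+"exportedMessageTotalCount": 76,
+"samplingInterval": 1000,
+"exporterIPv6Address": "::",
+"systemInitTimeMilliseconds": 1262761598000,
+"version": 10,
+"exporterIPv4Address": "10.0.0.1"
+}
+}
+END
+
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(1)
+expect(decode[0].get("[netflow][exporterIPv4Address]")).to eq("10.0.0.1")
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+end
+
+end
+
+
 context "IPFIX Nokia BRAS" do
 let(:data) do
 packets = []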
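Review bot: The new context feeds only the well-formed Juniper capture, so nothing pins what `decode` does when an options template set declares a `flowset_length` smaller than its scope and option fields, the case in which the `padding` length added in util.rb goes negative. Because this codec parses datagrams received from the network, a further `it` that passes a truncated or length-corrupted copy of the template packet and expects no exception and no events would guard the parser's failure path. As a minor style point, `File.binread(path)` states the intent of `IO.read(path, :mode => "rb")` more directly.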
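--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-netflow
 version: !ruby/object:Gem::Version
-version: 4.0.
+version: 4.0.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-
+date: 2018-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -85,6 +85,8 @@ files:
 - spec/codecs/ipfix_test_barracuda_extended_uniflow_data256.dat
 - spec/codecs/ipfix_test_barracuda_extended_uniflow_tpl256.dat
 - spec/codecs/ipfix_test_barracuda_tpl.dat
+- spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_data512.dat
+- spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat
 - spec/codecs/ipfix_test_mikrotik_data258.dat
 - spec/codecs/ipfix_test_mikrotik_data259.dat
 - spec/codecs/ipfix_test_mikrotik_tpl.dat
@@ -203,6 +205,8 @@ test_files:
 - spec/codecs/ipfix_test_barracuda_extended_uniflow_data256.dat
 - spec/codecs/ipfix_test_barracuda_extended_uniflow_tpl256.dat
 - spec/codecs/ipfix_test_barracuda_tpl.dat
+- spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_data512.dat
+- spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat
 - spec/codecs/ipfix_test_mikrotik_data258.dat
 - spec/codecs/ipfix_test_mikrotik_data259.dat
 - spec/codecs/ipfix_test_mikrotik_tpl.dat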