logstash-codec-netflow 4.0.2 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c084b2195cdbabfc99579731def8db53f698c55f
-  data.tar.gz: 29cc163ea5580dfd7b1ee509284d0bbb7dd50892
+  metadata.gz: 07fee1cda04c3df1a3d1d2cb41fe75d6d4e10846
+  data.tar.gz: 2dffcb11a2b8655606f14ffdd1994fb743f9e6de
 SHA512:
-  metadata.gz: 3d667327d46d640196d68ed90664f1af9eb257e0a0768f9f7bb548483a7de3fa29561db84cd6e09a5e5be26e1dd11c7d9a42d18df82348c40ba883e17283ce64
-  data.tar.gz: 87d7ff7dc82dae754633f58849c4a08beae62722cdb24b2eba6fe5d3fc94c19f3ddb1e6ffbcd046b6044560be74e7784aa434b20331ab8a26c7f9c2765b9657d
+  metadata.gz: f8aa23631113354571dd439f42fa626199a965c4b87d92a98dd7cb2c0e82c7bc86ea379bd5eaab1c1f4adecb6df53dcd2aa3c951d8499abd6b418354acbf0791
+  data.tar.gz: 7b2dcdd89fd40653fc543c12f0b40bf6119b3a219cbb650f879a0dcda8abac5096b6d3f24192e2b2ceb9836b7b6056562eae4a02e10becd5b3d5f320e5d78bc2

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 4.1.0
+
+  - Added support for Netflow v9 devices with VarString fields (H3C Netstream)
+
 ## 4.0.2
 
   - Fixed incorrect parsing of zero-filled Netflow 9 packets from Palo Alto

data/lib/logstash/codecs/netflow.rb

@@ -545,7 +545,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
         when :skip
           field += [nil, {:length => length.to_i}]
         when :string
-          field += [{:length => length.to_i, :trim_padding => true}]
+          field = string_field(field, type, length.to_i)
         end
 
         @logger.debug? and @logger.debug("Field definition complete for template #{template_id}", :field => field)

data/logstash-codec-netflow.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-netflow'
-  s.version         = '4.0.2'
+  s.version         = '4.1.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads Netflow v5, Netflow v9 and IPFIX data"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/spec/codecs/netflow_spec.rb

@@ -1156,6 +1156,71 @@ describe LogStash::Codecs::Netflow do
 
   end
 
+  context "Netflow 9 H3C Netstream with varstring" do
+    let(:data) do
+      packets = []
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_h3c_netstream_varstring_tpl3281.dat"), :mode => "rb")
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_h3c_netstream_varstring_data3281.dat"), :mode => "rb")
+    end
+
+    let(:json_events) do
+      events = []
+      events << <<-END
+      {
+        "@version": "1",
+        "@timestamp": "2018-07-18T01:35:35.000Z",
+        "netflow": {
+          "in_pkts": 9,
+          "last_switched": "2018-07-18T01:35:03.999Z",
+          "direction": 0,
+          "first_switched": "2018-07-18T01:34:34.999Z",
+          "ipv4_dst_addr": "20.20.255.255",
+          "src_tos": 0,
+          "ipv4_src_addr": "20.20.20.20",
+          "output_snmp": 0,
+          "protocol": 17,
+          "l4_src_port": 137,
+          "ipv4_next_hop": "0.0.0.0",
+          "flowset_id": 3281,
+          "l4_dst_port": 137,
+          "input_snmp": 17,
+          "ip_protocol_version": 4,
+          "version": 9,
+          "sampling_algorithm": 0,
+          "forwarding_status": {
+            "status": 0,
+            "reason": 0
+          },
+          "tcp_flags": 0,
+          "sampling_interval": 0,
+          "flow_seq_num": 133,
+          "dst_traffic_index": 4294967295,
+          "src_mask": 32,
+          "src_as": 0,
+          "dst_as": 0,
+          "dst_mask": 32,
+          "VRFname": "",
+          "in_bytes": 702,
+          "src_traffic_index": 0
+        }
+      }
+      END
+      events.map{|event| event.gsub(/\s+/, "")}
+    end
+
+    it "should decode raw data" do
+      expect(decode.size).to eq(1)
+      expect(decode[0].get("[netflow][VRFname]")).to eq("")
+      expect(decode[0].get("[netflow][l4_src_port]")).to eq(137)
+    end
+
+    it "should serialize to json" do
+      expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+    end
+
+  end
+
+
   context "Netflow 9 Fortigate FortiOS 54x appid" do
     let(:data) do
       packets = []

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-netflow
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 4.1.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-06-24 00:00:00.000000000 Z
+date: 2018-07-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -143,6 +143,8 @@ files:
 - spec/codecs/netflow9_test_fortigate_fortios_542_appid_data258_262.dat
 - spec/codecs/netflow9_test_fortigate_fortios_542_appid_tpl258-269.dat
 - spec/codecs/netflow9_test_h3c_data3281.dat
+- spec/codecs/netflow9_test_h3c_netstream_varstring_data3281.dat
+- spec/codecs/netflow9_test_h3c_netstream_varstring_tpl3281.dat
 - spec/codecs/netflow9_test_h3c_tpl3281.dat
 - spec/codecs/netflow9_test_huawei_netstream_data.dat
 - spec/codecs/netflow9_test_huawei_netstream_tpl.dat
@@ -265,6 +267,8 @@ test_files:
 - spec/codecs/netflow9_test_fortigate_fortios_542_appid_data258_262.dat
 - spec/codecs/netflow9_test_fortigate_fortios_542_appid_tpl258-269.dat
 - spec/codecs/netflow9_test_h3c_data3281.dat
+- spec/codecs/netflow9_test_h3c_netstream_varstring_data3281.dat
+- spec/codecs/netflow9_test_h3c_netstream_varstring_tpl3281.dat
 - spec/codecs/netflow9_test_h3c_tpl3281.dat
 - spec/codecs/netflow9_test_huawei_netstream_data.dat
 - spec/codecs/netflow9_test_huawei_netstream_tpl.dat