logstash-codec-netflow 3.11.4 → 3.12.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/CONTRIBUTORS +1 -0
- data/RFC_COMPLIANCE_IPFIX.md +5 -4
- data/docs/index.asciidoc +1 -0
- data/lib/logstash/codecs/netflow/ipfix.yaml +139 -0
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/ipfix_test_procera_data52935.dat +0 -0
- data/spec/codecs/ipfix_test_procera_tpl52935.dat +0 -0
- data/spec/codecs/netflow_spec.rb +58 -0
- metadata +6 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 23d7c5f0b11a7d4e1f1ec188639527e182eb0361
|
4
|
+
data.tar.gz: 40ff5c0a2e481c785649b7cac4df8f94f7bf2aff
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c07ea4ed3c53ff4147ac122cd065c002ce6e4361817de65122b129a6eee159754322e93b4b4f3bd109435a049d59221a58757f225c621cfebe1db5744b101d90
|
7
|
+
data.tar.gz: f2ea2d25ef1f77e7ad3e29ae4f343630124ec209f5adb7e1cdc676f6a6583fea172ccfc3157611915a8e3f4d85c2edc2ac14e96bba5180e09420a6bd88683a39
|
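Review bot: checksums.yaml still carries a SHA1 digest next to the SHA512 one for both metadata.gz and data.tar.gz; since SHA1 is no longer collision-resistant, anyone verifying this 3.12.0 package should compare the SHA512 lines, and the release notes could say so. Nothing else to review in this hunk, the values are regenerated by the gem build.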
data/CHANGELOG.md
CHANGED
data/CONTRIBUTORS
CHANGED
data/RFC_COMPLIANCE_IPFIX.md
CHANGED
@@ -4,7 +4,7 @@ The level of RFC compliance reached for collector-relevant requirements:
|
|
4
4
|
|
5
5
|
| RFC | Level |
|
6
6
|
|-----------|----------------------------------------------|
|
7
|
-
| RFC 7011 |
|
7
|
+
| RFC 7011 | 42% of RFC "MUST" requirements implemented |
|
8
8
|
| RFC 7011 | 19% of RFC "SHOULD" requirements implemented |
|
9
9
|
| RFC 7012 | 83% of IE data types supported
|
10
10
|
| RFC 7012 | 90% of IEs supported
|
@@ -20,9 +20,9 @@ Summary of collector-relevant requirements implemented versus the total collecto
|
|
20
20
|
| 3. IPFIX message format | 2/2 | 0/2 | |
|
21
21
|
| 4. Specific reporting requirements | 0/1 | | |
|
22
22
|
| 5. Timing considerations | | 0/2 | |
|
23
|
-
| 6. Linkage with the Information Model | | 0/1 |
|
23
|
+
| 6. Linkage with the Information Model | | 0/1 | 0/1 |
|
24
24
|
| 7. Variable Length IE | | | |
|
25
|
-
| 8. Template management |
|
25
|
+
| 8. Template management | 3/9 | 1/5 | 1/2 |
|
26
26
|
| 9. The collecting process's side | 4/5 | 1/3 | 0/4 |
|
27
27
|
| 10. Transport protocol | 5/8 | 1/3 | 3/3 |
|
28
28
|
| 11. Security considerations | 0/8 | 1/5 | 2/3 |
|
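Review bot: row 8 "Template management" now reports 3/9 MUST, but the detailed Section 8 table in the later hunk of this file shows only two of its visible MUST rows as YES (store Templates for the session; do not assume Data Set and Template Set arrive in the same Message) and four as NO, so the third YES must come from a row outside this diff; please double-check the tally. Row 6 gets a MAY value of 0/1 while row 7 "Variable Length IE" stays entirely blank, and the two conventions read differently ("not assessed" versus "0 of n"), so one should be chosen for the whole table.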
@@ -102,6 +102,7 @@ The tables below detail the collector-relevant requirements, and whether or not
|
|
102
102
|
| Requirement |MUST |SHOULD| MAY|
|
103
103
|
|---------------------------------------|-----|-----|-----|
|
104
104
|
| 6.1.6 Collecting Processes SHOULD detect and ignore IPFIX Messages containing ill-formed UTF-8 string values for Information Elements | | NO | |
|
105
|
+
| 6.2. Reduced-size encoding of signed, unsigned, or float data types | | | NO |
|
105
106
|
|
106
107
|
### 8. Template Management
|
107
108
|
|
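Review bot: the new "6.2 Reduced-size encoding" row records NO without saying what the codec does when a Template field length is smaller than the IE's declared size (reject the template, or decode with the declared size); operators reading this table need the failure mode, not only the flag. The neighbouring 6.1.6 row (detect and ignore Messages with ill-formed UTF-8 string values) is also NO, which becomes more relevant in this release because the Procera additions are mostly string IEs fed by HTTP headers.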
@@ -110,7 +111,7 @@ The tables below detail the collector-relevant requirements, and whether or not
|
|
110
111
|
|8. The Collecting Process MUST store all received Template Record information for the duration of each Transport Session until reuse or withdrawal as described in Section 8.1, or expiry over UDP as described in Section 8.4, so that it can interpret the corresponding Data Records.| YES | | |
|
111
112
|
|8. The Collecting Process MUST NOT assume that the Template IDs from a given Exporting Process refer to the same Templates as they did in previous Transport Sessions from the same Exporting Process| NO | | |
|
112
113
|
|8. Collecting Process MUST NOT use Templates from one Transport Session to decode Data Sets in a subsequent Transport Session.| NO | | |
|
113
|
-
|8. Collecting Processes MUST properly handle Templates with multiple identical Information Elements.|
|
114
|
+
|8. Collecting Processes MUST properly handle Templates with multiple identical Information Elements.| NO | | |
|
114
115
|
|8. a Collecting Process MUST NOT assume that the Data Set and the associated Template Set (or Options Template Set) are exported in the same IPFIX Message| YES | | |
|
115
116
|
|8. Though a Collecting Process normally receives Template Records from the Exporting Process before receiving Data Records, this is not always the case, e.g., in the case of reordering or Collecting Process restart over UDP. In these cases, the Collecting Process MAY buffer Data Records for which it has no Templates, to wait for Template Records describing them; however, note that in the presence of Template withdrawal and redefinition (Section 8.1) this may lead to incorrect interpretation of Data Records.| | | NO |
|
116
117
|
| 8.Different Observation Domains within a Transport Session MAY use the same Template ID value to refer to different Templates; Collecting Processes MUST properly handle this case.| NO | | |
|
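Review bot: filling in "NO" for "Collecting Processes MUST properly handle Templates with multiple identical Information Elements" documents a parsing gap rather than closing it; a Template that legitimately repeats an IE is untrusted exporter input the collector has to cope with, so the row should link a tracking issue or state what happens today when such a Template arrives (record skipped, last value wins, decode error) so the behaviour is at least predictable for operators.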
data/docs/index.asciidoc
CHANGED
@@ -52,6 +52,7 @@ The following Netflow/IPFIX exporters are known to work with the most recent ver
|
|
52
52
|
|nProbe | y | y | y | L7 DPI fields now also supported
|
53
53
|
|Nokia BRAS | | | y |
|
54
54
|
|OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
|
55
|
+
|Sandvine Procera PacketLogic| | | y | v15.1
|
55
56
|
|Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd
|
56
57
|
|Streamcore Streamgroomer | | y | |
|
57
58
|
|Palo Alto PAN-OS | | y | |
|
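Review bot: the new "Sandvine Procera PacketLogic" row leaves the Netflow v5 and v9 columns blank, while the OpenBSD pflow row two lines above uses "n" for an unsupported version; blank and "n" are read as "not tested" versus "not supported", so the row should use whichever the table intends. The trailing "v15.1" would be clearer as "tested with v15.1", matching the ipfix.yaml comment that versions 16/17+ may carry further fields.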
@@ -3632,3 +3632,142 @@
|
|
3632
3632
|
4321:
|
3633
3633
|
- :uint64
|
3634
3634
|
- :viptelaVPNId
|
3635
|
+
# List below taken from Procera PacketLogic product guide 15.1 - Not publicly available AFAIK
|
3636
|
+
# Further updates / additional fields may be present with versions 16/17+
|
3637
|
+
15397:
|
3638
|
+
1:
|
3639
|
+
- :string
|
3640
|
+
- :proceraService
|
3641
|
+
2:
|
3642
|
+
- :string
|
3643
|
+
- :proceraBaseService
|
3644
|
+
3:
|
3645
|
+
- :uint64
|
3646
|
+
- :proceraIncomingOctets
|
3647
|
+
4:
|
3648
|
+
- :uint64
|
3649
|
+
- :proceraOutgoingOctets
|
3650
|
+
5:
|
3651
|
+
- :uint64
|
3652
|
+
- :proceraIncomingPackets
|
3653
|
+
6:
|
3654
|
+
- :uint64
|
3655
|
+
- :proceraOutgoingPackets
|
3656
|
+
7:
|
3657
|
+
- :uint16
|
3658
|
+
- :proceraIncomingShapingLatency
|
3659
|
+
8:
|
3660
|
+
- :uint16
|
3661
|
+
- :proceraOutgoingShapingLatency
|
3662
|
+
9:
|
3663
|
+
- :uint32
|
3664
|
+
- :proceraIncomingShapingDrops
|
3665
|
+
10:
|
3666
|
+
- :uint32
|
3667
|
+
- :proceraOutgoingShapingDrops
|
3668
|
+
11:
|
3669
|
+
- :int32
|
3670
|
+
- :proceraInternalRtt
|
3671
|
+
12:
|
3672
|
+
- :int32
|
3673
|
+
- :proceraExternalRtt
|
3674
|
+
15:
|
3675
|
+
- :string
|
3676
|
+
- :proceraFlowBehavior
|
3677
|
+
16:
|
3678
|
+
- :string
|
3679
|
+
- :proceraContentCategories
|
3680
|
+
17:
|
3681
|
+
- :string
|
3682
|
+
- :proceraProperty
|
3683
|
+
18:
|
3684
|
+
- :string
|
3685
|
+
- :proceraServerHostname
|
3686
|
+
19:
|
3687
|
+
- :string
|
3688
|
+
- :proceraHttpRequestMethod
|
3689
|
+
20:
|
3690
|
+
- :string
|
3691
|
+
- :proceraHttpUserAgent
|
3692
|
+
21:
|
3693
|
+
- :string
|
3694
|
+
- :proceraHttpContentType
|
3695
|
+
22:
|
3696
|
+
- :string
|
3697
|
+
- :proceraHttpUrl
|
3698
|
+
23:
|
3699
|
+
- :string
|
3700
|
+
- :proceraHttpReferer
|
3701
|
+
24:
|
3702
|
+
- :uint16
|
3703
|
+
- :proceraHttpResponseStatus
|
3704
|
+
25:
|
3705
|
+
- :uint32
|
3706
|
+
- :proceraHttpFileLength
|
3707
|
+
26:
|
3708
|
+
- :string
|
3709
|
+
- :proceraHttpLocation
|
3710
|
+
27:
|
3711
|
+
- :string
|
3712
|
+
- :proceraHttpLanguage
|
3713
|
+
28:
|
3714
|
+
- :string
|
3715
|
+
- :proceraSubscriberIdentifier
|
3716
|
+
29:
|
3717
|
+
- :uint64
|
3718
|
+
- :proceraMsisdn
|
3719
|
+
30:
|
3720
|
+
- :uint64
|
3721
|
+
- :proceraImsi
|
3722
|
+
31:
|
3723
|
+
- :string
|
3724
|
+
- :proceraRat
|
3725
|
+
32:
|
3726
|
+
- :uint64
|
3727
|
+
- :proceraDeviceId
|
3728
|
+
33:
|
3729
|
+
- :string
|
3730
|
+
- :proceraSgsn
|
3731
|
+
34:
|
3732
|
+
- :uint16
|
3733
|
+
- :proceraRnc
|
3734
|
+
35:
|
3735
|
+
- :string
|
3736
|
+
- :proceraApn
|
3737
|
+
36:
|
3738
|
+
- :string
|
3739
|
+
- :proceraUserLocationInformation
|
3740
|
+
37:
|
3741
|
+
- :string
|
3742
|
+
- :proceraGgsn
|
3743
|
+
38:
|
3744
|
+
- :float32
|
3745
|
+
- :proceraQoeIncomingInternal
|
3746
|
+
39:
|
3747
|
+
- :float32
|
3748
|
+
- :proceraQoeIncomingExternal
|
3749
|
+
40:
|
3750
|
+
- :float32
|
3751
|
+
- :proceraQoeOutgoingInternal
|
3752
|
+
41:
|
3753
|
+
- :float32
|
3754
|
+
- :proceraQoeOutgoingExternal
|
3755
|
+
42:
|
3756
|
+
- :ip4_addr
|
3757
|
+
- :proceraLocalIPv4Host
|
3758
|
+
43:
|
3759
|
+
- :ip6_addr
|
3760
|
+
- :proceraLocalIPv6Host
|
3761
|
+
44:
|
3762
|
+
- :ip4_addr
|
3763
|
+
- :proceraRemoteIPv4Host
|
3764
|
+
45:
|
3765
|
+
- :ip6_addr
|
3766
|
+
- :proceraRemoteIPv6Host
|
3767
|
+
46:
|
3768
|
+
- :string
|
3769
|
+
- :proceraHttpRequestVersion
|
3770
|
+
47:
|
3771
|
+
- :string
|
3772
|
+
- :proceraTemplateName
|
3773
|
+
|
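Review bot: proceraSubscriberIdentifier (28), proceraMsisdn (29), proceraImsi (30), proceraDeviceId (32) and proceraUserLocationInformation (36) are subscriber-identifying fields that the codec will now emit into events verbatim; the docs entry for this exporter should flag them so pipeline operators know to drop or mask them before indexing. The header comment says the list comes from a product guide that is "not publicly available", so the type choices (for example proceraRnc as :uint16 and proceraMsisdn as :uint64) cannot be checked against a public reference; naming the capture in spec/codecs/ipfix_test_procera_tpl52935.dat as the basis would help, and IDs 13 and 14 are skipped between proceraExternalRtt (12) and proceraFlowBehavior (15) without a comment saying whether that is deliberate. Minor: the hunk adds a trailing empty line at the end of the file.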
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
4
|
-
s.version = '3.
|
4
|
+
s.version = '3.12.0'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Reads Netflow v5, Netflow v9 and IPFIX data"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
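Review bot: the bump to '3.12.0' is a minor-version increment that matches the metadata hunk, which is right for a change that only adds a new enterprise template set. The CHANGELOG.md change listed in the file summary (+4 -0) is not rendered here, so the release entry describing the Procera support cannot be checked against this version string on this page.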
Binary file
|
Binary file
|
data/spec/codecs/netflow_spec.rb
CHANGED
@@ -1027,6 +1027,64 @@ describe LogStash::Codecs::Netflow do
|
|
1027
1027
|
|
1028
1028
|
end
|
1029
1029
|
|
1030
|
+
context "IPFIX Procera" do
|
1031
|
+
let(:data) do
|
1032
|
+
packets = []
|
1033
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_procera_tpl52935.dat"), :mode => "rb")
|
1034
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_procera_data52935.dat"), :mode => "rb")
|
1035
|
+
end
|
1036
|
+
|
1037
|
+
let(:json_events) do
|
1038
|
+
events = []
|
1039
|
+
events << <<-END
|
1040
|
+
{
|
1041
|
+
"@timestamp": "2018-04-15T03:30:00.000Z",
|
1042
|
+
"@version": "1",
|
1043
|
+
"netflow": {
|
1044
|
+
"proceraFlowBehavior": "INTERACTIVE,CLIENT_IS_LOCAL,INBOUND,ESTABLISHED,ACTIVE",
|
1045
|
+
"sourceIPv6Address": "::",
|
1046
|
+
"proceraOutgoingOctets": 3310,
|
1047
|
+
"sourceTransportPort": 33689,
|
1048
|
+
"destinationIPv6Address": "::",
|
1049
|
+
"destinationTransportPort": 179,
|
1050
|
+
"flowStartSeconds": "2018-04-15T03:25:00.000Z",
|
1051
|
+
"proceraHttpContentType": "",
|
1052
|
+
"proceraContentCategories": "",
|
1053
|
+
"proceraSubscriberIdentifier": "",
|
1054
|
+
"proceraTemplateName": "IPFIX",
|
1055
|
+
"proceraHttpLocation": "",
|
1056
|
+
"protocolIdentifier": 6,
|
1057
|
+
"sourceIPv4Address": "138.44.161.14",
|
1058
|
+
"flowEndSeconds": "2018-04-15T03:30:00.000Z",
|
1059
|
+
"version": 10,
|
1060
|
+
"proceraBaseService": "BGP-4",
|
1061
|
+
"bgpSourceAsNumber": 7575,
|
1062
|
+
"proceraIncomingOctets": 7076,
|
1063
|
+
"bgpDestinationAsNumber": 7575,
|
1064
|
+
"proceraHttpUrl": "",
|
1065
|
+
"proceraService": "BGP-4",
|
1066
|
+
"proceraHttpFileLength": 0,
|
1067
|
+
"destinationIPv4Address": "138.44.161.13"
|
1068
|
+
}
|
1069
|
+
}
|
1070
|
+
END
|
1071
|
+
|
1072
|
+
events.map{|event| event.gsub(/\s+/, "")}
|
1073
|
+
end
|
1074
|
+
|
1075
|
+
it "should decode raw data" do
|
1076
|
+
expect(decode.size).to eq(8)
|
1077
|
+
expect(decode[7].get("[netflow][sourceIPv4Address]")).to eq("138.44.161.14")
|
1078
|
+
expect(decode[7].get("[netflow][proceraBaseService]")).to eq("BGP-4")
|
1079
|
+
expect(decode[7].get("[netflow][proceraFlowBehavior]")).to eq("INTERACTIVE,CLIENT_IS_LOCAL,INBOUND,ESTABLISHED,ACTIVE")
|
1080
|
+
end
|
1081
|
+
|
1082
|
+
it "should serialize to json" do
|
1083
|
+
expect(JSON.parse(decode[7].to_json)).to eq(JSON.parse(json_events[0]))
|
1084
|
+
end
|
1085
|
+
|
1086
|
+
end
|
1087
|
+
|
1030
1088
|
|
1031
1089
|
|
1032
1090
|
context "Netflow 9 Ubiquiti Edgerouter with MPLS labels" do
|
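Review bot: "should decode raw data" asserts only the event count (8) and three fields of decode[7], so the seven earlier records decoded from ipfix_test_procera_data52935.dat are never inspected and a regression that corrupts them would pass as long as the last record still decodes; suggest at least `decode.each { |e| expect(e.get("[netflow][version]")).to eq(10) }` or a field check on decode[0]. Likewise "should serialize to json" compares only decode[7] with json_events[0]. A short comment on the fixture's "sourceIPv6Address": "::" and "destinationIPv6Address": "::" next to the IPv4 addresses would save the next reader from reading the zero addresses as a decoding bug rather than what the exporter sends.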
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-netflow
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.12.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-04-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
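Review bot: cert_chain stays [] in the 3.12.0 metadata, so the gem is not signed with a gem certificate and installers can only check integrity against the SHA1/SHA512 values in checksums.yaml, which ship inside the package itself, not the publisher's identity; setting s.signing_key and s.cert_chain in the gemspec for future releases would close that gap. The date bump to 2018-04-15 matches the @timestamp used in the new spec fixture.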
@@ -91,6 +91,8 @@ files:
|
|
91
91
|
- spec/codecs/ipfix_test_nokia_bras_tpl.dat
|
92
92
|
- spec/codecs/ipfix_test_openbsd_pflow_data.dat
|
93
93
|
- spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
|
94
|
+
- spec/codecs/ipfix_test_procera_data52935.dat
|
95
|
+
- spec/codecs/ipfix_test_procera_tpl52935.dat
|
94
96
|
- spec/codecs/ipfix_test_viptela_data257.dat
|
95
97
|
- spec/codecs/ipfix_test_viptela_tpl257.dat
|
96
98
|
- spec/codecs/ipfix_test_vmware_vds_data264.dat
|
@@ -199,6 +201,8 @@ test_files:
|
|
199
201
|
- spec/codecs/ipfix_test_nokia_bras_tpl.dat
|
200
202
|
- spec/codecs/ipfix_test_openbsd_pflow_data.dat
|
201
203
|
- spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
|
204
|
+
- spec/codecs/ipfix_test_procera_data52935.dat
|
205
|
+
- spec/codecs/ipfix_test_procera_tpl52935.dat
|
202
206
|
- spec/codecs/ipfix_test_viptela_data257.dat
|
203
207
|
- spec/codecs/ipfix_test_viptela_tpl257.dat
|
204
208
|
- spec/codecs/ipfix_test_vmware_vds_data264.dat
|