logstash-codec-netflow 3.2.1 → 3.2.2

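--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 8eed13d17d78bcdbbb2788a458fb2d6109e3dfce
- data.tar.gz: 3886e83de50aded411f7d5ee26832f56998fbd8b
+ metadata.gz: 05a98ccdb2cc8a75bdda0d5186e17385e4fbb3f2
+ data.tar.gz: e78c49964d3d50a6904895ec9329da7607dcfc81
  SHA512:
- metadata.gz: 15b4bacc7bb1d6263cb9ec4f67ea360b5c0686503ace7442a75b8da99090865cf2e6753cf43a465132b5b42b010afede5607e67ae19f7a78e07c67fd62735d07
- data.tar.gz: 7442867f8718b82330cb1a7c8592ea3c1367e14f1f12966a4db788a751d5a802638706a5c20ce7ccb8cd5e937cf65b210b90fae2c4dde0a5a089430608e17f83
+ metadata.gz: 84be91763bb7159eefb3f924176955deca396b95fbe09a189c1554d892bac06f34591b2147d91302964b29e69441753139e0f859bbc7741b99ec51ba38f0e642
+ data.tar.gz: a2530632510c75b0aa30a153f1f3f199a9c178777e376d2a9dcaf602140de9d866e94775b230e9955c6cbb0921e97aa6da9187d909830a85906b1f82b76b6531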
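--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+ ## 3.2.2
+
+ - Added support for VMware VDS IPFIX although field definitions are unknown
+
  ## 3.2.1
 
  - Fix/Refactor IPFIX microsecond/nanosecond interpretation (NTP Timestamp based)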
data/CONTRIBUTORS CHANGED
@@ -23,6 +23,7 @@ Contributors:
23
23
  * hhindlem
24
24
  * niempy
25
25
  * jstopinsek
26
+ * sliddjur
26
27
 
27
28
  Maintainer:
28
29
  * Jorrit Folmer (jorritfolmer)
@@ -1866,6 +1866,37 @@
1866
1866
  465:
1867
1867
  - :uint32
1868
1868
  - :netscalerUnknown465
1869
+ 6876:
1870
+ 880:
1871
+ - :uint8
1872
+ - :vmwareUnknown880
1873
+ 881:
1874
+ - :uint32
1875
+ - :vmwareUnknown881
1876
+ 882:
1877
+ - :uint32
1878
+ - :vmwareUnknown882
1879
+ 883:
1880
+ - :string
1881
+ - :vmwareUnknown883
1882
+ 884:
1883
+ - :string
1884
+ - :vmwareUnknown884
1885
+ 886:
1886
+ - :uint16
1887
+ - :vmwareUnknown886
1888
+ 887:
1889
+ - :uint16
1890
+ - :vmwareUnknown887
1891
+ 888:
1892
+ - :uint16
1893
+ - :vmwareUnknown888
1894
+ 889:
1895
+ - :uint8
1896
+ - :vmwareUnknown889
1897
+ 890:
1898
+ - :uint16
1899
+ - :vmwareUnknown890
1869
1900
  29305:
1870
1901
  1:
1871
1902
  - :uint64
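Review bot: Element 885 is missing from the new enterprise `6876:` block, which goes from `884:` straight to `886:`, so an exporter template that carries 885 would fall through to whatever the decoder does for an undefined enterprise field. Please confirm against the captured template whether that gap is intended. The changelog says the field definitions are unknown, so the widths chosen here (including `:string` for 883 and 884) are presumably inferred from observed template lengths. A comment above `6876:` would record that, for example `# VMware VDS (enterprise 6876): types inferred from captured templates, semantics unknown; do not build alerting on these values`. The file header for this hunk is missing from the page and the hunk starts and ends mid-mapping, so the neighbouring definitions cannot be checked from here.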
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-netflow'
4
- s.version = '3.2.1'
4
+ s.version = '3.2.2'
5
5
  s.licenses = ['Apache License (2.0)']
6
6
  s.summary = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
7
7
  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -1062,6 +1062,188 @@ describe LogStash::Codecs::Netflow do
1062
1062
  expect(JSON.parse(decode[2].to_json)).to eq(JSON.parse(json_events[0]))
1063
1063
  end
1064
1064
  end
1065
+
1066
+ context "IPFIX VMware virtual distributed switch" do
1067
+ let(:data) do
1068
+ packets = []
1069
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_tpl.dat"), :mode => "rb")
1070
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_data264.dat"), :mode => "rb")
1071
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_data266.dat"), :mode => "rb")
1072
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_vmware_vds_data266_267.dat"), :mode => "rb")
1073
+ end
1074
+
1075
+ let(:json_events) do
1076
+ events = []
1077
+ events << <<-END
1078
+ {
1079
+ "netflow": {
1080
+ "destinationIPv4Address": "172.18.65.211",
1081
+ "destinationTransportPort": 5985,
1082
+ "tcpControlBits": 2,
1083
+ "vmwareUnknown890": 1,
1084
+ "sourceIPv4Address": "172.18.65.21",
1085
+ "ingressInterface": 3,
1086
+ "ipClassOfService": 0,
1087
+ "version": 10,
1088
+ "packetDeltaCount": 2,
1089
+ "flowEndReason": 1,
1090
+ "protocolIdentifier": 6,
1091
+ "flowDirection": 1,
1092
+ "layer2SegmentId": 0,
1093
+ "egressInterface": 11,
1094
+ "octetDeltaCount": 100,
1095
+ "sourceTransportPort": 61209,
1096
+ "flowEndMilliseconds": "2016-12-22T12:17:37.000Z",
1097
+ "maximumTTL": 128,
1098
+ "vmwareUnknown888": 2,
1099
+ "flowStartMilliseconds": "2016-12-22T12:17:37.000Z",
1100
+ "vmwareUnknown889": 0
1101
+ },
1102
+ "@timestamp": "2016-12-22T12:17:52.000Z",
1103
+ "@version": "1"
1104
+ }
1105
+ END
1106
+
1107
+ events << <<-END
1108
+ {
1109
+ "netflow": {
1110
+ "destinationIPv4Address": "172.18.65.255",
1111
+ "destinationTransportPort": 138,
1112
+ "tcpControlBits": 0,
1113
+ "vmwareUnknown890": 1,
1114
+ "sourceIPv4Address": "172.18.65.91",
1115
+ "ingressInterface": 2,
1116
+ "ipClassOfService": 0,
1117
+ "version": 10,
1118
+ "packetDeltaCount": 1,
1119
+ "flowEndReason": 1,
1120
+ "protocolIdentifier": 17,
1121
+ "flowDirection": 1,
1122
+ "layer2SegmentId": 0,
1123
+ "egressInterface": 10,
1124
+ "octetDeltaCount": 229,
1125
+ "sourceTransportPort": 138,
1126
+ "flowEndMilliseconds": "2016-12-22T12:17:42.000Z",
1127
+ "maximumTTL": 128,
1128
+ "vmwareUnknown888": 2,
1129
+ "flowStartMilliseconds": "2016-12-22T12:17:42.000Z",
1130
+ "vmwareUnknown889": 0
1131
+ },
1132
+ "@timestamp": "2016-12-22T12:17:56.000Z",
1133
+ "@version": "1"
1134
+ }
1135
+ END
1136
+
1137
+ events << <<-END
1138
+ {
1139
+ "netflow": {
1140
+ "destinationIPv4Address": "172.18.65.255",
1141
+ "destinationTransportPort": 138,
1142
+ "tcpControlBits": 0,
1143
+ "vmwareUnknown890": 1,
1144
+ "sourceIPv4Address": "172.18.65.91",
1145
+ "ingressInterface": 3,
1146
+ "ipClassOfService": 0,
1147
+ "version": 10,
1148
+ "packetDeltaCount": 1,
1149
+ "flowEndReason": 1,
1150
+ "protocolIdentifier": 17,
1151
+ "flowDirection": 1,
1152
+ "layer2SegmentId": 0,
1153
+ "egressInterface": 11,
1154
+ "octetDeltaCount": 229,
1155
+ "sourceTransportPort": 138,
1156
+ "flowEndMilliseconds": "2016-12-22T12:17:42.000Z",
1157
+ "maximumTTL": 128,
1158
+ "vmwareUnknown888": 2,
1159
+ "flowStartMilliseconds": "2016-12-22T12:17:42.000Z",
1160
+ "vmwareUnknown889": 0
1161
+ },
1162
+ "@timestamp": "2016-12-22T12:17:56.000Z",
1163
+ "@version": "1"
1164
+ }
1165
+ END
1166
+
1167
+ events << <<-END
1168
+ {
1169
+ "netflow": {
1170
+ "destinationIPv4Address": "224.0.0.252",
1171
+ "destinationTransportPort": 5355,
1172
+ "tcpControlBits": 0,
1173
+ "vmwareUnknown890": 1,
1174
+ "sourceIPv4Address": "172.18.65.21",
1175
+ "ingressInterface": 3,
1176
+ "ipClassOfService": 0,
1177
+ "version": 10,
1178
+ "packetDeltaCount": 2,
1179
+ "flowEndReason": 1,
1180
+ "protocolIdentifier": 17,
1181
+ "flowDirection": 1,
1182
+ "layer2SegmentId": 0,
1183
+ "egressInterface": 11,
1184
+ "octetDeltaCount": 104,
1185
+ "sourceTransportPort": 61329,
1186
+ "flowEndMilliseconds": "2016-12-22T12:25:49.000Z",
1187
+ "maximumTTL": 1,
1188
+ "vmwareUnknown888": 2,
1189
+ "flowStartMilliseconds": "2016-12-22T12:25:49.000Z",
1190
+ "vmwareUnknown889": 0
1191
+ },
1192
+ "@timestamp": "2016-12-22T12:26:04.000Z",
1193
+ "@version": "1"
1194
+ }
1195
+ END
1196
+
1197
+ events << <<-END
1198
+ {
1199
+ "netflow": {
1200
+ "destinationTransportPort": 5355,
1201
+ "tcpControlBits": 0,
1202
+ "vmwareUnknown890": 1,
1203
+ "ingressInterface": 3,
1204
+ "ipClassOfService": 0,
1205
+ "version": 10,
1206
+ "packetDeltaCount": 2,
1207
+ "flowEndReason": 1,
1208
+ "sourceIPv6Address": "fe80::5187:5cd8:d750:cdc9",
1209
+ "protocolIdentifier": 17,
1210
+ "flowDirection": 1,
1211
+ "layer2SegmentId": 0,
1212
+ "egressInterface": 11,
1213
+ "octetDeltaCount": 144,
1214
+ "destinationIPv6Address": "ff02::1:3",
1215
+ "sourceTransportPort": 61329,
1216
+ "flowEndMilliseconds": "2016-12-22T12:25:49.000Z",
1217
+ "maximumTTL": 1,
1218
+ "vmwareUnknown888": 2,
1219
+ "flowStartMilliseconds": "2016-12-22T12:25:49.000Z",
1220
+ "vmwareUnknown889": 0
1221
+ },
1222
+ "@timestamp": "2016-12-22T12:26:04.000Z",
1223
+ "@version": "1"
1224
+ }
1225
+ END
1226
+ events.map{|event| event.gsub(/\s+/, "")}
1227
+ end
1228
+
1229
+ it "should decode raw data" do
1230
+ expect(decode.size).to eq(5)
1231
+ expect(decode[4].get("[netflow][sourceIPv6Address]")).to eq("fe80::5187:5cd8:d750:cdc9")
1232
+ expect(decode[4].get("[netflow][destinationIPv6Address]")).to eq("ff02::1:3")
1233
+ expect(decode[4].get("[netflow][octetDeltaCount]")).to eq(144)
1234
+ expect(decode[4].get("[netflow][destinationTransportPort]")).to eq(5355)
1235
+ end
1236
+
1237
+ it "should serialize to json" do
1238
+ expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
1239
+ expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[1]))
1240
+ expect(JSON.parse(decode[2].to_json)).to eq(JSON.parse(json_events[2]))
1241
+ expect(JSON.parse(decode[3].to_json)).to eq(JSON.parse(json_events[3]))
1242
+ expect(JSON.parse(decode[4].to_json)).to eq(JSON.parse(json_events[4]))
1243
+ end
1244
+
1245
+ end
1246
+
1065
1247
  end
1066
1248
 
1067
1249
  describe LogStash::Codecs::Netflow, 'missing templates, no template caching configured' do
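Review bot: The five expected events in the new "IPFIX VMware virtual distributed switch" context contain only `vmwareUnknown888`, `vmwareUnknown889` and `vmwareUnknown890`, so the other new definitions (880–884, 886, 887) are never decoded by this spec. That includes the two `:string` fields, 883 and 884, whose length handling is the part most likely to misparse data arriving from the network. If no capture carrying those elements is available, a comment above `let(:data)` would make the gap visible, for example `# fixtures exercise elements 888-890 only; 880-887 (incl. :string 883/884) are untested`. As a style point, the five repeated `expect(JSON.parse(decode[n].to_json))` lines could be one loop, `json_events.each_with_index { |json, i| expect(JSON.parse(decode[i].to_json)).to eq(JSON.parse(json)) }`. The enclosing `describe` block starts outside this hunk.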
@@ -1270,4 +1452,6 @@ describe LogStash::Codecs::Netflow, 'configured with include_flowset_id for ipfi
1270
1452
  expect(decode[1].get("[netflow][flowset_id]")).to eq(257)
1271
1453
  expect(decode[2].get("[netflow][flowset_id]")).to eq(258)
1272
1454
  end
1455
+
1456
+
1273
1457
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-codec-netflow
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.2.1
4
+ version: 3.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-12-21 00:00:00.000000000 Z
11
+ date: 2016-12-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement
@@ -81,6 +81,10 @@ files:
81
81
  - spec/codecs/ipfix_test_netscaler_tpl.dat
82
82
  - spec/codecs/ipfix_test_openbsd_pflow_data.dat
83
83
  - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
84
+ - spec/codecs/ipfix_test_vmware_vds_data264.dat
85
+ - spec/codecs/ipfix_test_vmware_vds_data266.dat
86
+ - spec/codecs/ipfix_test_vmware_vds_data266_267.dat
87
+ - spec/codecs/ipfix_test_vmware_vds_tpl.dat
84
88
  - spec/codecs/netflow5.dat
85
89
  - spec/codecs/netflow5_test_invalid01.dat
86
90
  - spec/codecs/netflow5_test_invalid02.dat
@@ -134,6 +138,10 @@ test_files:
134
138
  - spec/codecs/ipfix_test_netscaler_tpl.dat
135
139
  - spec/codecs/ipfix_test_openbsd_pflow_data.dat
136
140
  - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
141
+ - spec/codecs/ipfix_test_vmware_vds_data264.dat
142
+ - spec/codecs/ipfix_test_vmware_vds_data266.dat
143
+ - spec/codecs/ipfix_test_vmware_vds_data266_267.dat
144
+ - spec/codecs/ipfix_test_vmware_vds_tpl.dat
137
145
  - spec/codecs/netflow5.dat
138
146
  - spec/codecs/netflow5_test_invalid01.dat
139
147
  - spec/codecs/netflow5_test_invalid02.dat