logstash-codec-netflow 3.5.2 → 3.6.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/CONTRIBUTORS +1 -0
- data/Gemfile +1 -0
- data/docs/index.asciidoc +6 -7
- data/lib/logstash/codecs/netflow.rb +27 -5
- data/lib/logstash/codecs/netflow/netflow.yaml +15 -0
- data/lib/logstash/codecs/netflow/util.rb +75 -1
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/netflow9_test_nprobe_dpi.dat +0 -0
- data/spec/codecs/netflow_spec.rb +49 -0
- metadata +14 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c7f0d6772017820e36296cf42defff63a59297ae
|
4
|
+
data.tar.gz: 029c09b6f7a1bf8d55a35fcbf3463be618584c04
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f24188a8b785b89544fa711a531988761138ca42bd73f2900765bad3157adc927e76754b20f44f8aef853ebe7ea6ce8c286366fa42e9e0023a0d63d5740ecd3e
|
7
|
+
data.tar.gz: e3e67cd8db7fa5bd111024bfc33a2e3cb7b004bd009610d11580737753540ada6de5c1d9ef5286fadf94d6c1856829897810a9c60b51f6a30264f3b491a615e8
|
data/CHANGELOG.md
CHANGED
data/CONTRIBUTORS
CHANGED
data/Gemfile
CHANGED
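--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -39,6 +39,7 @@ The following Netflow/IPFIX exporters are known to work with the most recent ver
 |Cisco ASA | | y | |
 |Cisco ASR | | y | |
 |Cisco IOS 12.x | | y | |
+|Cisco ISR w/ HSL | | n | | https://github.com/logstash-plugins/logstash-codec-netflow/issues/93
 |Cisco WLC | | y | |
 |Citrix Netscaler | | | y | Still some unknown fields, labeled netscalerUnknown<id>
 |fprobe | y | | |
@@ -46,7 +47,7 @@ The following Netflow/IPFIX exporters are known to work with the most recent ver
 |ipt_NETFLOW | y | y | y |
 |Juniper MX80 | y | | | SW > 12.3R8
 |Mikrotik | y | | y | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
-|nProbe | y | y | y |
+|nProbe | y | y | y | L7 DPI fields now also supported
 |OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
 |Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd
 |Streamcore Streamgroomer | | y | |
@@ -68,25 +69,23 @@ input {
 }
 --------------------------
 
-For high-performance production environments the configuration below will decode up to
-
+For high-performance production environments the configuration below will decode up to 15000 flows/sec on a dedicated 16 CPU instance. If your total flowrate exceeds 15000 flows/sec, you should use multiple Logstash instances.
 
 [source, ruby]
 --------------------------
 input {
 udp {
 port => 2055
-receive_buffer_bytes => 16777216
 codec => netflow
-
+receive_buffer_bytes => 16777216
+workers => 16
 }
 --------------------------
 
-
+To mitigate dropped packets, make sure to increase the Linux kernel receive buffer limit:
 
 # sysctl -w net.core.rmem_max=$((1024*1024*16))
 
-
 [id="plugins-{type}s-{plugin}-options"]
 ==== Netflow Codec Configuration Options
 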
@@ -244,10 +244,11 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
244
244
|
|
245
245
|
length = record.flowset_length - 4
|
246
246
|
|
247
|
-
# Template shouldn't be longer than the record
|
248
|
-
#
|
249
|
-
|
250
|
-
|
247
|
+
# Template shouldn't be longer than the record
|
248
|
+
# As fas as padding is concerned, the RFC defines a SHOULD for 4-word alignment
|
249
|
+
# so we won't complain about that.
|
250
|
+
if template.num_bytes > length
|
251
|
+
@logger.warn("Template length exceeds flowset length, skipping", :template_id => record.flowset_id, :template_length => template.num_bytes, :record_length => length)
|
251
252
|
return events
|
252
253
|
end
|
253
254
|
|
@@ -460,9 +461,12 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
460
461
|
|
461
462
|
# Small bit of fixup for:
|
462
463
|
# - skip or string field types where the length is dynamic
|
463
|
-
# -
|
464
|
+
# - uint(8|16|24|32} where we use the length as specified by the
|
464
465
|
# template instead of the YAML (e.g. ipv6_flow_label is 3 bytes in
|
465
466
|
# the YAML and Cisco doc, but Cisco ASR9k sends 4 bytes)
|
467
|
+
# - application_id where we use the length as specified by the
|
468
|
+
# template and map it to custom types for handling.
|
469
|
+
#
|
466
470
|
case field[0]
|
467
471
|
when :uint8
|
468
472
|
field[0] = uint_field(length, field[0])
|
@@ -472,6 +476,24 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
472
476
|
field[0] = uint_field(length, field[0])
|
473
477
|
when :uint32
|
474
478
|
field[0] = uint_field(length, field[0])
|
479
|
+
when :application_id
|
480
|
+
case length
|
481
|
+
when 2
|
482
|
+
field[0] = :Application_Id16
|
483
|
+
when 3
|
484
|
+
field[0] = :Application_Id24
|
485
|
+
when 4
|
486
|
+
field[0] = :Application_Id32
|
487
|
+
when 5
|
488
|
+
field[0] = :Application_Id40
|
489
|
+
when 8
|
490
|
+
field[0] = :Application_Id64
|
491
|
+
when 9
|
492
|
+
field[0] = :Application_Id72
|
493
|
+
else
|
494
|
+
@logger.warn("Unsupported application_id length encountered, skipping", :field => field, :length => length)
|
495
|
+
nil
|
496
|
+
end
|
475
497
|
when :skip
|
476
498
|
field += [nil, {:length => length.to_i}]
|
477
499
|
when :string
|
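Review bot: In the new `when :application_id` arm the `else` branch warns "skipping" and evaluates to `nil`, but it never changes `field[0]`, so unless the value of this `case` is consumed by code outside the hunk the field keeps the type `:application_id` and a template carrying a 1-, 6- or 7-byte application_id reaches the BinData struct build with an unknown type instead of being skipped. A safer fallback is to consume the bytes the way the `:skip` arm below does — `field[0] = :skip` followed by `field += [nil, {:length => length.to_i}]` — so the remaining fields of the record stay aligned; the enclosing method starts and ends outside the hunk, so I cannot see whether a nil result is already dropped there. Two comment fixes in the same file: `# - uint(8|16|24|32} where we use the length as specified by the` has a mismatched brace and should read `# - uint(8|16|24|32) where we use the length as specified by the`, and `# As fas as padding is concerned, the RFC defines a SHOULD for 4-word alignment` should read `# As far as padding is concerned, the RFC defines a SHOULD for 4-word alignment`.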
@@ -340,6 +340,9 @@
|
|
340
340
|
367:
|
341
341
|
- :mac_addr
|
342
342
|
- :wtpMacAddress
|
343
|
+
372:
|
344
|
+
- :string
|
345
|
+
- :applicationCategoryName
|
343
346
|
8192:
|
344
347
|
- :uint32
|
345
348
|
- :streamcore_wan_rtt
|
@@ -451,3 +454,15 @@
|
|
451
454
|
40005:
|
452
455
|
- :uint8
|
453
456
|
- :fw_event
|
457
|
+
56701:
|
458
|
+
- :string
|
459
|
+
- :app_id
|
460
|
+
56702:
|
461
|
+
- :string
|
462
|
+
- :user_id
|
463
|
+
57590:
|
464
|
+
- :uint16
|
465
|
+
- :nprobe_proto
|
466
|
+
57591:
|
467
|
+
- :string
|
468
|
+
- :nprobe_proto_name
|
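Review bot: Field ids 56701 and 56702 get the bare names `app_id` and `user_id`, while the other two new entries in this hunk (57590, 57591) are prefixed `nprobe_`; `app_id` in particular is easy to confuse with the `application_id` element that the codec maps to its `:application_id` type. If these ids are exporter-specific, a prefixed name such as `nprobe_app_id` / `nprobe_user_id` keeps the event field namespace consistent and makes the origin visible, and a one-line `# nProbe L7 DPI fields` comment above the 56701 entry would tell the next reader where the ids come from.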
@@ -108,7 +108,7 @@ class Forwarding_Status < BinData::Record
|
|
108
108
|
bit6 :reason
|
109
109
|
end
|
110
110
|
|
111
|
-
class
|
111
|
+
class Application_Id16 < BinData::Primitive
|
112
112
|
endian :big
|
113
113
|
uint8 :classification_id
|
114
114
|
uint24 :selector_id
|
@@ -121,7 +121,81 @@ class Application_Id < BinData::Primitive
|
|
121
121
|
def get
|
122
122
|
self.classification_id.to_s + ":" + self.selector_id.to_s
|
123
123
|
end
|
124
|
+
end
|
125
|
+
|
126
|
+
class Application_Id24 < BinData::Primitive
|
127
|
+
endian :big
|
128
|
+
uint8 :classification_id
|
129
|
+
uint16 :selector_id
|
130
|
+
|
131
|
+
def set(val)
|
132
|
+
self.classification_id=val.to_i<<16
|
133
|
+
self.selector_id = val.to_i-((val.to_i>>16)<<16)
|
134
|
+
end
|
135
|
+
|
136
|
+
def get
|
137
|
+
self.classification_id.to_s + ":" + self.selector_id.to_s
|
138
|
+
end
|
139
|
+
end
|
140
|
+
|
141
|
+
class Application_Id32 < BinData::Primitive
|
142
|
+
endian :big
|
143
|
+
uint8 :classification_id
|
144
|
+
uint24 :selector_id
|
145
|
+
|
146
|
+
def set(val)
|
147
|
+
self.classification_id=val.to_i<<24
|
148
|
+
self.selector_id = val.to_i-((val.to_i>>24)<<24)
|
149
|
+
end
|
150
|
+
|
151
|
+
def get
|
152
|
+
self.classification_id.to_s + ":" + self.selector_id.to_s
|
153
|
+
end
|
154
|
+
end
|
155
|
+
|
156
|
+
class Application_Id40 < BinData::Primitive
|
157
|
+
endian :big
|
158
|
+
uint8 :classification_id
|
159
|
+
uint32 :selector_id
|
124
160
|
|
161
|
+
def set(val)
|
162
|
+
self.classification_id=val.to_i<<32
|
163
|
+
self.selector_id = val.to_i-((val.to_i>>32)<<32)
|
164
|
+
end
|
165
|
+
|
166
|
+
def get
|
167
|
+
self.classification_id.to_s + ":" + self.selector_id.to_s
|
168
|
+
end
|
169
|
+
end
|
170
|
+
|
171
|
+
class Application_Id64 < BinData::Primitive
|
172
|
+
endian :big
|
173
|
+
uint8 :classification_id
|
174
|
+
uint56 :selector_id
|
175
|
+
|
176
|
+
def set(val)
|
177
|
+
self.classification_id=val.to_i<<56
|
178
|
+
self.selector_id = val.to_i-((val.to_i>>56)<<56)
|
179
|
+
end
|
180
|
+
|
181
|
+
def get
|
182
|
+
self.classification_id.to_s + ":" + self.selector_id.to_s
|
183
|
+
end
|
184
|
+
end
|
185
|
+
|
186
|
+
class Application_Id72 < BinData::Primitive
|
187
|
+
endian :big
|
188
|
+
uint8 :classification_id
|
189
|
+
uint64 :selector_id
|
190
|
+
|
191
|
+
def set(val)
|
192
|
+
self.classification_id=val.to_i<<64
|
193
|
+
self.selector_id = val.to_i-((val.to_i>>64)<<64)
|
194
|
+
end
|
195
|
+
|
196
|
+
def get
|
197
|
+
self.classification_id.to_s + ":" + self.selector_id.to_s
|
198
|
+
end
|
125
199
|
end
|
126
200
|
|
127
201
|
class OctetArray < BinData::Primitive
|
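Review bot: `Application_Id16` is the type netflow.rb selects for a 2-byte template length, but its layout — `uint8 :classification_id` followed by the unchanged context line `uint24 :selector_id` — is four bytes wide, identical to the new `Application_Id32`, so a 2-byte application_id would consume two extra bytes and shift every later field in the record; the selector line should be `uint8 :selector_id`, and its `set` on the lines between the two hunks (not visible here) should split at bit 8. Separately, every new `set(val)` shifts the wrong way: `self.classification_id=val.to_i<<16` stores the value shifted left rather than its high byte, while the next line already computes the low 16 bits the long way; the intended form is `self.classification_id = val.to_i >> 16` and `self.selector_id = val.to_i & 0xFFFF` (24, 32, 56 and 64 for the wider classes). If `set` is never called on the decode path this stays latent, but it is wrong for any encoder use. The six classes differ only in the selector width, so a small generator that defines them from a `[name, selector_type, shift]` table would remove the copy-paste that let both defects in, and `"#{classification_id}:#{selector_id}"` reads better than the `to_s + ":" + to_s` chain in each `get`.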
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
4
|
-
s.version = '3.
|
4
|
+
s.version = '3.6.0'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
Binary file
|
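--- a/data/spec/codecs/netflow_spec.rb
+++ b/data/spec/codecs/netflow_spec.rb
@@ -966,6 +966,55 @@ describe LogStash::Codecs::Netflow do
 
 end
 
+context "Netflow 9 nprobe DPI L7" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_nprobe_dpi.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow": {
+"nprobe_proto": 82,
+"in_pkts": 1,
+"ipv4_dst_addr": "0.0.0.0",
+"first_switched": "1970-01-01T00:08:33.000Z",
+"flowset_id": 256,
+"l4_src_port": 0,
+"nprobe_proto_name": "\u0000\u00c1\u0000\u0000\u0001\u00ac\u0010\u0000d\u00e4O\u00ef\u00ff\u00ff\u00fa\u0007",
+"version": 9,
+"application_id": "0:82",
+"flow_seq_num": 2,
+"ipv4_src_addr": "0.0.0.0",
+"protocol": 0,
+"in_bytes": 82,
+"application_name": "\u0000\u0000\u0000\u0000\u0000\"\u0000\u0000\u0000\u0000\u0004",
+"last_switched": "1970-01-01T00:08:36.000Z",
+"l4_dst_port": 0
+},
+"@timestamp": "1970-01-01T00:08:22.000Z",
+"@version": "1",
+"host": "172.16.32.201"
+}
+END
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(1)
+expect(decode[0].get("[netflow][nprobe_proto]")).to eq(82)
+expect(decode[0].get("[netflow][application_id]")).to eq("0:82")
+expect(decode[0].get("[netflow][in_bytes]")).to eq(82)
+end
+
+it "should serialize to json" do
+# We skip this due to unprintable characters in the proto_name and application_name
+# expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+end
+end
+
 context "Netflow 9 Fortigate FortiOS 5.2.1" do
 let(:data) do
 packets = []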
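Review bot: The new `it "should serialize to json"` example has its only expectation commented out, so it passes vacuously and the nprobe DPI fixture never exercises JSON serialization; marking it `pending "unprintable characters in nprobe_proto_name/application_name"` (or `xit`) keeps the gap visible in the report instead of counting it as green. The stated reason deserves a second look before this is accepted: `nprobe_proto_name` and `application_name` are declared `:string` in netflow.yaml, yet the expected values in `json_events` are runs of NUL and high bytes (`"\u0000\u00c1\u0000\u0000..."`), which looks more like the decoder reading the wrong bytes than a legitimate protocol name — I cannot confirm that from the binary fixture, but the 4-byte layout of `Application_Id16` in util.rb is one candidate for a misalignment. Whatever the cause, `should decode raw data` could assert `nprobe_proto_name` and `application_name` explicitly so that a later layout fix changes a test rather than silently altering event content.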
metadata
CHANGED
@@ -1,22 +1,22 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-netflow
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.6.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-09-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
15
15
|
requirements:
|
16
|
-
- -
|
16
|
+
- - '>='
|
17
17
|
- !ruby/object:Gem::Version
|
18
18
|
version: '1.60'
|
19
|
-
- -
|
19
|
+
- - <=
|
20
20
|
- !ruby/object:Gem::Version
|
21
21
|
version: '2.99'
|
22
22
|
name: logstash-core-plugin-api
|
@@ -24,16 +24,16 @@ dependencies:
|
|
24
24
|
type: :runtime
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
26
26
|
requirements:
|
27
|
-
- -
|
27
|
+
- - '>='
|
28
28
|
- !ruby/object:Gem::Version
|
29
29
|
version: '1.60'
|
30
|
-
- -
|
30
|
+
- - <=
|
31
31
|
- !ruby/object:Gem::Version
|
32
32
|
version: '2.99'
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
34
|
requirement: !ruby/object:Gem::Requirement
|
35
35
|
requirements:
|
36
|
-
- -
|
36
|
+
- - '>='
|
37
37
|
- !ruby/object:Gem::Version
|
38
38
|
version: 1.5.0
|
39
39
|
name: bindata
|
@@ -41,13 +41,13 @@ dependencies:
|
|
41
41
|
type: :runtime
|
42
42
|
version_requirements: !ruby/object:Gem::Requirement
|
43
43
|
requirements:
|
44
|
-
- -
|
44
|
+
- - '>='
|
45
45
|
- !ruby/object:Gem::Version
|
46
46
|
version: 1.5.0
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
48
|
requirement: !ruby/object:Gem::Requirement
|
49
49
|
requirements:
|
50
|
-
- -
|
50
|
+
- - '>='
|
51
51
|
- !ruby/object:Gem::Version
|
52
52
|
version: 1.0.0
|
53
53
|
name: logstash-devutils
|
@@ -55,7 +55,7 @@ dependencies:
|
|
55
55
|
type: :development
|
56
56
|
version_requirements: !ruby/object:Gem::Requirement
|
57
57
|
requirements:
|
58
|
-
- -
|
58
|
+
- - '>='
|
59
59
|
- !ruby/object:Gem::Version
|
60
60
|
version: 1.0.0
|
61
61
|
description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
|
@@ -124,6 +124,7 @@ files:
|
|
124
124
|
- spec/codecs/netflow9_test_macaddr_data.dat
|
125
125
|
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
126
126
|
- spec/codecs/netflow9_test_nprobe_data.dat
|
127
|
+
- spec/codecs/netflow9_test_nprobe_dpi.dat
|
127
128
|
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
128
129
|
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
129
130
|
- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
|
@@ -145,12 +146,12 @@ require_paths:
|
|
145
146
|
- lib
|
146
147
|
required_ruby_version: !ruby/object:Gem::Requirement
|
147
148
|
requirements:
|
148
|
-
- -
|
149
|
+
- - '>='
|
149
150
|
- !ruby/object:Gem::Version
|
150
151
|
version: '0'
|
151
152
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
152
153
|
requirements:
|
153
|
-
- -
|
154
|
+
- - '>='
|
154
155
|
- !ruby/object:Gem::Version
|
155
156
|
version: '0'
|
156
157
|
requirements: []
|
@@ -205,6 +206,7 @@ test_files:
|
|
205
206
|
- spec/codecs/netflow9_test_macaddr_data.dat
|
206
207
|
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
207
208
|
- spec/codecs/netflow9_test_nprobe_data.dat
|
209
|
+
- spec/codecs/netflow9_test_nprobe_dpi.dat
|
208
210
|
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
209
211
|
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
210
212
|
- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
|