Class: LogStash::Codecs::Netflow

Inherits:
Base
  • Object
show all
Includes:
PluginMixins::EventSupport::EventFactoryAdapter
Defined in:
lib/logstash/codecs/netflow.rb

Defined Under Namespace

Classes: TemplateRegistry

Constant Summary collapse

NETFLOW5_FIELDS = 
['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records']
NETFLOW9_FIELDS = 
['version', 'flow_seq_num']
NETFLOW9_SCOPES = 
{
  1 => :scope_system,
  2 => :scope_interface,
  3 => :scope_line_card,
  4 => :scope_netflow_cache,
  5 => :scope_template,
}
IPFIX_FIELDS = 
['version']
SWITCHED = 
/_switched$/
FLOWSET_ID = 
"flowset_id"

Instance Method Summary collapse

Constructor Details

#initialize(params = {}) ⇒ Netflow

Returns a new instance of Netflow.



55
56
57
58
 
# File 'lib/logstash/codecs/netflow.rb', line 55

def initialize(params = {})
  super(params)
  @threadsafe = true
end

Instance Method Details

#clone(*args) ⇒ Object 



60
61
62
 
# File 'lib/logstash/codecs/netflow.rb', line 60

def clone(*args)
  self
end

#decode(payload, metadata = nil, &block) ⇒ Object

def register



79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
 
# File 'lib/logstash/codecs/netflow.rb', line 79

def decode(payload, metadata = nil, &block)
#   BinData::trace_reading do
  header = Header.read(payload)

  unless @versions.include?(header.version)
    @logger.warn("Ignoring Netflow version v#{header.version}")
    return
  end

  if header.version == 5
    flowset = Netflow5PDU.read(payload)
    flowset.records.each do |record|
      begin
        yield(decode_netflow5(flowset, record))
      rescue BinData::ValidityError, IOError => e
        @logger.warn("Invalid Netflow v5 record (#{e})")
        if @logger.debug?
          @logger.debug("Netflow v5 decode error", :flow_seq_num => flowset.flow_seq_num)
        end
      end
    end
  elsif header.version == 9
#     BinData::trace_reading do
    flowset = Netflow9PDU.read(payload)
    flowset.records.each do |record|
      begin
        if metadata != nil
          decode_netflow9(flowset, record, metadata).each{|event| yield(event)}
        else
          decode_netflow9(flowset, record).each{|event| yield(event)}
        end
      rescue BinData::ValidityError, IOError => e
        @logger.warn("Invalid Netflow v9 record (#{e})")
        if @logger.debug?
          host = metadata ? metadata["host"] : nil
          port = metadata ? metadata["port"] : nil
          @logger.debug("Netflow v9 decode error", :source_id => flowset.source_id, :flowset_id => record.flowset_id, :host => host, :port => port)
        end
      end
#      end
   end
  elsif header.version == 10
#     BinData::trace_reading do
    flowset = IpfixPDU.read(payload)
    flowset.records.each do |record|
      begin
        decode_ipfix(flowset, record).each { |event| yield(event) }
      rescue BinData::ValidityError, IOError => e
        @logger.warn("Invalid IPFIX record (#{e})")
        if @logger.debug?
          @logger.debug("IPFIX decode error", :observation_domain_id => flowset.observation_domain_id, :flowset_id => record.flowset_id)
        end
      end
    end
#     end
  else
    @logger.warn("Unsupported Netflow version v#{header.version}")
  end
#   end
rescue BinData::ValidityError, IOError => e
  @logger.warn("Invalid netflow packet received (#{e})")
end

#registerObject 



64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
# File 'lib/logstash/codecs/netflow.rb', line 64

def register
  require "logstash/codecs/netflow/util"

  @netflow_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/netflow_templates.cache")
  @ipfix_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/ipfix_templates.cache")

  # Path to default Netflow v9 field definitions
  filename = ::File.expand_path('netflow/netflow.yaml', ::File.dirname(__FILE__))
  @netflow_fields = load_definitions(filename, @netflow_definitions)

  # Path to default IPFIX field definitions
  filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
  @ipfix_fields = load_definitions(filename, @ipfix_definitions)
end