Class: Fluent::Plugin::NetflowParser

Inherits:

Parser

• Object
• Parser
• Fluent::Plugin::NetflowParser

Defined in:

lib/fluent/plugin/parser_netflow.rb,
lib/fluent/plugin/vash.rb,
lib/fluent/plugin/netflow_records.rb

Overview

port from logstash’s netflow parser

Defined Under Namespace

Classes: Header, IP4Addr, IP6Addr, MacAddr, MplsLabel, Netflow5PDU, Netflow9PDU, OptionFlowset, TemplateFlowset, Vash

Instance Method Summary

• #call(payload, host = nil, &block) ⇒ Object
• #configure(conf) ⇒ Object

  Cisco NetFlow Export Datagram Format www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html Cisco NetFlow Version 9 Flow-Record Format www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html.

Instance Method Details

#call(payload, host = nil, &block) ⇒ Object

# File 'lib/fluent/plugin/parser_netflow.rb', line 50

def call(payload, host=nil, &block)
  version,_ = payload[0,2].unpack('n')
  case version
  when 5
    forV5(payload, block)
  when 9
    # TODO: implement forV9
    pdu = Netflow9PDU.read(payload)
    handle_v9(host, pdu, block)
  else
    $log.warn "Unsupported Netflow version v#{version}: #{version.class}"
  end
end

#configure(conf) ⇒ Object

Cisco NetFlow Export Datagram Format www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html Cisco NetFlow Version 9 Flow-Record Format www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

# File 'lib/fluent/plugin/parser_netflow.rb', line 25

def configure(conf)
  super

  @templates = Vash.new()
  @samplers_v9 = Vash.new()
  # Path to default Netflow v9 field definitions
  filename = File.expand_path('../netflow_fields.yaml', __FILE__)

  begin
    @template_fields = YAML.load_file(filename)
  rescue => e
    raise Fluent::ConfigError, "Bad syntax in definitions file #{filename}, error_class = #{e.class.name}, error = #{e.message}"
  end

  # Allow the user to augment/override/rename the supported Netflow fields
  if @definitions
    raise Fluent::ConfigError, "definitions file #{@definitions} doesn't exist" unless File.exist?(@definitions)
    begin
      @template_fields['option'].merge!(YAML.load_file(@definitions))
    rescue => e
      raise Fluent::ConfigError, "Bad syntax in definitions file #{@definitions}, error_class = #{e.class.name}, error = #{e.message}"
    end
  end
end