Class: LogStash::Codecs::Netflow

Inherits:
Base
  • Object
show all
Defined in:
lib/logstash/codecs/netflow.rb

Overview

Documentation moved to docs/

Constant Summary collapse

NETFLOW5_FIELDS = 
['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records']
NETFLOW9_FIELDS = 
['version', 'flow_seq_num']
NETFLOW9_SCOPES = 
{
  1 => :scope_system,
  2 => :scope_interface,
  3 => :scope_line_card,
  4 => :scope_netflow_cache,
  5 => :scope_template,
}
IPFIX_FIELDS = 
['version']
SWITCHED = 
/_switched$/
FLOWSET_ID = 
"flowset_id"

Instance Method Summary collapse

Constructor Details

#initialize(params = {}) ⇒ Netflow

Returns a new instance of Netflow.



52
53
54
55
56
57
58
 
# File 'lib/logstash/codecs/netflow.rb', line 52

def initialize(params = {})
  @file_cache_mutex = Mutex.new
  super(params)
  @threadsafe = true
  @decode_mutex_netflow = Mutex.new
  @decode_mutex_ipfix = Mutex.new
end

Instance Method Details

#cloneObject 



60
61
62
 
# File 'lib/logstash/codecs/netflow.rb', line 60

def clone
  self
end

#decode(payload, metadata = nil, &block) ⇒ Object

def register



104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
 
# File 'lib/logstash/codecs/netflow.rb', line 104

def decode(payload, metadata = nil, &block)
#   BinData::trace_reading do
  header = Header.read(payload)

  unless @versions.include?(header.version)
    @logger.warn("Ignoring Netflow version v#{header.version}")
    return
  end

  if header.version == 5
    flowset = Netflow5PDU.read(payload)
    flowset.records.each do |record|
      yield(decode_netflow5(flowset, record))
    end
  elsif header.version == 9
#     BinData::trace_reading do
    flowset = Netflow9PDU.read(payload)
    flowset.records.each do |record|
      if metadata != nil
        decode_netflow9(flowset, record, metadata).each{|event| yield(event)}
      else
        decode_netflow9(flowset, record).each{|event| yield(event)}
      end
#      end
   end
  elsif header.version == 10
#     BinData::trace_reading do
    flowset = IpfixPDU.read(payload)
    flowset.records.each do |record|
      decode_ipfix(flowset, record).each { |event| yield(event) }
    end
#     end
  else
    @logger.warn("Unsupported Netflow version v#{header.version}")
  end
#   end
rescue BinData::ValidityError, IOError => e
  @logger.warn("Invalid netflow packet received (#{e})")
end

#registerObject 



64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
 
# File 'lib/logstash/codecs/netflow.rb', line 64

def register
  require "logstash/codecs/netflow/util"
  @netflow_templates = Vash.new()
  @ipfix_templates = Vash.new()

  # Path to default Netflow v9 field definitions
  filename = ::File.expand_path('netflow/netflow.yaml', ::File.dirname(__FILE__))
  @netflow_fields = load_definitions(filename, @netflow_definitions)

  # Path to default IPFIX field definitions
  filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
  @ipfix_fields = load_definitions(filename, @ipfix_definitions)

  if @cache_save_path
    if @versions.include?(9)
      cache_save_file_netflow = "#{@cache_save_path}/netflow_templates.cache"
      if File.exists?(cache_save_file_netflow)
        raise "#{self.class.name}: Template cache file #{cache_save_file_netflow} not writable" unless File.writable?(cache_save_file_netflow)
        @netflow_templates_cache = load_templates_cache("#{@cache_save_path}/netflow_templates.cache")
        @netflow_templates_cache.each{ |key, fields| @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
      else
        raise "#{self.class.name}: Template cache directory #{cache_save_path} not writable" unless File.writable?(cache_save_path)
        @netflow_templates_cache = {}
      end
    end

    if @versions.include?(10)
      cache_save_file_ipfix = "#{@cache_save_path}/ipfix_templates.cache"
      if File.exists?(cache_save_file_ipfix)
        raise "#{self.class.name}: Template cache file #{cache_save_file_ipfix} not writable" unless File.writable?(cache_save_file_ipfix)
        @ipfix_templates_cache = load_templates_cache("#{@cache_save_path}/ipfix_templates.cache")
        @ipfix_templates_cache.each{ |key, fields| @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
      else
        raise "#{self.class.name}: Template cache directory #{cache_save_path} not writable" unless File.writable?(cache_save_path)
        @ipfix_templates_cache = {}
      end
    end
  end
end