Class: LogStash::Codecs::Netflow

Inherits:
Base
  • Object
show all
Defined in:
lib/logstash/codecs/netflow.rb

Overview

Documentation moved to docs/

Defined Under Namespace

Classes: TemplateRegistry

Constant Summary collapse

NETFLOW5_FIELDS = 
['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records']
NETFLOW9_FIELDS = 
['version', 'flow_seq_num']
NETFLOW9_SCOPES = 
{
  1 => :scope_system,
  2 => :scope_interface,
  3 => :scope_line_card,
  4 => :scope_netflow_cache,
  5 => :scope_template,
}
IPFIX_FIELDS = 
['version']
SWITCHED = 
/_switched$/
FLOWSET_ID = 
"flowset_id"

Instance Method Summary collapse

Constructor Details

#initialize(params = {}) ⇒ Netflow

Returns a new instance of Netflow.



52
53
54
55
 
# File 'lib/logstash/codecs/netflow.rb', line 52

def initialize(params = {})
  super(params)
  @threadsafe = true
end

Instance Method Details

#cloneObject 



57
58
59
 
# File 'lib/logstash/codecs/netflow.rb', line 57

def clone
  self
end

#decode(payload, metadata = nil, &block) ⇒ Object

def register



76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
 
# File 'lib/logstash/codecs/netflow.rb', line 76

def decode(payload, metadata = nil, &block)
#   BinData::trace_reading do
  header = Header.read(payload)

  unless @versions.include?(header.version)
    @logger.warn("Ignoring Netflow version v#{header.version}")
    return
  end

  if header.version == 5
    flowset = Netflow5PDU.read(payload)
    flowset.records.each do |record|
      yield(decode_netflow5(flowset, record))
    end
  elsif header.version == 9
#     BinData::trace_reading do
    flowset = Netflow9PDU.read(payload)
    flowset.records.each do |record|
      if metadata != nil
        decode_netflow9(flowset, record, metadata).each{|event| yield(event)}
      else
        decode_netflow9(flowset, record).each{|event| yield(event)}
      end
#      end
   end
  elsif header.version == 10
#     BinData::trace_reading do
    flowset = IpfixPDU.read(payload)
    flowset.records.each do |record|
      decode_ipfix(flowset, record).each { |event| yield(event) }
    end
#     end
  else
    @logger.warn("Unsupported Netflow version v#{header.version}")
  end
#   end
rescue BinData::ValidityError, IOError => e
  @logger.warn("Invalid netflow packet received (#{e})")
end

#registerObject 



61
62
63
64
65
66
67
68
69
70
71
72
73
74
 
# File 'lib/logstash/codecs/netflow.rb', line 61

def register
  require "logstash/codecs/netflow/util"

  @netflow_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/netflow_templates.cache")
  @ipfix_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/ipfix_templates.cache")

  # Path to default Netflow v9 field definitions
  filename = ::File.expand_path('netflow/netflow.yaml', ::File.dirname(__FILE__))
  @netflow_fields = load_definitions(filename, @netflow_definitions)

  # Path to default IPFIX field definitions
  filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
  @ipfix_fields = load_definitions(filename, @ipfix_definitions)
end