Class: LogStash::Codecs::Netflow

Inherits:
Base
  • Object
show all
Includes:
PluginMixins::EventSupport::EventFactoryAdapter
Defined in:
lib/logstash/codecs/netflow.rb

Defined Under Namespace

Classes: TemplateRegistry

Constant Summary collapse

NETFLOW5_FIELDS = 
['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records']
NETFLOW9_FIELDS = 
['version', 'flow_seq_num']
NETFLOW9_SCOPES = 
{
  1 => :scope_system,
  2 => :scope_interface,
  3 => :scope_line_card,
  4 => :scope_netflow_cache,
  5 => :scope_template,
}
IPFIX_FIELDS = 
['version']
SWITCHED = 
/_switched$/
FLOWSET_ID = 
"flowset_id"

Instance Method Summary collapse

Constructor Details

#initialize(params = {}) ⇒ Netflow

Returns a new instance of Netflow.



55
56
57
58
 
# File 'lib/logstash/codecs/netflow.rb', line 55

def initialize(params = {})
  super(params)
  @threadsafe = true
end

Instance Method Details

#cloneObject 



60
61
62
 
# File 'lib/logstash/codecs/netflow.rb', line 60

def clone
  self
end

#decode(payload, metadata = nil, &block) ⇒ Object

def register



79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
 
# File 'lib/logstash/codecs/netflow.rb', line 79

def decode(payload, metadata = nil, &block)
#   BinData::trace_reading do
  header = Header.read(payload)

  unless @versions.include?(header.version)
    @logger.warn("Ignoring Netflow version v#{header.version}")
    return
  end

  if header.version == 5
    flowset = Netflow5PDU.read(payload)
    flowset.records.each do |record|
      yield(decode_netflow5(flowset, record))
    end
  elsif header.version == 9
#     BinData::trace_reading do
    flowset = Netflow9PDU.read(payload)
    flowset.records.each do |record|
      if metadata != nil
        decode_netflow9(flowset, record, metadata).each{|event| yield(event)}
      else
        decode_netflow9(flowset, record).each{|event| yield(event)}
      end
#      end
   end
  elsif header.version == 10
#     BinData::trace_reading do
    flowset = IpfixPDU.read(payload)
    flowset.records.each do |record|
      decode_ipfix(flowset, record).each { |event| yield(event) }
    end
#     end
  else
    @logger.warn("Unsupported Netflow version v#{header.version}")
  end
#   end
rescue BinData::ValidityError, IOError => e
  @logger.warn("Invalid netflow packet received (#{e})")
end

#registerObject 



64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
# File 'lib/logstash/codecs/netflow.rb', line 64

def register
  require "logstash/codecs/netflow/util"

  @netflow_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/netflow_templates.cache")
  @ipfix_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/ipfix_templates.cache")

  # Path to default Netflow v9 field definitions
  filename = ::File.expand_path('netflow/netflow.yaml', ::File.dirname(__FILE__))
  @netflow_fields = load_definitions(filename, @netflow_definitions)

  # Path to default IPFIX field definitions
  filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
  @ipfix_fields = load_definitions(filename, @ipfix_definitions)
end