Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #15449 to 7.x: [Filebeat] Fixes for NetFlow v9 devices from various vendors #15554

Merged
merged 1 commit into from
Jan 14, 2020
Merged

Cherry-pick #15449 to 7.x: [Filebeat] Fixes for NetFlow v9 devices from various vendors #15554

merged 1 commit into from
Jan 14, 2020

Conversation

adriansr
Copy link
Contributor

Cherry-pick of PR #15449 to 7.x branch. Original message:

A few problems have been identified in some Cisco devices that use NetFlow v9:

  • Options template without scope fields: This was treated as an invalid template (it is under IPFIX) but it's valid under Netflow v9.
  • Some fields are not recognized (34000,35001,35007, etc.)
  • Field classId in templates is out of bounds.
  • Bytes/pkts counters from some devices are not recognised (Cisco ASA, other NSEL, Huawei-Netstream).

Fixes: #14212

@adriansr
[Filebeat] Fixes for NetFlow v9 devices from various vendors (elastic…
3252d24 
…#15449)

- Allow for zero scope fields in options template

NetFlow v9 spec allows for options templates that contain no scope
fields. The netflow input was treating this case as an error and
discarding the template, but that is only applicable to IPFIX.

- Use additional fields to populate bytes/pkt counters

Some devices out there (Cisco NSEL) use fields 231/232 as bytes
counters, when those are supposed to be layer 4 payload counters.

This updates the ECS fields populator to use those fields when the
expected ones are not found.

- Support a classId of 32 bits

While the spec mandates a classId of 8 bits, some Cisco ASA devices
actually use a 32 bit version of this field.

This patches the field to allow up to 32-bit integers and updates the
index pattern to use `long` for the `netflow.class_id` field.

- Add more fields from v9 Cisco devices

Fixes elastic#14212

(cherry picked from commit c3a3604)
leehinman
leehinman approved these changes Jan 14, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@adriansr adriansr merged commit a8bb181 into elastic:7.x Jan 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaiyan-sheng kaiyan-sheng kaiyan-sheng approved these changes

@leehinman leehinman leehinman approved these changes

Assignees
No one assigned
Labels
backport review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adriansr @kaiyan-sheng @leehinman