Added support for Cisco WLC, closes #78

logstash-plugins · Jun 23, 2017 · 3792c6e · 3792c6e
1 parent 97c7ae8
commit 3792c6e
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 3.5.0
+
+  - Added support for Cisco WLC (Netflow v9)
+
+## 3.4.0
+
+  - Added support for Cisco NBAR (Netflow v9)
+
 ## 3.3.0
 
   - Added support for Cisco ASR 9000 (Netflow v9)

diff --git a/CONTRIBUTORS b/CONTRIBUTORS
@@ -20,6 +20,7 @@ Contributors:
 * Richard Pijnenburg (electrical)
 * Salvador Ferrer (salva-ferrer)
 * Will Rigby (wrigby)
+* Yehonatan Devorkin (Devorkin)
 * Rojuinex
 * debadair
 * hkshirish

diff --git a/lib/logstash/codecs/netflow/netflow.yaml b/lib/logstash/codecs/netflow/netflow.yaml
@@ -232,9 +232,15 @@
 96:
 - :string
 - :application_name
+98:
+- :uint8
+- :postIpDiffServCodePoint
 136:
 - :uint8
 - :flow_end_reason
+147:
+- :string
+- :wlanSSID
 148:
 - :uint32
 - :conn_id
@@ -325,6 +331,15 @@
 362:
 - :uint16
 - :postNATPortBlockEnd
+365:
+- :mac_addr
+- :staMacAddress
+366:
+- :ip4_addr
+- :staIPv4Address
+367:
+- :mac_addr
+- :wtpMacAddress
 8192:
 - :uint32
 - :streamcore_wan_rtt

diff --git a/logstash-codec-netflow.gemspec b/logstash-codec-netflow.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-netflow'
-  s.version         = '3.4.1'
+  s.version         = '3.5.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

diff --git a/spec/codecs/netflow9_test_cisco_wlc_data261.dat b/spec/codecs/netflow9_test_cisco_wlc_data261.dat
diff --git a/spec/codecs/netflow9_test_cisco_wlc_tpl.dat b/spec/codecs/netflow9_test_cisco_wlc_tpl.dat
diff --git a/spec/codecs/netflow_spec.rb b/spec/codecs/netflow_spec.rb
@@ -1698,6 +1698,51 @@
     end
   end
 
+  context "Netflow 9 Cisco WLC" do
+    let(:data) do
+      packets = []
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_wlc_tpl.dat"), :mode => "rb")
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_wlc_data261.dat"), :mode => "rb")
+    end
+
+    let(:json_events) do
+      events = []
+      events << <<-END
+        {
+          "netflow": {
+            "ip_dscp": 0,
+            "in_pkts": 53362,
+            "wtpMacAddress": "00:f6:63:cc:80:60",
+            "staMacAddress": "34:02:86:75:c0:51",
+            "flowset_id": 261,
+            "version": 9,
+            "application_id": "13:431",
+            "flow_seq_num": 78,
+            "in_bytes": 80973880,
+            "postIpDiffServCodePoint": 0,
+            "wlanSSID": "Test-env",
+            "staIPv4Address": "192.168.20.121",
+            "direction": 1
+          },
+          "@timestamp": "2017-06-22T06:31:14.000Z",
+          "@version": "1"
+        }
+        END
+      events.map{|event| event.gsub(/\s+/, "")}
+    end
+
+    it "should decode raw data" do
+      expect(decode.size).to eq(19)
+      expect(decode[18].get("[netflow][application_id]")).to eq("13:431")
+    end
+
+    it "should serialize to json" do
+      expect(JSON.parse(decode[18].to_json)).to eq(JSON.parse(json_events[0]))
+    end
+  end
+
+
+
 end
 
 describe LogStash::Codecs::Netflow, 'missing templates, no template caching configured' do