diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d2c6aa..edfd5b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 3.5.0
+
+ - Added support for Cisco WLC (Netflow v9)
+
+## 3.4.0
+
+ - Added support for Cisco NBAR (Netflow v9)
+
 ## 3.3.0
 - Added support for Cisco ASR 9000 (Netflow v9)
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 9c75056..03dda04 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -20,6 +20,7 @@ Contributors:
 * Richard Pijnenburg (electrical)
 * Salvador Ferrer (salva-ferrer)
 * Will Rigby (wrigby)
+* Yehonatan Devorkin (Devorkin)
 * Rojuinex
 * debadair
 * hkshirish
diff --git a/lib/logstash/codecs/netflow/netflow.yaml b/lib/logstash/codecs/netflow/netflow.yaml
index e952369..db0b382 100644
--- a/lib/logstash/codecs/netflow/netflow.yaml
+++ b/lib/logstash/codecs/netflow/netflow.yaml
@@ -232,9 +232,15 @@
 96:
 - :string
 - :application_name
+98:
+- :uint8
+- :postIpDiffServCodePoint
 136:
 - :uint8
 - :flow_end_reason
+147:
+- :string
+- :wlanSSID
 148:
 - :uint32
 - :conn_id
@@ -325,6 +331,15 @@
 362:
 - :uint16
 - :postNATPortBlockEnd
+365:
+- :mac_addr
+- :staMacAddress
+366:
+- :ip4_addr
+- :staIPv4Address
+367:
+- :mac_addr
+- :wtpMacAddress
 8192:
 - :uint32
 - :streamcore_wan_rtt
diff --git a/logstash-codec-netflow.gemspec b/logstash-codec-netflow.gemspec
index 6c6f44c..5cc43a6 100644
--- a/logstash-codec-netflow.gemspec
+++ b/logstash-codec-netflow.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-codec-netflow'
- s.version = '3.4.1'
+ s.version = '3.5.0'
 s.licenses = ['Apache License (2.0)']
 s.summary = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
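Review bot: In the netflow.yaml hunk at `@@ -232,9 +232,15 @@`, element 147 (`wlanSSID`) is declared `:string`, yet an SSID is up to 32 arbitrary octets and NetFlow v9 exports carry no authentication, so the decoded value can hold padding, control characters or bytes that are not valid UTF-8. The spec added in this commit exercises only the ASCII value `"Test-env"`, and how `:string` fields are trimmed and encoded is not visible in this diff, so that behaviour should be confirmed before events reach JSON serialization. A comment above the entry would record the expectation, for example `# 147: exporter-supplied SSID bytes; downstream consumers must treat as untrusted text`. The hunk at `@@ -325,6 +331,15 @@` adds `staMacAddress` and `staIPv4Address`, which identify individual wireless clients; the changelog entry could name these fields so operators who pseudonymize flow data know to cover them.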
diff --git a/spec/codecs/netflow9_test_cisco_wlc_data261.dat b/spec/codecs/netflow9_test_cisco_wlc_data261.dat
new file mode 100644
index 0000000..0f117ad
Binary files /dev/null and b/spec/codecs/netflow9_test_cisco_wlc_data261.dat differ
diff --git a/spec/codecs/netflow9_test_cisco_wlc_tpl.dat b/spec/codecs/netflow9_test_cisco_wlc_tpl.dat
new file mode 100644
index 0000000..46de8d9
Binary files /dev/null and b/spec/codecs/netflow9_test_cisco_wlc_tpl.dat differ
diff --git a/spec/codecs/netflow_spec.rb b/spec/codecs/netflow_spec.rb
index ca96565..73490f2 100644
--- a/spec/codecs/netflow_spec.rb
+++ b/spec/codecs/netflow_spec.rb
@@ -1698,6 +1698,51 @@ end
 end
+ context "Netflow 9 Cisco WLC" do
+ let(:data) do
+ packets = []
+ packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_wlc_tpl.dat"), :mode => "rb")
+ packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_wlc_data261.dat"), :mode => "rb")
+ end
+
+ let(:json_events) do
+ events = []
+ events << <<-END
+ {
+ "netflow": {
+ "ip_dscp": 0,
+ "in_pkts": 53362,
+ "wtpMacAddress": "00:f6:63:cc:80:60",
+ "staMacAddress": "34:02:86:75:c0:51",
+ "flowset_id": 261,
+ "version": 9,
+ "application_id": "13:431",
+ "flow_seq_num": 78,
+ "in_bytes": 80973880,
+ "postIpDiffServCodePoint": 0,
+ "wlanSSID": "Test-env",
+ "staIPv4Address": "192.168.20.121",
+ "direction": 1
+ },
+ "@timestamp": "2017-06-22T06:31:14.000Z",
+ "@version": "1"
+ }
+ END
+ events.map{|event| event.gsub(/\s+/, "")}
+ end
+
+ it "should decode raw data" do
+ expect(decode.size).to eq(19)
+ expect(decode[18].get("[netflow][application_id]")).to eq("13:431")
+ end
+
+ it "should serialize to json" do
+ expect(JSON.parse(decode[18].to_json)).to eq(JSON.parse(json_events[0]))
+ end
+ end
+
+
+
 end
 describe LogStash::Codecs::Netflow, 'missing templates, no template caching configured' do
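Review bot: The two reads in the new `let(:data)` block use `IO.read(..., :mode => "rb")`, which would be clearer and narrower as `File.binread(File.join(__dir__, "netflow9_test_cisco_wlc_tpl.dat"))` (and likewise for the data261 fixture): `IO.read` interprets an argument beginning with `|` as a command, harmless with these constant paths but not a pattern to copy into code that takes a path from elsewhere. If the rest of this spec already uses `IO.read` for its fixtures, consistency may win and the change belongs in a separate cleanup. The context also adds three blank lines after its closing `end`, which can be dropped. The enclosing `describe` block starts outside the hunk.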