Added test for Fortigate FortiOS 5.2

Author: jorritfolmer

CHANGELOG.md

@@ -1,3 +1,8 @@
+## 3.5.2
+
+  - Added test for Fortigate FortiOS 5.2 (Netflow v9)
+  - Clarified confusing warning about missing templates
+
 ## 3.5.1
 
   - Added test for Barracuda firewall (IPFIX)

CONTRIBUTORS

@@ -9,6 +9,7 @@ Contributors:
 * Diyaldine Maoulida
 * Evgeniy Sudyr (ejectck)
 * G.J. Moed (gjmoed)
+* GMoz
 * Jordan Sissel (jordansissel)
 * Jorrit Folmer (jorritfolmer)
 * Keenan Tims (ktims)

docs/index.asciidoc

@@ -24,56 +24,46 @@ The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
 
 ==== Supported Netflow/IPFIX exporters
 
+This codec supports:
+
+* Netflow v5
+* Netflow v9
+* IPFIX
+
 The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
 
 [cols="6,^2,^2,^2,12",options="header"]
 |===========================================================================================
-|Netflow exporter      | v5 | v9 | IPFIX | Remarks
-|Softflowd             |  y | y  |   y   | IPFIX supported in http://github.com/djmdjm/softflowd
-|nProbe                |  y | y  |   y   |  
-|ipt_NETFLOW           |  y | y  |   y   |
-|Cisco ASA             |    | y  |       |  
-|Cisco IOS 12.x        |    | y  |       |  
-|fprobe                |  y |    |       |
-|Juniper MX80          |  y |    |       | SW > 12.3R8
-|OpenBSD pflow         |  y | n  |   y   | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
-|Mikrotik 6.35.4       |  y |    |   n   | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
-|Ubiquiti Edgerouter X |    | y  |       | With MPLS labels
-|Citrix Netscaler      |    |    |   y   | Still some unknown fields, labeled netscalerUnknown<id>
+|Netflow exporter         | v5 | v9 | IPFIX | Remarks
+|Barracuda Firewall       |    |    |   y   |
+|Cisco ASA                |    | y  |       |  
+|Cisco ASR                |    | y  |       |  
+|Cisco IOS 12.x           |    | y  |       |  
+|Cisco WLC                |    | y  |       |
+|Citrix Netscaler         |    |    |   y   | Still some unknown fields, labeled netscalerUnknown<id>
+|fprobe                   |  y |    |       |
+|Fortigate FortiOS 5.2    |    | y  |       |
+|ipt_NETFLOW              |  y | y  |   y   |
+|Juniper MX80             |  y |    |       | SW > 12.3R8
+|Mikrotik 6.35.4          |  y |    |   n   | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
+|nProbe                   |  y | y  |   y   |  
+|OpenBSD pflow            |  y | n  |   y   | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
+|Softflowd                |  y | y  |   y   | IPFIX supported in http://github.com/djmdjm/softflowd
+|Streamcore Streamgroomer |    | y  |       |
+|Ubiquiti Edgerouter X    |    | y  |       | With MPLS labels
+|VMware VDS               |    |    |   y   | Still some unknown fields
 |===========================================================================================
 
 ==== Usage
 
-Example Logstash configuration:
+Example Logstash configuration that will listen on 2055/udp for Netflow v5,v9 and IPFIX:
 
 [source, ruby]
 --------------------------
 input {
   udp {
-    host => localhost
     port => 2055
-    codec => netflow {
-      versions => [5, 9]
-    }
-    type => netflow
-  }
-  udp {
-    host => localhost
-    port => 4739
-    codec => netflow {
-      versions => [10]
-      target => ipfix
-   }
-   type => ipfix
-  }
-  tcp {
-    host => localhost
-    port => 4739
-    codec => netflow {
-      versions => [10]
-      target => ipfix
-    }
-    type => ipfix
+    codec => netflow
   }
 }
 --------------------------

lib/logstash/codecs/netflow.rb

@@ -5,63 +5,7 @@
 #require "logstash/json"
 require "json"
 
-# The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
-#
-# ==== Supported Netflow/IPFIX exporters
-#
-# The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
-#
-# [cols="6,^2,^2,^2,12",options="header"]
-# |===========================================================================================
-# |Netflow exporter      | v5 | v9 | IPFIX | Remarks
-# |Softflowd             |  y | y  |   y   | IPFIX supported in http://github.com/djmdjm/softflowd
-# |nProbe                |  y | y  |   y   |  
-# |ipt_NETFLOW           |  y | y  |   y   |
-# |Cisco ASA             |    | y  |       |  
-# |Cisco IOS 12.x        |    | y  |       |  
-# |fprobe                |  y |    |       |
-# |Juniper MX80          |  y |    |       | SW > 12.3R8
-# |OpenBSD pflow         |  y | n  |   y   | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
-# |Mikrotik 6.35.4       |  y |    |   n   | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
-# |Ubiquiti Edgerouter X |    | y  |       | With MPLS labels
-# |Citrix Netscaler      |    |    |   y   | Still some unknown fields, labeled netscalerUnknown<id>
-# |===========================================================================================
-#
-# ==== Usage
-#
-# Example Logstash configuration:
-#
-# [source, ruby]
-# --------------------------
-# input {
-#   udp {
-#     host => localhost
-#     port => 2055
-#     codec => netflow {
-#       versions => [5, 9]
-#     }
-#     type => netflow
-#   }
-#   udp {
-#     host => localhost
-#     port => 4739
-#     codec => netflow {
-#       versions => [10]
-#       target => ipfix
-#    }
-#    type => ipfix
-#   }
-#   tcp {
-#     host => localhost
-#     port => 4739
-#     codec => netflow {
-#       versions => [10]
-#       target => ipfix
-#     }
-#     type => ipfix
-#   }
-# }
-# --------------------------
+# Documentation moved to docs/
 
 class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   config_name "netflow"
@@ -87,42 +31,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   config :versions, :validate => :array, :default => [5, 9, 10]
 
   # Override YAML file containing Netflow field definitions
-  #
-  # Each Netflow field is defined like so:
-  #
-  # [source,yaml]
-  # --------------------------
-  # id:
-  # - default length in bytes
-  # - :name
-  # id:
-  # - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
-  # - :name
-  # id:
-  # - :skip
-  # --------------------------
-  #
-  # See <http://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml> for the base set.
   config :netflow_definitions, :validate => :path
 
   # Override YAML file containing IPFIX field definitions
-  #
-  # Very similar to the Netflow version except there is a top level Private
-  # Enterprise Number (PEN) key added:
-  #
-  # [source,yaml]
-  # --------------------------
-  # pen:
-  # id:
-  # - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
-  # - :name
-  # id:
-  # - :skip
-  # --------------------------
-  #
-  # There is an implicit PEN 0 for the standard fields.
-  #
-  # See <http://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml> for the base set.
   config :ipfix_definitions, :validate => :path
 
   NETFLOW5_FIELDS = ['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records']

spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat

@@ -966,6 +966,76 @@
 
   end
 
+  context "Netflow 9 Fortigate FortiOS 5.2.1" do
+    let(:data) do
+      packets = []
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_fortigate_fortios_521_tpl.dat"), :mode => "rb")
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_fortigate_fortios_521_data256.dat"), :mode => "rb")
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_fortigate_fortios_521_data257.dat"), :mode => "rb")
+    end
+
+    let(:json_events) do
+      events = []
+      events << <<-END
+        {
+          "netflow": {
+            "flow_seq_num": 13641,
+            "scope_system": 1,
+            "total_bytes_exp": 6871319015,
+            "total_flows_exp": 107864,
+            "flow_active_timeout": 1800,
+            "flow_inactive_timeout": 15,
+            "flowset_id": 256,
+            "total_pkts_exp": 11920854,
+            "version": 9,
+            "sampling_algorithm": 1,
+            "sampling_interval": 1
+          },
+          "@timestamp": "2017-07-18T05:42:14.000Z",
+          "@version": "1"
+        }
+        END
+
+      events << <<-END
+        {
+          "netflow": {
+            "output_snmp": 3,
+            "in_pkts": 3,
+            "ipv4_dst_addr": "31.13.87.36",
+            "first_switched": "2017-07-25T04:44:29.999Z",
+            "flowset_id": 257,
+            "l4_src_port": 61910,
+            "version": 9,
+            "flow_seq_num": 13635,
+            "ipv4_src_addr": "192.168.99.7",
+            "in_bytes": 152,
+            "protocol": 6,
+            "last_switched": "2017-07-25T04:44:38.999Z",
+            "input_snmp": 9,
+            "out_pkts": 0,
+            "out_bytes": 0,
+            "l4_dst_port": 443
+          },
+          "@timestamp": "2017-07-18T05:41:59.000Z",
+          "@version": "1"
+        }
+        END
+      events.map{|event| event.gsub(/\s+/, "")}
+    end
+
+    it "should decode raw data" do
+      expect(decode.size).to eq(2)
+      expect(decode[0].get("[netflow][total_bytes_exp]")).to eq(6871319015)
+      expect(decode[1].get("[netflow][ipv4_src_addr]")).to eq("192.168.99.7")
+    end
+
+    it "should serialize to json" do
+      expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+      expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[1]))
+    end
+
+  end
+
   context "Netflow 9 Streamcore" do
     let(:data) do
       packets = []