Updating the logstash configuration to handle asa#10001
toddferg wants to merge 1 commit into elastic:main from toddferg:master
Conversation
Cisco ASA sends in fwd_flow_delta_bytes and rev_flow_delta_bytes for bytes, and initiatorPackets and responderPackets for packets. Just normalizing it.
yaauie
left a comment
Thanks for the contribution 🎉
I've left a couple comments about fixing this up, mostly about ordering to ensure we don't change the behaviour of existing flows.
| rename => { "[netflow][fwd_flow_delta_bytes]" => "[netflow][bytes]" } | ||
| } | ||
| } | ||
| if [netflow][rev_flow_delta_bytes] { |
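Review bot: the `if [netflow][rev_flow_delta_bytes] {` clause runs whether or not the preceding fwd clause already populated `[netflow][bytes]`, and mutate's rename overwrites an existing destination field, so an ASA record carrying both deltas ends with the reverse value silently replacing the forward one. Make it `} else if [netflow][rev_flow_delta_bytes] {` so exactly one rename fires, and note in the comment which direction `[netflow][bytes]` then represents for ASA records.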
should be else if -- we don't want to overwrite the value unnecessarily if both are present.
| # Populate bytes transferred in the flow. | ||
| if [netflow][fwd_flow_delta_bytes] { |
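Review bot: the comment `# Populate bytes transferred in the flow.` promises a flow total, but this clause renames only `[netflow][fwd_flow_delta_bytes]` and leaves `[netflow][rev_flow_delta_bytes]` untouched, so consumers of `[netflow][bytes]` cannot tell whether they are looking at one direction or both. Either document that the field carries the forward direction only for ASA records, or combine the two deltas (a ruby filter can add them) before populating `[netflow][bytes]`.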
In order to preserve behaviour when flow includes these values and one of the other values that could write [netflow][bytes], these should be added at the tail of the else if chain.
We should only take one of these paths after observing the absence of [netflow][in_bytes], [netflow][out_bytes], and [netflow][in_permanent_bytes].
IIRC, during Support Summit I handled a ticket where the user had extracted this pipeline and encountered this issue exactly (it may have been Todd's ticket). The Cisco ASA pcap showed that fwd_flow_delta_bytes and rev_flow_delta_bytes were both present and not necessarily equal. Same with initiatorPackets, responderPackets, initiatorOctets and responderOctets.
From a Cisco Community Support ticket
New fields 231 (initiatorOctets) and 232 (responderOctets) will replace field 85 (IN_PERMANENT_BYTES) along with real-time flow update support in 8.4(5) and later software. However, it may take a bit for third-party Netflow Collectors to pick up these new fields as they come from IPFIX rather than legacy Netflow V9 world.
See what Robert Cowart did here
| } | ||
| # Populate packets transferred in the flow. | ||
| if [netflow][initiatorPackets] { |
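Review bot: `if [netflow][initiatorPackets] {` opens a stand-alone conditional under `# Populate packets transferred in the flow.`, so the same double-write problem as the bytes block applies: a record that also matches one of the existing packet clauses has its packet count assigned twice, and a record with both `initiatorPackets` and `responderPackets` keeps whichever clause ran last. Chain both clauses with `else if` onto the tail of the existing packets conditional.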
Similarly here, these two clauses should be else if-joined and should be at the tail of the else if chain.
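The ordering the review asks for, written out as one complete filter block. This is an added illustration, not code from this pull request or from the Logstash netflow module. It assumes the existing chain normalizes `[netflow][in_bytes]`, `[netflow][out_bytes]` and `[netflow][in_permanent_bytes]` into `[netflow][bytes]` with mutate rename (the comments name the fields but not the clause bodies), assumes `[netflow][in_pkts]` and `[netflow][out_pkts]` as the existing packet clauses and `[netflow][packets]` as their target, and appends the Cisco ASA fields as `else if` clauses at the tail so they fire only when none of the earlier fields is present.

```conf
filter {
  # Populate bytes transferred in the flow.
  # Existing clauses (assumed form): the legacy fields keep precedence.
  if [netflow][in_bytes] {
    mutate { rename => { "[netflow][in_bytes]" => "[netflow][bytes]" } }
  } else if [netflow][out_bytes] {
    mutate { rename => { "[netflow][out_bytes]" => "[netflow][bytes]" } }
  } else if [netflow][in_permanent_bytes] {
    mutate { rename => { "[netflow][in_permanent_bytes]" => "[netflow][bytes]" } }
  } else if [netflow][fwd_flow_delta_bytes] {
    # Cisco ASA fields sit at the tail: reached only when none of the fields
    # above was present, so records from other exporters are unchanged.
    mutate { rename => { "[netflow][fwd_flow_delta_bytes]" => "[netflow][bytes]" } }
  } else if [netflow][rev_flow_delta_bytes] {
    # Only reached when the forward delta is absent; when both are present the
    # forward clause wins and this field is left untouched on the event.
    mutate { rename => { "[netflow][rev_flow_delta_bytes]" => "[netflow][bytes]" } }
  }

  # Populate packets transferred in the flow.
  # Existing clauses (assumed field names in_pkts / out_pkts and target packets).
  if [netflow][in_pkts] {
    mutate { rename => { "[netflow][in_pkts]" => "[netflow][packets]" } }
  } else if [netflow][out_pkts] {
    mutate { rename => { "[netflow][out_pkts]" => "[netflow][packets]" } }
  } else if [netflow][initiatorPackets] {
    # ASA packet counters, else-if-joined at the tail for the same reason.
    mutate { rename => { "[netflow][initiatorPackets]" => "[netflow][packets]" } }
  } else if [netflow][responderPackets] {
    mutate { rename => { "[netflow][responderPackets]" => "[netflow][packets]" } }
  }
}
```

With this shape, an ASA record that carries both fwd_flow_delta_bytes and rev_flow_delta_bytes (the case described in the Support Summit comment) takes only the forward clause, so `[netflow][bytes]` holds one well-defined direction instead of whichever rename happened to run last, and a record that also carries in_bytes never reaches the ASA clauses at all.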
This pull request does not have a backport label. Could you fix it @toddferg? 🙏
Cisco ASA sends in fwd_flow_delta_bytes and rev_flow_delta_bytes for bytes, and initiatorPackets and responderPackets for packets. Just normalizing it.
Should fix logstash-plugins/logstash-codec-netflow#112