Updating the logstash configuration to handle asa #10001

toddferg · 2018-09-18T20:00:21Z

Cisco ASA sends in fwd_flow_delta_bytes and rev_flow_delta_bytes for bytes, and initiatorPackets and responderPackets for packets. Just normalizing it.

Should fix logstash-plugins/logstash-codec-netflow#112

Cisco ASA sends in fwd_flow_delta_bytes and rev_flow_delta_bytes for bytes, and initiatorPackets and responderPackets for packets. Just normalizing it.

yaauie

Thanks for the contribution 🎉

I've left a couple comments about fixing this up, mostly about ordering to ensure we don't change the behaviour of existing flows.

yaauie · 2018-09-18T22:49:19Z

modules/netflow/configuration/logstash/netflow.conf.erb

+                rename => { "[netflow][fwd_flow_delta_bytes]" => "[netflow][bytes]" }
+            }
+        }
+        if [netflow][rev_flow_delta_bytes] {


should be else if -- we don't want to overwrite the value unnecessarily if both are present.

yaauie · 2018-09-18T22:50:35Z

modules/netflow/configuration/logstash/netflow.conf.erb

@@ -182,6 +182,19 @@ filter {
        }

        # Populate bytes transferred in the flow.
+
+        if [netflow][fwd_flow_delta_bytes] {


In order to preserve behaviour when flow includes these values and one of the other values that could write [netflow][bytes], these should be added at the tail of the else if chain.

We should only take one of these paths after observing the absence of [netflow][in_bytes], [netflow][out_bytes], and [netflow][in_permanent_bytes].

IIRC, during Support Summit I handled a ticket where the user had extracted this pipeline and encountered this issue exactly (it may have been Todd's ticket). The Cisco ASA pcap showed that fwd_flow_delta_bytes and rev_flow_delta_bytes were both present and not necessary equal. Same with initiatorPackets, responderPackets, initiatorOctets and responderOctets

From a Cisco Community Support ticket

New fields 231 (initiatorOctets) and 232 (responderOctets) will replace field 85 (IN_PERMANENT_BYTES) along with real-time flow update support in 8.4(5) and later software. However, it may take a bit for third-party Netflow Collectors to pick up these new fields as they come from IPFIX rather than legacy Netflow V9 world.

See what Robert Cowart did here

yaauie · 2018-09-18T22:51:30Z

modules/netflow/configuration/logstash/netflow.conf.erb

@@ -206,6 +219,18 @@ filter {
        }

        # Populate packets transferred in the flow.
+        if [netflow][initiatorPackets] {


Similarly here, these two clauses should be else if-joined and should be at the tail of the else if chain.

Updating the logstash configuration to handle asa

72a6a6c

Cisco ASA sends in fwd_flow_delta_bytes and rev_flow_delta_bytes for bytes, and initiatorPackets and responderPackets for packets. Just normalizing it.

toddferg added modules NetFlow module labels Sep 18, 2018

yaauie requested changes Sep 18, 2018

View reviewed changes

roaksoax added the revisit label Mar 6, 2020

roaksoax added the status:changes-requested label Apr 5, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Updating the logstash configuration to handle asa #10001

Updating the logstash configuration to handle asa #10001

toddferg commented Sep 18, 2018

yaauie left a comment

yaauie Sep 18, 2018

yaauie Sep 18, 2018

guyboertje Sep 21, 2018

yaauie Sep 18, 2018

Updating the logstash configuration to handle asa #10001

Are you sure you want to change the base?

Updating the logstash configuration to handle asa #10001

Conversation

toddferg commented Sep 18, 2018

yaauie left a comment

Choose a reason for hiding this comment

yaauie Sep 18, 2018

Choose a reason for hiding this comment

yaauie Sep 18, 2018

Choose a reason for hiding this comment

guyboertje Sep 21, 2018

Choose a reason for hiding this comment

yaauie Sep 18, 2018

Choose a reason for hiding this comment