Key used to store Netflow v9 templates is not guaranteed to be unique per template #9
Comments
wrigby
changed the title
|
I'm fairly sure I did that when I initially wrote this filter^Wcodec. I think it's fairly easy to get a collision by just having two or more bits of identical hardware as they will probably use the same source ID. Also from my experience devices tend to start with a template ID of 256 and count up. However, if they're identical hardware chances are the templates will be identical also so you'll just play last-man-wins as and when they refresh their templates but I agree, the source IP should really be used as part of the hash key. |
|
@bodgit that's what I've seen in practice - all of our devices are exporting the same templates anyway, so it's a non-issue right now for my deployment. It's something I noticed when hacking on support for MPLS labels (#5), so I figured I would record it here for future reference in case it does end up biting someone. I think it may prompt some discussion about the right way for an input to pass metadata to a codec. |
Of course, when this was originally a filter it had access to the original event. That explains things. |
|
Ah, it makes much more sense now. I had a suspicion that was the case, given the comments that are in there. Thanks for the clarification! |
|
What have been the reasons to change this plugin from filter to codec? I couldn't find any through Google. Not having the source IP information available makes this codec ignore a "should" or "recommended" statement in the RFC. Currently, if you're unlucky enough to find yourself in a heterogeneous netflow environment, you cannot simple erect one Logstash instance, you're forced to create multiple individual Logstash instances to avoid netflow template collisions. I don't think we should settle for that, unless there are good reasons of course. |
|
I think it makes sense for it to be a codec, by the idealized definition of a codec and a filter (a codec being the component that deals with serializing/deserializing data to/from a wire protocol), but it unfortunately gets us into this ambiguous template key situation. From my naive point of view, I think the best solution may be to provide a mechanism in the logstash core for inputs to provide metadata to the codecs that are decoding their payloads. |
|
Ah yes ok that makes sense, thanks for your explanation. |
|
For easy reference: current issues (both open/closed) already in logstash repo that touch on codecs and/or metadata: elastic/logstash#3725: Split Codecs into Encoders and Decoders |
|
I've added commit jorritfolmer@fca329f7a2b4845020d26c925540851093ba61f1 to address this, as experienced in issue #21. Besides the above commit, it also requires a small patch to logstash-input-udp, to send metadata to the codec, as per #21 (comment): --- a/lib/logstash/inputs/udp.rb
+++ b/lib/logstash/inputs/udp.rb
@@ -30,6 +30,9 @@ class LogStash::Inputs::Udp < LogStash::Inputs::Base
# before packets will start dropping.
config :queue_size, :validate => :number, :default => 2000
+ # Should the event's metadata be included?
+ config :metadata, :validate => :boolean, :default => false
+
public
def initialize(params)
super
@@ -92,10 +95,21 @@ class LogStash::Inputs::Udp < LogStash::Inputs::Base
while true
payload, client = @input_to_worker.pop
- @codec.decode(payload) do |event|
- decorate(event)
- event["host"] ||= client[3]
- @output_queue.push(event)
+ if @metadata
+ metadata_to_codec = {}
+ metadata_to_codec["port"] = client[1]
+ metadata_to_codec["host"] = client[3]
+ @codec.decode(payload, metadata_to_codec) do |event|
+ decorate(event)
+ event["host"] ||= client[3]
+ @output_queue.push(event)
+ end
+ else
+ @codec.decode(payload) do |event|
+ decorate(event)
+ event["host"] ||= client[3]
+ @output_queue.push(event)
+ end
end
end
rescue => eand an extra metadata => true parameter to the logstash config like this: Feedback on this is more than welcome! |
|
Not sure how I missed all the work you put into this @jorritfolmer - looks great; I'll try to test it out in the next week. I came across elastic/logstash#4289, which proposes a similar fix. |
|
There has been an update to elastic/logstash#4289. With regard to the netflow codec needing packet metadata, I quote Guy Boertje from that thread:
|
|
Following up on the suggestion of @guyboertje, I've started with the transition from codec to logstash-input-netflow in the branch It works! There is still work to be done however in the rspec department, and we'll probably need to support more than udp only. |
|
@jorritfolmer - good news indeed. Ping me if you need any help. |
|
@jorritfolmer @guyboertje - Let me know if you guys need help, too. I'm a Ruby noob, but I definitely wouldn't mind helping out. Unfortunately, I'm at a different company now (outside of the telco space), so I don't have any test data anymore :( |
|
Small status update: I've finished work on logstash-input-netflow, which is waiting as a PR here However @jordansissel pointed out that this move to input plugin isn't necessary with the availability of something called Identiy Map Codec, which is meant to support a use-case like ours here, while keeping the netflow plugin a codec. I haven't had time to further dig into Identity Map Codec though. It will also require an update to logstash-input-udp. As I understand it, we should be passing src_ip+port as "identity" to the Identity Map Codec, which will clone a codec for each src_ip+port combination. This will take care of keeping Netflow templates separate and prevent template corruption and overwriting as is the case with e.g. issue #21. It seems we could copy paste identity_map_codec.rb from the logstash-codec-multiline, as it isn't available in the main Logstash repo. |
|
Great! This issue and issue #21 are gone with identity map codec. It doesn't require modifications to our codec, just a couple of lines in logstash-input-udp. I'll create a PR there next week or so. |
|
Update: This will be addressed in the migration to logstash-plugins/logstash-input-netflow#1. |
|
Hello, is there any update regarding this issue and any plans to release logstash-input-netflow? |
|
Issue is still there. |
|
I see udp.rb (v6.2) has changed so above metadata patch is no longer directly appliable. It worked with 5.5. So question is what is the status now with 6.2. Do we need meta-data? Please update front-page or readme.md the information how multi-ip-templates are to be made working |
|
hi, could you please provide metadata udp input patch also for 6.2 version ? |
I've found your patch for the more recent logstash udp.rb code and applied it to my platform (processing 2500 flows / sec) and it fixed all the bandwidth/pps and invalid protocol/incoherent data display (Mostly cisco environment, same models) for my environment. I'm running the latest github data dump in a docker... this clearly resolved the reporting from the 7609s and ASRs in my environment. Thanks a lot for this metadata patch man. This saved me from going bonkers. |
|
This issue will be addressed once the following PRs are merged and released for the... Logstash UDP Input: logstash-plugins/logstash-input-udp#46 |
|
Thank you @robcowart As always, your work is very appreciated. |
|
Are there any News on this? Both referenced PRs are closed but not merged. |
This is a bit of an obscure one, and I don't know that it's actually causing anyone problems in production. I think it's very minor, but wanted to get it recorded somewhere and start a discussion in case it needs changing.
When NetFlow v9 template records come in, they're stored in a hash, with the key being a concatenation of the NetFlow Source ID field and the Template ID. (see https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow.rb#L144-L146)
However, the NetFlow spec states that NetFlow collectors should use the combination of the Source ID field and the IP address of the flow exporter:
(from RFC 3954)
(from Cisco's NetFlow v9 documentation) (emphasis added for clarity)
The text was updated successfully, but these errors were encountered: