Add Netflow integration 0.0.2 #338
Conversation
There was a problem hiding this comment.
This looks like a great start. To make this easier to review and faster to iterate I suggest the following: Open 2 separate PR's for cisco and netflow. And for each, lets get a very basic version in first, meaning for example only have a single dataset inside that only supports one input and then start iterating on it? This should allow us to move quicker.
dev/packages/example/cisco-1.0.0/dataset/asa/filebeat/config/input.yml
Outdated
Show resolved
Hide resolved
dev/packages/example/cisco-1.0.0/dataset/asa/filebeat/config/input.yml
Outdated
Show resolved
Hide resolved
dev/packages/example/cisco-1.0.0/dataset/asa/filebeat/module.yml
Outdated
Show resolved
Hide resolved
dev/packages/example/cisco-1.0.0/dataset/asa/agent/input/input.yml
Outdated
Show resolved
Hide resolved
dev/packages/example/cisco-1.0.0/dataset/ftd/agent/input/input.yml
Outdated
Show resolved
Hide resolved
dev/packages/example/netflow-1.0.0/dataset/log/agent/input/input.yml
Outdated
Show resolved
Hide resolved
|
Did you use the import-beats script? |
Yes, but I had to make changes according to the coredns package, which @ruflin asked me to follow. I will give it a try end-to-end once the fleet function is working in ingest manager. It was crashing Kibana when I tried it last time. |
When you notice that it crashed or generated dashboards in a wrong way, please open an issue and bring samples. It will help improve the generating process. |
| @@ -0,0 +1,14 @@ | |||
| {{#if input == "syslog"}} | |||
There was a problem hiding this comment.
What's the templating language used in these files?
@ruflin I think it would be nice to use the appropriate file extension for the template type (e.g. .erb, .j2, .mustache) to make it clear to editors (both the people and the tools).
There was a problem hiding this comment.
It is handlebars (reminds me off https://github.com/elastic/package-registry/issues/179). And the above is actually not valid handlebars :-( Having support for 2 inputs is coming here: #346
I agree we should probably adjust the file extension to make it better for the tooling. If we do, I wonder if we should the same for ingest pipeline files which reference an other pipeline. The challenge I see here is that 99% of the pipelines don't use it but a very few do. Does this still mean all should have to have a handlebars suffix or do we just check for both files?
There was a problem hiding this comment.
I think it would be easier if files that use templating had an extension that indicates it. Then when writing the code that uses the modules you know when you need to preprocess the file, and then you don't need to guess or unnecessarily preprocess every file like we do today in Beats.
There was a problem hiding this comment.
I wonder if supporting both types and not process would complicate the code? What is your concern about processing files that don't need processing?
There was a problem hiding this comment.
My concern is that you need to make sure you haven't used content that requires escaping in the templating language. So if you don't need those features you just call the file config.yml instead of config.yml.handlebars. Hopefully that isn't too much of issue in most files. Maybe we just process all files through the template engine for now, but put the template extension on them now.
I'd just be happy if my editor could easily recognize that these are template type X and recommend the appropriate plugin. 😄
There was a problem hiding this comment.
Should we go with config.yml.hbs or config.hbs? I skiped handlebars as it is very long and .hbs seems to work at least in my IDE too. I kind of like the two suffix so the end goal format is also in there.
There was a problem hiding this comment.
@ruflin if this is an update to the format of package, please open an issue in the repository for adjusting all packages.
There was a problem hiding this comment.
I introduced the .yml.hbs naming in this PR: #380
There was a problem hiding this comment.
@mtojek thanks for taking care of it. I assume this make the issue obsolete.
alakahakai
changed the title
|
Made this for netflow only. Will open another one for cisco. |
|
@alakahakai Let me know when it's ready for review. |
alakahakai
changed the title
| max_message_size: '{{this.max_message_size}}' | ||
| expiration_timeout: '{{this.expiration_timeout}}' | ||
| queue_size: {{this.queue_size}} | ||
| {{#if this.timeout}} |
There was a problem hiding this comment.
I'm stumbling over the this here. @mtojek do you know if this is necessary?
There was a problem hiding this comment.
This is already fixed, even though both forms (with/without this) are correct.
The previous implementation of processing stream configuration left this for consistency. If you upgrade to the new implementation, you will see a better formed file: https://github.com/elastic/package-registry/blob/master/dev/packages/beats/netflow-0.0.1/dataset/log/agent/stream/netflow.yml.hbs
| @@ -0,0 +1,3141 @@ | |||
| - name: '@timestamp' | |||
There was a problem hiding this comment.
Does this only contain the fields that are used by this dataset or is this all of ECS? The goal should be to only have the fields in here that are actually used.
There was a problem hiding this comment.
So using the netflow module as an example the fields consist of:
- some base filebeat fields that may not be in ECS (like input.type)
- all filebeat netflow input fields (some 400+ fields)
- a subset of ECS namespaces (like
agent,source,destination,network,event)
Very few of these fields are something that the module actually creates. This module basically brings together Filebeat with an Ingest Node pipeline to add geo location and autonomous system numbers. So keeping this module updated will be a lot of work. And since it depends on Filebeat's fields, this template will vary based on the Filebeat version.
So I wonder if it would be possible to list some dependent templates in addition to custom fields created by a module to create a composite. Like saying that for this module it depends on
- filebeat $automatic_version | include_namespaces(agent | netflow | input.type | source | destination)
- ECS 1.4 | include_namespaces(source | destination)
There was a problem hiding this comment.
@andrewkroh Nice diagram!
v2 Elasticsearch templates support components and one of the reasons we pushed for this is exactly the above problem. So long term, I'm pretty sure we will support this. Short term, I think we should get this into the development process. The current plan is to use the integrations repository for the development of the packages. There you could even use sysmlinks or whatever reference you need to in the end build the final package with all the files you need for the above. This keeps the final package simple for now.
I was not aware that netflow has 400+ fields (sounds like a lot) so in this case, the template will be pretty big in any case. Good news it is only the netflow template and does not affect anything else. Also it shouldn't be a problem if we have too many fields right now and later optimise as during update, the template will be overwritten.
There was a problem hiding this comment.
Yeah, I think some symlinks could accomplish this. Does the current module more allow for more than one fields file?
There was a problem hiding this comment.
you can have as many as you want as long as they end in .yml and are in the correct directory.
dev/packages/alpha/netflow-0.0.2/kibana/dashboard/34e26884-161a-4448-9556-43b5bf2f62a2.json
Outdated
Show resolved
Hide resolved
💚 Build Succeeded
Expand to view the summary
Build stats
|
|
Here are some spottings on my side:
|
This PR adds the Netflow integration as a replacement of the Filebeat netflow module.
Here are some screenshots of the ingest manager UI.