Create input plugin for Cisco Netflow #140

megastef opened this issue Sep 27, 2018 · 10 comments

@megastef
Contributor

Monitoring Cisco router traffic with Netflow: https://github.com/delian/node-netflowv9

@skprabhanjan

Can I work on this issue?
A starter for this would be really helpful :)

@megastef
Contributor Author

megastef commented Oct 8, 2018

Yes. Once you have test data it would be nice to share (e.g. as a JSON file to simulate tests). You can find input plugin examples here:
https://github.com/sematext/logagent-js/tree/master/lib/plugins/input

See e.g. the TCP input plugin.
Docs: https://sematext.com/docs/logagent/input-plugin-tcp/
Source code: https://github.com/sematext/logagent-js/blob/master/lib/plugins/input/tcp.js
The key functions are here:

  1. A constructor with config and eventEmitter as parameters:

```js
function InputNetflow (config, eventEmitter) {
  this.eventEmitter = eventEmitter
  this.config = config
}
```

  2. A start and stop function for the plugin.

```js
InputNetflow.prototype.start = function () {
  if (!this.started) {
    this.createServer()
    this.started = true
  }
}

InputNetflow.prototype.stop = function (cb) {
  this.server.close(cb)
}
```

  3. Received data should be emitted as a JSON string as a "raw" event, including a "context" object with log source metadata. The context object should include a "sourceName" to identify the log source.

```js
var context = { name: 'input.netflow', sourceName: self.config.sourceName || socket.remoteAddress + ':' + socket.remotePort, serverPort: self.config.port }
self.eventEmitter.emit('data.raw', fastSafeStringify(data), context)
```

An alternative would be to use 'data.parsed' events - but then input-filter plugins would be skipped, and no need for JSON serialisation/deserialisation.

```js
self.eventEmitter.emit('data.parsed', data, context)
```

Once the plugin is working you could create an alias for the module loading like this one:
https://github.com/sematext/logagent-js/blob/master/bin/logagent.js#L36

And add documentation to the documentation (but we can help with it as well):
https://github.com/sematext/docs/tree/master/docs/logagent
If you like we can create a Hacktoberfest task for it in sematext/docs too.
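
The plugin contract described in the comment above, as an added example that is not part of the original thread or of logagent-js. It goes beyond the comment by hand-parsing fixed-format NetFlow v5 datagrams instead of using the node-netflowv9 library, and it checks the sender-controlled record count against the bytes actually received before reading any record; `parseNetflowV5`, `onMessage` and the `bindAddress` config key are assumed names.

```javascript
// Added example (not logagent-js code): NetFlow v5 over UDP behind the plugin contract.
const HEADER_LEN = 24, RECORD_LEN = 48, MAX_RECORDS = 30 // v5: at most 30 flows per datagram
const ip = (buf, off) => Array.from(buf.subarray(off, off + 4)).join('.')

// Returns an array of flows, or null when the datagram is not well-formed v5.
function parseNetflowV5 (buf) {
  if (!Buffer.isBuffer(buf) || buf.length < HEADER_LEN) return null
  if (buf.readUInt16BE(0) !== 5) return null
  const count = buf.readUInt16BE(2)
  // The count field is sender-controlled: it must match the bytes received.
  if (count === 0 || count > MAX_RECORDS) return null
  if (buf.length !== HEADER_LEN + count * RECORD_LEN) return null
  const exportTime = new Date(buf.readUInt32BE(8) * 1000).toISOString()
  const flows = []
  for (let i = 0; i < count; i++) {
    const o = HEADER_LEN + i * RECORD_LEN
    flows.push({
      exportTime,
      srcAddr: ip(buf, o),
      dstAddr: ip(buf, o + 4),
      packets: buf.readUInt32BE(o + 16),
      bytes: buf.readUInt32BE(o + 20),
      srcPort: buf.readUInt16BE(o + 32),
      dstPort: buf.readUInt16BE(o + 34),
      protocol: buf.readUInt8(o + 38)
    })
  }
  return flows
}

function InputNetflow (config, eventEmitter) {
  this.config = config
  this.eventEmitter = eventEmitter
}
// Emits one 'data.raw' event per flow (so input filters still run); returns the flow count.
InputNetflow.prototype.onMessage = function (msg, rinfo) {
  const flows = parseNetflowV5(msg) || [] // malformed datagrams are dropped
  const sourceName = this.config.sourceName || rinfo.address + ':' + rinfo.port
  const context = { name: 'input.netflow', sourceName, serverPort: this.config.port }
  flows.forEach((f) => this.eventEmitter.emit('data.raw', JSON.stringify(f), context))
  return flows.length
}
InputNetflow.prototype.start = function () {
  if (this.started) return
  this.server = require('dgram').createSocket('udp4') // required here, not at load time
  this.server.on('message', (msg, rinfo) => this.onMessage(msg, rinfo))
  this.server.bind(this.config.port, this.config.bindAddress)
  this.started = true
}
InputNetflow.prototype.stop = function (cb) { if (this.server) this.server.close(cb) }
```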

@otisg
Member

otisg commented Oct 22, 2018

@skprabhanjan Do you still intend to work on this?

@skprabhanjan

@otisg, sorry for the delay. I will try to work on this, but if someone else is willing then they can work on this and submit a PR.
Thanks :)

@Khodesaeed

@otisg Can I start working on this issue?

@otisg
Member

otisg commented Dec 3, 2021

@Khodesaeed Certainly, thanks!

@Khodesaeed

Hi,
I've managed to receive netflow packets and store them in file, elasticsearch, and opensearch outputs via this package.
I need someone to review my code. Do I have to open a pull request? @otisg

@otisg
Member

otisg commented Dec 20, 2021

Sounds good. Would be great to have some tests included, too.

@Khodesaeed

I'll work on it. @otisg

@Khodesaeed

#294
