From e4e56ad70f61c87f51d06482fa931219a424f19a Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 1 Mar 2019 12:12:27 +0100 Subject: [PATCH] [Filebeat] [Netflow] fix field name conversion to snake case (#10950) Original field name conversion was buggy. (cherry picked from commit 85e470e8796f0f4b5798cc1f781af4f84f1c78b5) --- x-pack/filebeat/input/netflow/case.go | 24 +-- x-pack/filebeat/input/netflow/case_test.go | 36 +++++ ...IPFIX-Mikrotik-RouterOS-6.39.2.golden.json | 112 ++++++------- .../IPFIX-YAF-basic-with-applabel.golden.json | 8 +- .../IPFIX-vIPtela-with-VPN-id.golden.json | 2 +- .../golden/Netflow-9-Cisco-ASA-2.golden.json | 152 +++++++++--------- ...-9-Fortigate-FortiOS-54x-appid.golden.json | 72 ++++----- ...9-H3C-Netstream-with-varstring.golden.json | 2 +- 8 files changed, 225 insertions(+), 183 deletions(-) create mode 100644 x-pack/filebeat/input/netflow/case_test.go diff --git a/x-pack/filebeat/input/netflow/case.go b/x-pack/filebeat/input/netflow/case.go index 2dae04b4a0b..9a6e5f65954 100644 --- a/x-pack/filebeat/input/netflow/case.go +++ b/x-pack/filebeat/input/netflow/case.go @@ -14,7 +14,12 @@ import ( ) var fieldNameConverter = caseConverter{ - conversion: make(map[string]string), + conversion: map[string]string{ + // Special handled fields + + // VRFname should be VRFName + "VRFname": "vrf_name", + }, } type caseConverter struct { @@ -50,24 +55,24 @@ func (c *caseConverter) ToSnakeCase(orig record.Map) common.MapStr { // format. This function is tailored to some specifics of NetFlow field names. // Don't reuse it. func CamelCaseToSnakeCase(in string) string { - // Lowercase those few fields that are already snake-cased + // skip those few fields that are already snake-cased if strings.ContainsRune(in, '_') { return strings.ToLower(in) } out := make([]rune, 0, len(in)+4) runes := []rune(in) - upperStrike := 1 - for pos, r := range runes { + upperCount := 1 + for _, r := range runes { lr := unicode.ToLower(r) isUpper := lr != r if isUpper { - if upperStrike == 0 { + if upperCount == 0 { out = append(out, '_') } - upperStrike++ + upperCount++ } else { - if upperStrike > 2 { + if upperCount > 2 { // Some magic here: // NetFlow usually lowercases all but the first letter of an // acronym (Icmp) Except when it is 2 characters long: (IP). @@ -77,9 +82,10 @@ func CamelCaseToSnakeCase(in string) string { // postNATSourceIPv4Address : post_nat_source_ipv4_address // selectorIDTotalFlowsObserved : selector_id_total_flows_... out = append(out, '_') - out[pos], out[pos-1] = out[pos-1], out[pos] + n := len(out) - 1 + out[n], out[n-1] = out[n-1], out[n] } - upperStrike = 0 + upperCount = 0 } out = append(out, lr) } diff --git a/x-pack/filebeat/input/netflow/case_test.go b/x-pack/filebeat/input/netflow/case_test.go new file mode 100644 index 00000000000..b7faf8925f7 --- /dev/null +++ b/x-pack/filebeat/input/netflow/case_test.go @@ -0,0 +1,36 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package netflow + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestCamelCaseToSnakeCase(t *testing.T) { + for _, testCase := range [][2]string{ + {"aBCDe", "a_bc_de"}, + {"postNATSourceIPv4Address", "post_nat_source_ipv4_address"}, + {"selectorIDTotalFlowsObserved", "selector_id_total_flows_observed"}, + {"engineId", "engine_id"}, + {"samplerRandomInterval", "sampler_random_interval"}, + {"dot1qVlanId", "dot1q_vlan_id"}, + {"messageMD5Checksum", "message_md5_checksum"}, + {"hashIPPayloadSize", "hash_ip_payload_size"}, + {"upperCILimit", "upper_ci_limit"}, + {"virtualStationUUID", "virtual_station_uuid"}, + {"selectorIDTotalFlowsObserved", "selector_id_total_flows_observed"}, + {"postMCastLayer2OctetDeltaCount", "post_mcast_layer2_octet_delta_count"}, + {"IPSecSPI", "ip_sec_spi"}, + {"VRFname", "vrf_name"}, + } { + s, found := fieldNameConverter.conversion[testCase[0]] + if !found { + s = CamelCaseToSnakeCase(testCase[0]) + } + assert.Equal(t, testCase[1], s) + } +} diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json index cd9e0a43d3e..7480a6cac8c 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json @@ -38,8 +38,8 @@ "ip_version": 4, "octet_delta_count": 152, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "192.168.128.17", - "post_nast_ource_ipv4_address": "192.168.230.216", + "post_nat_destination_ipv4_address": "192.168.128.17", + "post_nat_source_ipv4_address": "192.168.230.216", "protocol_identifier": 17, "source_ipv4_address": "10.10.8.197", "source_transport_port": 123, @@ -102,8 +102,8 @@ "ip_version": 4, "octet_delta_count": 502, "packet_delta_count": 8, - "post_nadt_estination_ipv4_address": "10.10.6.11", - "post_nast_ource_ipv4_address": "192.168.35.143", + "post_nat_destination_ipv4_address": "10.10.6.11", + "post_nat_source_ipv4_address": "192.168.35.143", "protocol_identifier": 6, "source_ipv4_address": "192.168.35.143", "source_transport_port": 46518, @@ -166,8 +166,8 @@ "ip_version": 4, "octet_delta_count": 2233, "packet_delta_count": 8, - "post_nadt_estination_ipv4_address": "192.168.35.143", - "post_nast_ource_ipv4_address": "192.168.230.216", + "post_nat_destination_ipv4_address": "192.168.35.143", + "post_nat_source_ipv4_address": "192.168.230.216", "protocol_identifier": 6, "source_ipv4_address": "10.10.6.11", "source_transport_port": 80, @@ -230,8 +230,8 @@ "ip_version": 4, "octet_delta_count": 152, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "10.10.8.197", - "post_nast_ource_ipv4_address": "192.168.128.17", + "post_nat_destination_ipv4_address": "10.10.8.197", + "post_nat_source_ipv4_address": "192.168.128.17", "protocol_identifier": 17, "source_ipv4_address": "192.168.128.17", "source_transport_port": 123, @@ -294,8 +294,8 @@ "ip_version": 4, "octet_delta_count": 79724, "packet_delta_count": 57, - "post_nadt_estination_ipv4_address": "172.20.5.191", - "post_nast_ource_ipv4_address": "10.10.8.220", + "post_nat_destination_ipv4_address": "172.20.5.191", + "post_nat_source_ipv4_address": "10.10.8.220", "protocol_identifier": 6, "source_ipv4_address": "10.10.8.220", "source_transport_port": 80, @@ -358,8 +358,8 @@ "ip_version": 4, "octet_delta_count": 161, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "172.20.4.1", - "post_nast_ource_ipv4_address": "172.20.4.199", + "post_nat_destination_ipv4_address": "172.20.4.1", + "post_nat_source_ipv4_address": "172.20.4.199", "protocol_identifier": 17, "source_ipv4_address": "172.20.4.199", "source_transport_port": 10240, @@ -422,8 +422,8 @@ "ip_version": 4, "octet_delta_count": 245, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "172.20.4.199", - "post_nast_ource_ipv4_address": "172.20.4.1", + "post_nat_destination_ipv4_address": "172.20.4.199", + "post_nat_source_ipv4_address": "172.20.4.1", "protocol_identifier": 17, "source_ipv4_address": "172.20.4.1", "source_transport_port": 53, @@ -486,8 +486,8 @@ "ip_version": 4, "octet_delta_count": 504, "packet_delta_count": 6, - "post_nadt_estination_ipv4_address": "10.10.8.34", - "post_nast_ource_ipv4_address": "172.20.4.30", + "post_nat_destination_ipv4_address": "10.10.8.34", + "post_nat_source_ipv4_address": "172.20.4.30", "protocol_identifier": 1, "source_ipv4_address": "172.20.4.30", "source_transport_port": 0, @@ -550,8 +550,8 @@ "ip_version": 4, "octet_delta_count": 784, "packet_delta_count": 6, - "post_nadt_estination_ipv4_address": "172.20.4.30", - "post_nast_ource_ipv4_address": "10.10.8.105", + "post_nat_destination_ipv4_address": "172.20.4.30", + "post_nat_source_ipv4_address": "10.10.8.105", "protocol_identifier": 6, "source_ipv4_address": "10.10.8.105", "source_transport_port": 22, @@ -614,8 +614,8 @@ "ip_version": 4, "octet_delta_count": 433, "packet_delta_count": 8, - "post_nadt_estination_ipv4_address": "10.10.8.105", - "post_nast_ource_ipv4_address": "172.20.4.30", + "post_nat_destination_ipv4_address": "10.10.8.105", + "post_nat_source_ipv4_address": "172.20.4.30", "protocol_identifier": 6, "source_ipv4_address": "172.20.4.30", "source_transport_port": 59571, @@ -678,8 +678,8 @@ "ip_version": 4, "octet_delta_count": 196, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "192.168.183.199", - "post_nast_ource_ipv4_address": "192.168.230.216", + "post_nat_destination_ipv4_address": "192.168.183.199", + "post_nat_source_ipv4_address": "192.168.230.216", "protocol_identifier": 6, "source_ipv4_address": "10.10.7.11", "source_transport_port": 48378, @@ -742,8 +742,8 @@ "ip_version": 4, "octet_delta_count": 206, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "10.10.7.11", - "post_nast_ource_ipv4_address": "192.168.183.199", + "post_nat_destination_ipv4_address": "10.10.7.11", + "post_nat_source_ipv4_address": "192.168.183.199", "protocol_identifier": 6, "source_ipv4_address": "192.168.183.199", "source_transport_port": 6667, @@ -806,8 +806,8 @@ "ip_version": 4, "octet_delta_count": 504, "packet_delta_count": 6, - "post_nadt_estination_ipv4_address": "172.20.4.30", - "post_nast_ource_ipv4_address": "10.10.8.34", + "post_nat_destination_ipv4_address": "172.20.4.30", + "post_nat_source_ipv4_address": "10.10.8.34", "protocol_identifier": 1, "source_ipv4_address": "10.10.8.34", "source_transport_port": 0, @@ -870,8 +870,8 @@ "ip_version": 4, "octet_delta_count": 3539, "packet_delta_count": 58, - "post_nadt_estination_ipv4_address": "10.10.8.220", - "post_nast_ource_ipv4_address": "172.20.5.191", + "post_nat_destination_ipv4_address": "10.10.8.220", + "post_nat_source_ipv4_address": "172.20.5.191", "protocol_identifier": 6, "source_ipv4_address": "172.20.5.191", "source_transport_port": 42502, @@ -934,8 +934,8 @@ "ip_version": 4, "octet_delta_count": 495, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "172.20.4.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "172.20.4.1", "protocol_identifier": 17, "source_ipv4_address": "172.20.4.1", "source_transport_port": 33332, @@ -998,8 +998,8 @@ "ip_version": 4, "octet_delta_count": 330, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "172.20.4.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "172.20.4.1", "protocol_identifier": 17, "source_ipv4_address": "172.20.4.1", "source_transport_port": 33332, @@ -1062,8 +1062,8 @@ "ip_version": 4, "octet_delta_count": 435, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "172.30.0.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "172.30.0.1", "protocol_identifier": 17, "source_ipv4_address": "172.30.0.1", "source_transport_port": 53298, @@ -1126,8 +1126,8 @@ "ip_version": 4, "octet_delta_count": 290, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "172.30.0.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "172.30.0.1", "protocol_identifier": 17, "source_ipv4_address": "172.30.0.1", "source_transport_port": 53298, @@ -1190,8 +1190,8 @@ "ip_version": 4, "octet_delta_count": 495, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.6.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.6.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.6.1", "source_transport_port": 48172, @@ -1254,8 +1254,8 @@ "ip_version": 4, "octet_delta_count": 330, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.6.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.6.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.6.1", "source_transport_port": 48172, @@ -1318,8 +1318,8 @@ "ip_version": 4, "octet_delta_count": 495, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.7.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.7.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.7.1", "source_transport_port": 48935, @@ -1382,8 +1382,8 @@ "ip_version": 4, "octet_delta_count": 330, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.7.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.7.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.7.1", "source_transport_port": 48935, @@ -1446,8 +1446,8 @@ "ip_version": 4, "octet_delta_count": 495, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.8.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.8.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.8.1", "source_transport_port": 51931, @@ -1510,8 +1510,8 @@ "ip_version": 4, "octet_delta_count": 330, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.8.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.8.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.8.1", "source_transport_port": 51931, @@ -1574,8 +1574,8 @@ "ip_version": 4, "octet_delta_count": 495, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.20.0.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.20.0.1", "protocol_identifier": 17, "source_ipv4_address": "10.20.0.1", "source_transport_port": 43454, @@ -1638,8 +1638,8 @@ "ip_version": 4, "octet_delta_count": 330, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.20.0.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.20.0.1", "protocol_identifier": 17, "source_ipv4_address": "10.20.0.1", "source_transport_port": 43454, @@ -1702,8 +1702,8 @@ "ip_version": 4, "octet_delta_count": 495, "packet_delta_count": 3, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.10.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.10.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.10.1", "source_transport_port": 52837, @@ -1766,8 +1766,8 @@ "ip_version": 4, "octet_delta_count": 330, "packet_delta_count": 2, - "post_nadt_estination_ipv4_address": "255.255.255.255", - "post_nast_ource_ipv4_address": "10.10.10.1", + "post_nat_destination_ipv4_address": "255.255.255.255", + "post_nat_source_ipv4_address": "10.10.10.1", "protocol_identifier": 17, "source_ipv4_address": "10.10.10.1", "source_transport_port": 52837, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json index fcef511833e..d0625a1730b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json @@ -108,26 +108,26 @@ "flow_end_milliseconds": "2016-12-25T12:58:34.347Z", "flow_end_reason": 3, "flow_start_milliseconds": "2016-12-25T12:58:33.345Z", - "initial_tcfp_lags": 194, + "initial_tcp_flags": 194, "ip_class_of_service": 2, "octet_total_count": 172, "packet_total_count": 4, "protocol_identifier": 6, "reverse_flow_attributes": 0, "reverse_flow_delta_milliseconds": 0, - "reverse_initial_tpcf_lags": 18, + "reverse_initial_tcp_flags": 18, "reverse_ip_class_of_service": 0, "reverse_octet_total_count": 92, "reverse_packet_total_count": 2, "reverse_tcp_sequence_number": 3788795034, - "reverse_union_tpcf_lags": 17, + "reverse_union_tcp_flags": 17, "reverse_vlan_id": 0, "silk_app_label": 0, "source_ipv4_address": "172.16.32.100", "source_transport_port": 63499, "tcp_sequence_number": 340533701, "type": "netflow_flow", - "union_tcfp_lags": 17, + "union_tcp_flags": 17, "vlan_id": 0 }, "network": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json index 11728b2bd1c..da9bef387f2 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-vIPtela-with-VPN-id.golden.json @@ -52,7 +52,7 @@ "source_transport_port": 41717, "tcp_control_bits": 16, "type": "netflow_flow", - "viptela_vpin_d": 100 + "viptela_vpn_id": 100 }, "network": { "bytes": 775, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json index c7367af09ee..dfc1898f1e4 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json @@ -39,10 +39,10 @@ "ingress_interface": 3, "initiator_octets": 81, "observation_time_milliseconds": "2016-07-21T13:50:33.015Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61775, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61775, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "responder_octets": 763, "source_ipv4_address": "192.168.0.2", @@ -104,10 +104,10 @@ "ingress_interface": 3, "initiator_octets": 81, "observation_time_milliseconds": "2016-07-21T13:50:33.035Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61776, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61776, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "responder_octets": 6207, "source_ipv4_address": "192.168.0.2", @@ -169,10 +169,10 @@ "ingress_interface": 3, "initiator_octets": 81, "observation_time_milliseconds": "2016-07-21T13:50:33.035Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61776, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61776, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "responder_octets": 6207, "source_ipv4_address": "192.168.0.2", @@ -234,10 +234,10 @@ "ingress_interface": 3, "initiator_octets": 81, "observation_time_milliseconds": "2016-07-21T13:50:33.115Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56635, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56635, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 9075, "source_ipv4_address": "192.168.0.1", @@ -299,10 +299,10 @@ "ingress_interface": 3, "initiator_octets": 81, "observation_time_milliseconds": "2016-07-21T13:50:33.115Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56635, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56635, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 9075, "source_ipv4_address": "192.168.0.1", @@ -364,10 +364,10 @@ "ingress_interface": 3, "initiator_octets": 81, "observation_time_milliseconds": "2016-07-21T13:50:33.185Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61773, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61773, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "responder_octets": 5536, "source_ipv4_address": "192.168.0.2", @@ -429,10 +429,10 @@ "ingress_interface": 3, "initiator_octets": 81, "observation_time_milliseconds": "2016-07-21T13:50:33.185Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61773, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61773, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "responder_octets": 5536, "source_ipv4_address": "192.168.0.2", @@ -493,10 +493,10 @@ "icmp_type_ipv4": 0, "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:33.385Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56649, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56649, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "source_ipv4_address": "192.168.0.1", "source_transport_port": 56649, @@ -557,10 +557,10 @@ "ingress_interface": 3, "initiator_octets": 69, "observation_time_milliseconds": "2016-07-21T13:50:33.475Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56649, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56649, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 14179, "source_ipv4_address": "192.168.0.1", @@ -622,10 +622,10 @@ "ingress_interface": 3, "initiator_octets": 69, "observation_time_milliseconds": "2016-07-21T13:50:33.475Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56649, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56649, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 14179, "source_ipv4_address": "192.168.0.1", @@ -686,10 +686,10 @@ "icmp_type_ipv4": 0, "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:35.035Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61777, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61777, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "source_ipv4_address": "192.168.0.2", "source_transport_port": 61777, @@ -750,10 +750,10 @@ "ingress_interface": 3, "initiator_octets": 69, "observation_time_milliseconds": "2016-07-21T13:50:35.125Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61777, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61777, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "responder_octets": 14178, "source_ipv4_address": "192.168.0.2", @@ -815,10 +815,10 @@ "ingress_interface": 3, "initiator_octets": 69, "observation_time_milliseconds": "2016-07-21T13:50:35.125Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 61777, - "post_nast_ource_ipv4_address": "192.168.0.2", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 61777, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.2", "protocol_identifier": 6, "responder_octets": 14178, "source_ipv4_address": "192.168.0.2", @@ -879,10 +879,10 @@ "icmp_type_ipv4": 0, "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:35.785Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56650, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56650, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "source_ipv4_address": "192.168.0.1", "source_transport_port": 56650, @@ -943,10 +943,10 @@ "ingress_interface": 3, "initiator_octets": 75, "observation_time_milliseconds": "2016-07-21T13:50:35.925Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56650, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56650, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 881, "source_ipv4_address": "192.168.0.1", @@ -1008,10 +1008,10 @@ "ingress_interface": 3, "initiator_octets": 75, "observation_time_milliseconds": "2016-07-21T13:50:35.925Z", - "post_nadt_estination_ipv4_address": "192.168.0.17", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56650, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56650, + "post_nat_destination_ipv4_address": "192.168.0.17", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 881, "source_ipv4_address": "192.168.0.1", @@ -1072,10 +1072,10 @@ "icmp_type_ipv4": 0, "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:36.395Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56651, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56651, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "source_ipv4_address": "192.168.0.1", "source_transport_port": 56651, @@ -1136,10 +1136,10 @@ "ingress_interface": 3, "initiator_octets": 69, "observation_time_milliseconds": "2016-07-21T13:50:36.495Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56651, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56651, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 14178, "source_ipv4_address": "192.168.0.1", @@ -1201,10 +1201,10 @@ "ingress_interface": 3, "initiator_octets": 69, "observation_time_milliseconds": "2016-07-21T13:50:36.495Z", - "post_nadt_estination_ipv4_address": "192.168.0.18", - "post_napdt_estination_transport_port": 80, - "post_napst_ource_transport_port": 56651, - "post_nast_ource_ipv4_address": "192.168.0.1", + "post_napt_destination_transport_port": 80, + "post_napt_source_transport_port": 56651, + "post_nat_destination_ipv4_address": "192.168.0.18", + "post_nat_source_ipv4_address": "192.168.0.1", "protocol_identifier": 6, "responder_octets": 14178, "source_ipv4_address": "192.168.0.1", diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json index 4b75f30ad61..744c383b78a 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json @@ -42,10 +42,10 @@ "ingress_interface": 8, "octet_delta_count": 748, "packet_delta_count": 6, - "post_nadt_estination_ipv4_address": "0.0.0.0", - "post_napdt_estination_transport_port": 0, - "post_napst_ource_transport_port": 45380, - "post_nast_ource_ipv4_address": "10.0.0.250", + "post_napt_destination_transport_port": 0, + "post_napt_source_transport_port": 45380, + "post_nat_destination_ipv4_address": "0.0.0.0", + "post_nat_source_ipv4_address": "10.0.0.250", "post_octet_delta_count": 748, "post_packet_delta_count": 6, "protocol_identifier": 6, @@ -113,10 +113,10 @@ "ingress_interface": 2, "octet_delta_count": 6948, "packet_delta_count": 10, - "post_nadt_estination_ipv4_address": "10.0.0.250", - "post_napdt_estination_transport_port": 44778, - "post_napst_ource_transport_port": 0, - "post_nast_ource_ipv4_address": "0.0.0.0", + "post_napt_destination_transport_port": 44778, + "post_napt_source_transport_port": 0, + "post_nat_destination_ipv4_address": "10.0.0.250", + "post_nat_source_ipv4_address": "0.0.0.0", "post_octet_delta_count": 6948, "post_packet_delta_count": 10, "protocol_identifier": 6, @@ -184,10 +184,10 @@ "ingress_interface": 8, "octet_delta_count": 1584, "packet_delta_count": 14, - "post_nadt_estination_ipv4_address": "0.0.0.0", - "post_napdt_estination_transport_port": 0, - "post_napst_ource_transport_port": 44778, - "post_nast_ource_ipv4_address": "10.0.0.250", + "post_napt_destination_transport_port": 0, + "post_napt_source_transport_port": 44778, + "post_nat_destination_ipv4_address": "0.0.0.0", + "post_nat_source_ipv4_address": "10.0.0.250", "post_octet_delta_count": 1584, "post_packet_delta_count": 14, "protocol_identifier": 6, @@ -255,10 +255,10 @@ "ingress_interface": 2, "octet_delta_count": 8201, "packet_delta_count": 11, - "post_nadt_estination_ipv4_address": "10.0.0.250", - "post_napdt_estination_transport_port": 50618, - "post_napst_ource_transport_port": 0, - "post_nast_ource_ipv4_address": "0.0.0.0", + "post_napt_destination_transport_port": 50618, + "post_napt_source_transport_port": 0, + "post_nat_destination_ipv4_address": "10.0.0.250", + "post_nat_source_ipv4_address": "0.0.0.0", "post_octet_delta_count": 8201, "post_packet_delta_count": 11, "protocol_identifier": 6, @@ -326,10 +326,10 @@ "ingress_interface": 8, "octet_delta_count": 1729, "packet_delta_count": 15, - "post_nadt_estination_ipv4_address": "0.0.0.0", - "post_napdt_estination_transport_port": 0, - "post_napst_ource_transport_port": 50618, - "post_nast_ource_ipv4_address": "10.0.0.250", + "post_napt_destination_transport_port": 0, + "post_napt_source_transport_port": 50618, + "post_nat_destination_ipv4_address": "0.0.0.0", + "post_nat_source_ipv4_address": "10.0.0.250", "post_octet_delta_count": 1729, "post_packet_delta_count": 15, "protocol_identifier": 6, @@ -397,10 +397,10 @@ "ingress_interface": 2, "octet_delta_count": 1122, "packet_delta_count": 5, - "post_nadt_estination_ipv4_address": "10.0.0.250", - "post_napdt_estination_transport_port": 33660, - "post_napst_ource_transport_port": 0, - "post_nast_ource_ipv4_address": "0.0.0.0", + "post_napt_destination_transport_port": 33660, + "post_napt_source_transport_port": 0, + "post_nat_destination_ipv4_address": "10.0.0.250", + "post_nat_source_ipv4_address": "0.0.0.0", "post_octet_delta_count": 1122, "post_packet_delta_count": 5, "protocol_identifier": 6, @@ -468,10 +468,10 @@ "ingress_interface": 8, "octet_delta_count": 705, "packet_delta_count": 5, - "post_nadt_estination_ipv4_address": "0.0.0.0", - "post_napdt_estination_transport_port": 0, - "post_napst_ource_transport_port": 33660, - "post_nast_ource_ipv4_address": "10.0.0.250", + "post_napt_destination_transport_port": 0, + "post_napt_source_transport_port": 33660, + "post_nat_destination_ipv4_address": "0.0.0.0", + "post_nat_source_ipv4_address": "10.0.0.250", "post_octet_delta_count": 705, "post_packet_delta_count": 5, "protocol_identifier": 6, @@ -539,10 +539,10 @@ "ingress_interface": 2, "octet_delta_count": 1123, "packet_delta_count": 5, - "post_nadt_estination_ipv4_address": "10.0.0.250", - "post_napdt_estination_transport_port": 33646, - "post_napst_ource_transport_port": 0, - "post_nast_ource_ipv4_address": "0.0.0.0", + "post_napt_destination_transport_port": 33646, + "post_napt_source_transport_port": 0, + "post_nat_destination_ipv4_address": "10.0.0.250", + "post_nat_source_ipv4_address": "0.0.0.0", "post_octet_delta_count": 1123, "post_packet_delta_count": 5, "protocol_identifier": 6, @@ -610,10 +610,10 @@ "ingress_interface": 8, "octet_delta_count": 706, "packet_delta_count": 5, - "post_nadt_estination_ipv4_address": "0.0.0.0", - "post_napdt_estination_transport_port": 0, - "post_napst_ource_transport_port": 33646, - "post_nast_ource_ipv4_address": "10.0.0.250", + "post_napt_destination_transport_port": 0, + "post_napt_source_transport_port": 33646, + "post_nat_destination_ipv4_address": "0.0.0.0", + "post_nat_source_ipv4_address": "10.0.0.250", "post_octet_delta_count": 706, "post_packet_delta_count": 5, "protocol_identifier": 6, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json index 1c069e2df66..1bae7868b29 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C-Netstream-with-varstring.golden.json @@ -57,7 +57,7 @@ "src_traffic_index": 0, "tcp_control_bits": 0, "type": "netflow_flow", - "vr_fname": "" + "vrf_name": "" }, "network": { "bytes": 702,