Support protocol: Cassandra

CHANGELOG.asciidoc

@@ -79,6 +79,8 @@ https://github.com/elastic/beats/compare/v5.0.0-alpha5...master[Check the HEAD d
 
 *Packetbeat*
 
+ - Add cassandra protocol analyzer to packetbeat. {pull}1959[1959]
+
 *Topbeat*
 
 *Filebeat*

glide.yaml

@@ -97,3 +97,5 @@ import:
   - zlib
 - package: github.com/klauspost/cpuid
   version: v1.0
+- package: https://github.com/go-inf/inf
+  version: v0.9.0

packetbeat/docs/fields.asciidoc

@@ -14,6 +14,7 @@ grouped in the following categories:
 
 * <<exported-fields-amqp>>
 * <<exported-fields-beat>>
+* <<exported-fields-cassandra>>
 * <<exported-fields-common>>
 * <<exported-fields-dns>>
 * <<exported-fields-flows_event>>
@@ -401,6 +402,44 @@ type: dict
 Contains user configurable fields.
 
 
+[[exported-fields-cassandra]]
+== Cassandra Fields
+
+Cassandra v4/3 specific event fields.
+
+
+[float]
+=== cassandra_request
+
+type: dict
+
+Cassandra request field table.
+
+
+[float]
+=== cassandra_request.request_headers
+
+type: dict
+
+Cassandra request header field table.
+
+
+[float]
+=== cassandra_response
+
+type: dict
+
+Cassandra response field table.
+
+
+[float]
+=== cassandra_response.response_headers
+
+type: dict
+
+Cassandra response header field table.
+
+
 [[exported-fields-common]]
 == Common Fields
 

packetbeat/docs/gettingstarted.asciidoc

@@ -165,6 +165,10 @@ packetbeat.protocols.thrift:
 
 packetbeat.protocols.mongodb:
   ports: [27017]
+
+packetbeat.protocols.cassandra:
+  ports: [9042]
+
 ----------------------------------------------------------------------
 +
 . Set the IP address and port where Packetbeat can find the Elasticsearch

packetbeat/docs/reference/configuration/packetbeat-options.asciidoc

@@ -234,6 +234,9 @@ packetbeat.protocols.http:
 packetbeat.protocols.amqp:
   ports: [5672]
 
+packetbeat.protocols.cassandra:
+  ports: [9042]
+
 packetbeat.protocols.memcache:
   ports: [11211]
 
@@ -248,6 +251,8 @@ packetbeat.protocols.pgsql:
 
 packetbeat.protocols.thrift:
   ports: [9090]
+
+
 ------------------------------------------------------------------------------
 
 ==== Common Protocol Options
@@ -505,6 +510,45 @@ If set to false, the connection layer methods of the protocol are also
 displayed, such as the opening and closing of connections and channels by clients,
 or the quality of service negotiation. The default is true.
 
+
+[[configuration-cassandra]]
+==== Cassandra Configuration Options
+
+The following settings are specific to the Cassandra protocol. Here is a sample
+configuration for the `cassandra` section of the +{beatname_lc}.yml+ config file:
+
+[source,yaml]
+------------------------------------------------------------------------------
+packetbeat.protocols.cassandra:
+  send_request_header: true
+  send_response_header: true
+  compressor: "snappy"
+  ignored_ops: ["SUPPORTED","OPTIONS"]
+------------------------------------------------------------------------------
+
+===== send_request_header
+
+If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
+is sent to Elasticsearch. The default is true. enable `send_request` first before enable this option.
+
+===== send_response_header
+
+If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
+is included in published events. The default is true. enable `send_response` first before enable this option.
+
+===== ignored_ops
+
+This option indicates which Operator/Operators captured will be ignored. currently support:
+`ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE` ,`OPTIONS` ,`SUPPORTED` ,
+`QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE` ,`REGISTER`  ,`EVENT` ,
+`BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE` ,`AUTH_SUCCESS` .
+
+===== compressor
+
+Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured.
+By default no compressor is configured.
+
+
 ==== Memcache Configuration Options
 
 The `memcache` section of the +{beatname_lc}.yml+ config file specifies configuration options for the memcache
@@ -678,6 +722,7 @@ at the end of the document.
 Note that limiting documents in this way means that they are no longer correctly
 formatted JSON objects.
 
+
 [[configuration-processes]]
 === Monitored Processes Configuration
 

packetbeat/docs/shared-protocol-list.asciidoc

@@ -8,10 +8,10 @@
  - DNS
  - HTTP
  - AMQP 0.9.1
+ - Cassandra
  - Mysql
  - PostgreSQL
  - Redis
  - Thrift-RPC
  - MongoDB
  - Memcache
-

packetbeat/etc/beat.full.yml

@@ -99,6 +99,33 @@ packetbeat.protocols.amqp:
   # incoming responses, but sent to Elasticsearch immediately.
   #transaction_timeout: 10s
 
+packetbeat.protocols.cassandra:
+  #Cassandra port for traffic monitoring.
+  ports: [9042]
+
+  # If this option is enabled, the raw message of the request (`cassandra_request` field)
+  # is included in published events. The default is true.
+  #send_request: true
+
+  # If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
+  # is included in published events. The default is true. enable `send_request` first before enable this option.
+  #send_request_header: true
+
+  # If this option is enabled, the raw message of the response (`cassandra_response` field)
+  # is included in published events. The default is true.
+  #send_response: true
+
+  # If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
+  # is included in published events. The default is true. enable `send_response` first before enable this option.
+  #send_response_header: true
+
+  # Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured.
+  # By default no compressor is configured.
+  #compressor: "snappy"
+
+  # This option indicates which Operator/Operators will be ignored.
+  #ignored_ops: ["SUPPORTED","OPTIONS"]
+
 packetbeat.protocols.dns:
   # Enable DNS monitoring. Default: true
   #enabled: true
@@ -416,3 +443,4 @@ packetbeat.protocols.nfs:
 #
 #    - process: app
 #      cmdline_grep: gunicorn
+

packetbeat/etc/beat.yml

@@ -35,6 +35,10 @@ packetbeat.protocols.amqp:
   # the AMQP protocol by commenting out the list of ports.
   ports: [5672]
 
+packetbeat.protocols.cassandra:
+  #Cassandra port for traffic monitoring.
+  ports: [9042]
+
 packetbeat.protocols.dns:
   # Configure the ports where to listen for DNS traffic. You can disable
   # the DNS protocol by commenting out the list of ports.

packetbeat/etc/fields.yml

@@ -831,6 +831,33 @@
           description: >
             Creating application id.
 
+
+- key: cassandra
+  title: "Cassandra"
+  description: Cassandra v4/3 specific event fields.
+  fields:
+    - name: cassandra_request
+      type: dict
+      dict-type: keyword
+      description: >
+        Cassandra request field table.
+    - name: cassandra_request.request_headers
+      type: dict
+      dict-type: keyword
+      description: >
+        Cassandra request header field table.
+    - name: cassandra_response
+      type: dict
+      dict-type: keyword
+      description: >
+        Cassandra response field table.
+    - name: cassandra_response.response_headers
+      type: dict
+      dict-type: keyword
+      description: >
+        Cassandra response header field table.
+
+
 - key: http
   title: "HTTP"
   description: HTTP-specific event fields.
@@ -1390,6 +1417,7 @@
           description: NFS operation reply status.
 
 
+
 - key: raw
   title: Raw
   description: These fields contain the raw transaction data.

packetbeat/etc/kibana/dashboard/Packetbeat-Cassandra.json

@@ -0,0 +1,13 @@
+{
+  "hits": 0, 
+  "timeRestore": false, 
+  "description": "", 
+  "title": "Packetbeat Cassandra", 
+  "uiStateJSON": "{\"P-10\":{\"vis\":{\"legendOpen\":false}},\"P-17\":{\"vis\":{\"legendOpen\":false}},\"P-18\":{\"vis\":{\"legendOpen\":false}}}", 
+  "panelsJSON": "[{\"col\":10,\"id\":\"Cassandra:-ResponseKeyspace\",\"panelIndex\":3,\"row\":3,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Cassandra:-ResponseType\",\"panelIndex\":4,\"row\":3,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cassandra:-ErrType\",\"panelIndex\":6,\"row\":7,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"columns\":[\"cassandra_request.query\",\"cassandra_response.err_type\",\"cassandra_response.err_msg\"],\"id\":\"Cassandra:-ErrorView\",\"panelIndex\":7,\"row\":5,\"size_x\":9,\"size_y\":4,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"columns\":[\"cassandra_request.query\",\"cassandra_response.rows.meta.keyspace\",\"cassandra_response.rows.meta.table\",\"cassandra_response.rows.num_rows\"],\"id\":\"Cassandra:-QueryView\",\"panelIndex\":8,\"row\":18,\"size_x\":12,\"size_y\":4,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Cassandra:-ResponseTime\",\"panelIndex\":9,\"row\":22,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Cassandra:-RequestCount\",\"panelIndex\":10,\"row\":1,\"size_x\":9,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Cassandra:-Ops\",\"panelIndex\":11,\"row\":3,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"columns\":[\"cassandra_response.type\",\"cassandra_response.change\",\"cassandra_response.keyspace\",\"cassandra_response.object\"],\"id\":\"Cassandra:-EventView\",\"panelIndex\":12,\"row\":24,\"size_x\":9,\"size_y\":2,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Cassandra:-RequestCountStackByType\",\"panelIndex\":15,\"row\":9,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cassandra:-ResponseCountStackByType\",\"panelIndex\":16,\"row\":11,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cassandra:-RequestCountByType\",\"panelIndex\":17,\"row\":13,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Cassandra:-ResponseCountByType\",\"panelIndex\":18,\"row\":13,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Navigation\",\"panelIndex\":19,\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cassandra:-EventType\",\"panelIndex\":20,\"row\":16,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cassandra:-Flags\",\"panelIndex\":21,\"row\":5,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"}]", 
+  "optionsJSON": "{\"darkTheme\":false}", 
+  "version": 1, 
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
+  }
+}

packetbeat/etc/kibana/search/Cassandra.json

@@ -0,0 +1,70 @@
+[
+    {
+        "_id": "Cassandra:-QueryView",
+        "_type": "search",
+        "_source": {
+            "title": "Cassandra: QueryView",
+            "description": "",
+            "hits": 0,
+            "columns": [
+                "cassandra_request.query",
+                "cassandra_response.rows.meta.keyspace",
+                "cassandra_response.rows.meta.table",
+                "cassandra_response.rows.num_rows"
+            ],
+            "sort": [
+                "@timestamp",
+                "desc"
+            ],
+            "version": 1,
+            "kibanaSavedObjectMeta": {
+                "searchSourceJSON": "{\"index\":\"packetbeat-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"packetbeat-*\",\"key\":\"cassandra_request.request_headers.op\",\"value\":\"QUERY\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"cassandra_request.request_headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":true,\"index\":\"packetbeat-*\",\"key\":\"cassandra_response.response_headers.op\",\"value\":\"ERROR\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"cassandra_response.response_headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+            }
+        }
+    },
+    {
+        "_id": "Cassandra:-ErrorView",
+        "_type": "search",
+        "_source": {
+            "title": "Cassandra: ErrorView",
+            "description": "",
+            "hits": 0,
+            "columns": [
+                "cassandra_request.query",
+                "cassandra_response.err_type",
+                "cassandra_response.err_msg"
+            ],
+            "sort": [
+                "@timestamp",
+                "desc"
+            ],
+            "version": 1,
+            "kibanaSavedObjectMeta": {
+                "searchSourceJSON": "{\"index\":\"packetbeat-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"packetbeat-*\",\"key\":\"cassandra_request.request_headers.op\",\"negate\":false,\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra_request.request_headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"packetbeat-*\",\"key\":\"type\",\"value\":\"cassandra\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"type\":{\"query\":\"cassandra\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":false,\"index\":\"packetbeat-*\",\"key\":\"cassandra_response.response_headers.op\",\"value\":\"ERROR\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"cassandra_response.response_headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+            }
+        }
+    },
+    {
+        "_id": "Cassandra:-EventView",
+        "_type": "search",
+        "_source": {
+            "title": "Cassandra: EventView",
+            "description": "",
+            "hits": 0,
+            "columns": [
+                "cassandra_response.type",
+                "cassandra_response.change",
+                "cassandra_response.keyspace",
+                "cassandra_response.object"
+            ],
+            "sort": [
+                "@timestamp",
+                "desc"
+            ],
+            "version": 1,
+            "kibanaSavedObjectMeta": {
+                "searchSourceJSON": "{\"index\":\"packetbeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"packetbeat-*\",\"key\":\"cassandra_response.response_headers.op\",\"value\":\"EVENT\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"cassandra_response.response_headers.op\":{\"query\":\"EVENT\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+            }
+        }
+    }
+]

packetbeat/etc/kibana/search/Cassandra:-ErrorView.json

@@ -0,0 +1,18 @@
+{
+  "sort": [
+    "@timestamp", 
+    "desc"
+  ], 
+  "hits": 0, 
+  "description": "", 
+  "title": "Cassandra: ErrorView", 
+  "version": 1, 
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"packetbeat-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"packetbeat-*\",\"key\":\"cassandra_request.request_headers.op\",\"negate\":false,\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra_request.request_headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"packetbeat-*\",\"key\":\"type\",\"value\":\"cassandra\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"type\":{\"query\":\"cassandra\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":false,\"index\":\"packetbeat-*\",\"key\":\"cassandra_response.response_headers.op\",\"value\":\"ERROR\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"cassandra_response.response_headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  }, 
+  "columns": [
+    "cassandra_request.query", 
+    "cassandra_response.err_type", 
+    "cassandra_response.err_msg"
+  ]
+}

packetbeat/etc/kibana/search/Cassandra:-EventView.json

@@ -0,0 +1,19 @@
+{
+  "sort": [
+    "@timestamp", 
+    "desc"
+  ], 
+  "hits": 0, 
+  "description": "", 
+  "title": "Cassandra: EventView", 
+  "version": 1, 
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"packetbeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"packetbeat-*\",\"key\":\"cassandra_response.response_headers.op\",\"value\":\"EVENT\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"cassandra_response.response_headers.op\":{\"query\":\"EVENT\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  }, 
+  "columns": [
+    "cassandra_response.type", 
+    "cassandra_response.change", 
+    "cassandra_response.keyspace", 
+    "cassandra_response.object"
+  ]
+}