Add Endace Integration #10308
Files with review comments:
packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml
packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml
packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml
packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml
…/default.yml Co-authored-by: Taylor Swanson <[email protected]>
…#10489) * Able to create P2V when just one IP is present - Fixed start&end time * ngest_pipeline/endace-netflow.yml changed to handle single IP events * updating expected.json after command elastic-package test pipeline --generate
ER for this PR Issue #9579
There is a bug in Kibana which means when rendering the
Adding @elastic/sec-linux-platform team as they will be the owners of the
Few other comments, mostly nit ones.
The bigger concern I had was around the ip and network.type handling in the log data stream. Checking that a v4 address is null or `0.0.0.0` may help that situation, but not sure if we can assume that an ip of `0.0.0.0` is considered an "unset" ip in every circumstance.
# Endace | ||
|
||
Endace is a company known for its network recording, traffic capture, and analysis technology. Endace's solutions are often used for network security, performance monitoring, and troubleshooting. | ||
This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace. |
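Review bot: The README's claim that Endace Flow data is ingested "via syslog input" does not match the PR description, which lists a Netflow input (for Endace Flow) and Packetbeat flow logs (for vProbe); NetFlow/IPFIX is a binary UDP export protocol handled by its own input, not by syslog, so the sentence should name the netflow input instead. The paragraph also says both paths add `event.reference` as a pivot URL but does not say which flow fields the URL is assembled from; document that here, and because the value is rendered as a clickable link built from exporter-supplied field values, state that those values are URL-encoded before being interpolated.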
I don't see a syslog input used? Only netflow and packet are used.
The Netflow integration leverages the Syslog input under the hood I thought
They are completely different technologies (Netflow is a binary protocol)
{ | ||
"@timestamp": "2018-04-15T03:30:00Z", | ||
"destination": { | ||
"ip": "0.0.0.0", | ||
"locality": "internal", | ||
"port": 135 | ||
}, | ||
"ecs": { | ||
"version": "8.11.0" | ||
}, | ||
"event": { | ||
"action": "netflow_flow", | ||
"category": [ | ||
"network" | ||
], | ||
"kind": "event", | ||
"type": [ | ||
"connection" | ||
] | ||
}, | ||
"flow": { | ||
"id": "GYmhjYyvaAI", | ||
"locality": "internal" | ||
}, | ||
"netflow": { | ||
"bgp_destination_as_number": 0, | ||
"bgp_source_as_number": 0, | ||
"destination_ipv4_address": "0.0.0.0", | ||
"destination_ipv6_address": "2a02:cf40::2", | ||
"destination_transport_port": 135, | ||
"exporter": { | ||
"address": "81.2.69.144:4444", | ||
"source_id": 2875616939, | ||
"timestamp": "2018-04-15T03:30:00Z", | ||
"uptime_millis": 0, | ||
"version": 10 | ||
}, | ||
"flow_end_seconds": "2018-04-15T03:29:02Z", | ||
"flow_start_seconds": "2018-04-15T03:28:44Z", | ||
"procera_base_service": "IP protocol 58 (IPv6-ICMP)", | ||
"procera_content_categories": "", | ||
"procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", | ||
"procera_http_content_type": "", | ||
"procera_http_file_length": 0, | ||
"procera_http_location": "", | ||
"procera_http_url": "", | ||
"procera_incoming_octets": 86, | ||
"procera_outgoing_octets": 78, | ||
"procera_service": "IP protocol 58 (IPv6-ICMP)", | ||
"procera_subscriber_identifier": "", | ||
"procera_template_name": "IPFIX", | ||
"protocol_identifier": 58, | ||
"source_ipv4_address": "0.0.0.0", | ||
"source_ipv6_address": "2a02:cf40::1", | ||
"source_transport_port": 136, | ||
"type": "netflow_flow" | ||
}, | ||
"network": { | ||
"community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", | ||
"direction": "internal", | ||
"iana_number": "58", | ||
"transport": "ipv6-icmp", | ||
"type": [ | ||
"ipv4", | ||
"ipv6" | ||
] | ||
}, | ||
"observer": { | ||
"ip": [ | ||
"81.2.69.144" | ||
] | ||
}, | ||
"related": { | ||
"ip": [ | ||
"0.0.0.0" | ||
] | ||
}, | ||
"source": { | ||
"ip": "0.0.0.0", | ||
"locality": "internal", | ||
"port": 136 | ||
} | ||
}, |
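Review bot: The real endpoints of this sample are in netflow.source_ipv6_address (2a02:cf40::1) and netflow.destination_ipv6_address (2a02:cf40::2), with protocol_identifier 58 (IPv6-ICMP), yet source.ip, destination.ip and related.ip are all filled from the zeroed IPv4 fields ("0.0.0.0") and network.type lists both "ipv4" and "ipv6". The pipeline should fall back to the *_ipv6_address fields whenever the *_ipv4_address field is absent or 0.0.0.0, set network.type from the address family actually chosen (["ipv6"] here), and do this before anything derived from the endpoints runs, so flow.locality, network.direction and network.community_id are recomputed from the IPv6 addresses rather than from the placeholders. Separately, source_transport_port 136 and destination_transport_port 135 are not layer-4 ports on an IPv6-ICMP flow; they coincide with the ICMPv6 Neighbor Advertisement (136) and Neighbor Solicitation (135) type numbers, so check how the exporter encodes ICMP type/code before mapping them to source.port and destination.port, where they read as TCP/UDP ports.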
This event looks wrong. The protocol is `ipv6-icmp`, but only `0.0.0.0` is populated for source.ip, related.ip, and destination.ip.
Likewise, network.ip is both ipv4 and ipv6, but seems like it should only be ipv6 in this case.
Perhaps we have to handle `0.0.0.0` in a special manner.
Could we add IPV6 support at a later date?
We could add a check for type on the default pipeline.
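One way to implement the `0.0.0.0` handling and the network.type check discussed in the two review threads above, written as ingest-pipeline processors. This is an added example, not code from this PR or from the Endace package: the processor tag, the `unset_v4` parameter and the decision to leave the raw netflow.* fields untouched and only derive the ECS fields are assumptions of mine, and it assumes the netflow input has already populated netflow.source_ipv4_address, netflow.source_ipv6_address and the destination equivalents.

```yaml
# Added example (not from the Endace package in this PR). Assumes the netflow
# input has already populated netflow.source_ipv4_address,
# netflow.source_ipv6_address and the destination equivalents, and that a v4
# address of 0.0.0.0 means "unset" (params.unset_v4 makes that assumption
# explicit). Only ECS fields are written; netflow.* stays as exported.
description: Derive source/destination/related IPs and network.type from the address family in use
processors:
  - script:
      lang: painless
      tag: endace_pick_address_family
      description: Prefer a real IPv4 address, fall back to IPv6 when v4 is absent or 0.0.0.0
      params:
        unset_v4: '0.0.0.0'
      source: |
        def nf = ctx.netflow;
        if (nf == null) {
          return;
        }
        def types = new HashSet();
        for (def side : ['source', 'destination']) {
          def v4 = nf[side + '_ipv4_address'];
          def v6 = nf[side + '_ipv6_address'];
          def ip = null;
          if (v4 != null && v4 != params.unset_v4) {
            ip = v4;
            types.add('ipv4');
          } else if (v6 != null) {
            ip = v6;
            types.add('ipv6');
          }
          if (ip == null) {
            continue;
          }
          if (ctx[side] == null) {
            ctx[side] = new HashMap();
          }
          ctx[side]['ip'] = ip;
          if (ctx.related == null) {
            ctx.related = new HashMap();
          }
          if (ctx.related.ip == null) {
            ctx.related.ip = new ArrayList();
          }
          if (!ctx.related.ip.contains(ip)) {
            ctx.related.ip.add(ip);
          }
        }
        if (!types.isEmpty()) {
          if (ctx.network == null) {
            ctx.network = new HashMap();
          }
          // Fixed order so the field is stable across documents.
          def list = new ArrayList();
          if (types.contains('ipv4')) {
            list.add('ipv4');
          }
          if (types.contains('ipv6')) {
            list.add('ipv6');
          }
          ctx.network.type = list;
        }
  # Processors that derive values from the chosen endpoints (community ID,
  # locality, direction) belong after this script, not before it.
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: 'Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" failed with message "{{{ _ingest.on_failure_message }}}"'
```

For the IPv6-ICMP sample event in this thread both v4 fields are `0.0.0.0`, so the script takes the v6 branch for both sides and writes only `ipv6` to network.type; for an ordinary IPv4 flow it never touches the v6 fields. If `0.0.0.0` turns out not to mean "unset" on every exporter, the condition is in one place (`params.unset_v4`) and can be tightened, for example by also requiring the v6 field to be present. Dry-run it against the sample with `POST _ingest/pipeline/_simulate`, or with `elastic-package test pipeline` as the PR's own commits do.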
Need `on_failure` processor like in default.yml.
packages/endace/validation.yml
This entire file can be removed, only applies to kibana dashboards which aren't present here.
Co-authored-by: Taylor Swanson <[email protected]>
💚 Build Succeeded
Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as
Hi! This PR has been stale for a while and we're going to close it as part of our cleanup procedure. We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team. Feel free to re-open this PR if you think it should stay open and is worth rebasing. Thank you for your contribution! |
Adding support for Endace.
The integration contains two inputs, Netflow for use with Endace Flow https://www.endace.com/EndaceFlow and Packetbeat Flow Logs for use with Endace vProbe or where systems don't have another way of generating flows externally.
The integration takes information from the flow event and uses it to construct a pivot link which loads the flow in the Endace platform and stores the link under `event.reference`.