Add Endace Integration #10308

Closed · wants to merge 24 commits
Conversation

jamesagarside (author):

Adding support for Endace.

The integration contains two inputs: NetFlow, for use with Endace Flow (https://www.endace.com/EndaceFlow), and Packetbeat Flow Logs, for use with Endace vProbe or where systems don't have another way of generating flows externally.

The integration takes information from the flow event and uses it to construct a pivot link which loads the flow in the Endace platform, and stores the link under event.reference.

@jamesagarside jamesagarside mentioned this pull request Jul 1, 2024
15 tasks
@mjwolf mjwolf requested a review from a team July 8, 2024 19:45
Review thread on .github/CODEOWNERS: outdated, resolved.

jamesagarside (author):

@taylor-swanson @pkoutsovasilis
Thank you both for reviewing this. I'm happy to fix these here, but it's worth noting the pipelines other than endace.yml were copied from the following packages:
https://github.com/elastic/integrations/tree/main/packages/network_traffic/data_stream/flow/elasticsearch/ingest_pipeline
https://github.com/elastic/integrations/tree/main/packages/netflow/data_stream/log/elasticsearch/ingest_pipeline
These changes will need to be reflected here to ensure parity.

@andrewkroh andrewkroh added the New Integration Issue or pull request for creating a new integration package. label Jul 19, 2024
rcesar999 and others added 5 commits July 22, 2024 11:14
…#10489)

* Able to create P2V when just one IP is present - Fixed start&end time

* ngest_pipeline/endace-netflow.yml changed to handle single IP events

* updating expected.json after command elastic-package test pipeline --generate
jamesagarside (author):

ER for this PR: Issue #9579

jamesagarside (author):

There is a bug in Kibana which means when rendering the event.reference pivot field ampersands are escaped which causes issues with the Endace appliance. Two Kibana issues have been raised to fix this behaviour.
elastic/kibana#188975
elastic/kibana#188973

@taylor-swanson taylor-swanson requested a review from a team July 25, 2024 16:21
taylor-swanson (contributor):

Adding @elastic/sec-linux-platform team as they will be the owners of the flow data stream.

taylor-swanson (contributor) left a review:

Few other comments, mostly nit ones.

The bigger concern I had was around the ip and network.type handling in the log data stream. Checking that a v4 address is null or 0.0.0.0 may help that situation, but I'm not sure if we can assume that an ip of 0.0.0.0 is considered an "unset" ip in every circumstance.

# Endace

Endace is a company known for its network recording, traffic capture, and analysis technology. Endace's solutions are often used for network security, performance monitoring, and troubleshooting.
This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace.
taylor-swanson (contributor):

I don't see a syslog input used? Only netflow and packet are used.

jamesagarside (author):

The Netflow integration leverages the Syslog input under the hood, I thought.

taylor-swanson (contributor):

They are completely different technologies (NetFlow is a binary protocol).

Comment on lines +3432 to +3514 (one event from the generated expected.json):

```json
{
  "@timestamp": "2018-04-15T03:30:00Z",
  "destination": {
    "ip": "0.0.0.0",
    "locality": "internal",
    "port": 135
  },
  "ecs": {
    "version": "8.11.0"
  },
  "event": {
    "action": "netflow_flow",
    "category": [
      "network"
    ],
    "kind": "event",
    "type": [
      "connection"
    ]
  },
  "flow": {
    "id": "GYmhjYyvaAI",
    "locality": "internal"
  },
  "netflow": {
    "bgp_destination_as_number": 0,
    "bgp_source_as_number": 0,
    "destination_ipv4_address": "0.0.0.0",
    "destination_ipv6_address": "2a02:cf40::2",
    "destination_transport_port": 135,
    "exporter": {
      "address": "81.2.69.144:4444",
      "source_id": 2875616939,
      "timestamp": "2018-04-15T03:30:00Z",
      "uptime_millis": 0,
      "version": 10
    },
    "flow_end_seconds": "2018-04-15T03:29:02Z",
    "flow_start_seconds": "2018-04-15T03:28:44Z",
    "procera_base_service": "IP protocol 58 (IPv6-ICMP)",
    "procera_content_categories": "",
    "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED",
    "procera_http_content_type": "",
    "procera_http_file_length": 0,
    "procera_http_location": "",
    "procera_http_url": "",
    "procera_incoming_octets": 86,
    "procera_outgoing_octets": 78,
    "procera_service": "IP protocol 58 (IPv6-ICMP)",
    "procera_subscriber_identifier": "",
    "procera_template_name": "IPFIX",
    "protocol_identifier": 58,
    "source_ipv4_address": "0.0.0.0",
    "source_ipv6_address": "2a02:cf40::1",
    "source_transport_port": 136,
    "type": "netflow_flow"
  },
  "network": {
    "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=",
    "direction": "internal",
    "iana_number": "58",
    "transport": "ipv6-icmp",
    "type": [
      "ipv4",
      "ipv6"
    ]
  },
  "observer": {
    "ip": [
      "81.2.69.144"
    ]
  },
  "related": {
    "ip": [
      "0.0.0.0"
    ]
  },
  "source": {
    "ip": "0.0.0.0",
    "locality": "internal",
    "port": 136
  }
},
```
taylor-swanson (contributor):

This event looks wrong. The protocol is ipv6-icmp, but only 0.0.0.0 is populated for source.ip, related.ip, and destination.ip.

Likewise, network.ip is both ipv4 and ipv6, but seems like it should only be ipv6 in this case.

Perhaps we have to handle 0.0.0.0 in a special manner.

jamesagarside (author):

Could we add IPV6 support at a later date?
We could add a check for type on the default pipeline.
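The 0.0.0.0 handling discussed in this thread, modelled in Python as an added example (this is not the PR's ingest pipeline, which is Elasticsearch YAML/Painless, nor code from elastic/integrations). The policy it assumes is the one the review points toward: an IPv4 field of 0.0.0.0 (or an IPv6 field of ::) is treated as unset only when the other family's field carries a real address, so a flow that genuinely originates from 0.0.0.0 and has no IPv6 alternative keeps its address; when both families hold real addresses, IPv4 wins, mirroring the existing pipeline, which reads the v4 field. The sample record is a constructed subset of the expected.json event quoted above, using its netflow.* field names; the function and constant names are this example's own.

```python
"""Derive ECS source/destination/related/network.type from an IPFIX record
that carries both IPv4 and IPv6 address fields (added example, not the PR's
own pipeline)."""
import ipaddress

# Placeholder an exporter writes into the address field of the family not in
# use. Treating it as "unset" only when the other family holds a real address
# is this example's assumption, not a rule taken from the PR.
UNSET = {
    "ipv4": ipaddress.ip_address("0.0.0.0"),
    "ipv6": ipaddress.ip_address("::"),
}

# Constructed sample: the netflow.* address fields of the IPv6-ICMP event
# quoted in the review, where the IPv4 fields hold the 0.0.0.0 placeholder.
SAMPLE_NETFLOW = {
    "source_ipv4_address": "0.0.0.0",
    "source_ipv6_address": "2a02:cf40::1",
    "destination_ipv4_address": "0.0.0.0",
    "destination_ipv6_address": "2a02:cf40::2",
    "protocol_identifier": 58,
}


def _is_set(value, family):
    """True when the field is present and holds a non-placeholder address.
    A malformed string raises ValueError on purpose: in the pipeline that is
    what the on_failure handler would catch."""
    if value is None:
        return False
    return ipaddress.ip_address(value) != UNSET[family]


def pick_address(v4, v6):
    """Return (address, family) for one endpoint, or (None, None).

    Order of preference: a real IPv4, then a real IPv6, then whatever
    placeholder the exporter supplied. Keeping the placeholder when there is
    no alternative preserves flows whose source really is 0.0.0.0 (a DHCP
    DISCOVER, for example) instead of blanking them.
    """
    if _is_set(v4, "ipv4"):
        return v4, "ipv4"
    if _is_set(v6, "ipv6"):
        return v6, "ipv6"
    if v4 is not None:
        return v4, "ipv4"
    if v6 is not None:
        return v6, "ipv6"
    return None, None


def normalize_endpoints(netflow):
    """Build the ECS fields the review found inconsistent: source.ip,
    destination.ip, related.ip and network.type, keyed by dotted path."""
    src, src_fam = pick_address(netflow.get("source_ipv4_address"),
                                netflow.get("source_ipv6_address"))
    dst, dst_fam = pick_address(netflow.get("destination_ipv4_address"),
                                netflow.get("destination_ipv6_address"))
    ecs = {}
    if src:
        ecs["source.ip"] = src
    if dst:
        ecs["destination.ip"] = dst
    # related.ip is deduplicated; network.type lists only the families that
    # were actually used, so the sample yields ["ipv6"], not ["ipv4", "ipv6"].
    related = sorted({ip for ip in (src, dst) if ip})
    if related:
        ecs["related.ip"] = related
    families = sorted({fam for fam in (src_fam, dst_fam) if fam})
    if families:
        ecs["network.type"] = families
    return ecs


if __name__ == "__main__":
    print(normalize_endpoints(SAMPLE_NETFLOW))
```

Run against the sample, this produces source.ip 2a02:cf40::1, destination.ip 2a02:cf40::2, related.ip with both IPv6 addresses and network.type ["ipv6"]; a record with only IPv4 fields set still yields network.type ["ipv4"], and a mixed record (real v4 on one side, placeholder v4 plus real v6 on the other) yields both families.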

taylor-swanson (contributor):

Need on_failure processor like in default.yml.

taylor-swanson (contributor):

This entire file can be removed, only applies to kibana dashboards which aren't present here.

Review thread on packages/endace/manifest.yml: resolved.
Co-authored-by: Taylor Swanson <[email protected]>
elasticmachine: 💚 Build Succeeded

botelastic bot commented Aug 25, 2024:

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Aug 25, 2024
botelastic bot commented Sep 24, 2024:

Hi! This PR has been stale for a while and we're going to close it as part of our cleanup procedure. We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team. Feel free to re-open this PR if you think it should stay open and is worth rebasing. Thank you for your contribution!

@botelastic botelastic bot closed this Sep 24, 2024
Labels: New Integration (Issue or pull request for creating a new integration package), Stalled

7 participants