diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index cfa61f9cfd28..05b9e7958544 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -319,6 +319,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add support for MySQL 8.0 slow logs and tests also for Percona 8.0 and MariaDB 10.3. {pull}11417[11417]
 - New Filebeat coredns module to ingest coredns logs. It supports both native coredns deployment and coredns deployment in kubernetes. {pull}11200[11200]
 - New module for Cisco ASA logs. {issue}9200[9200] {pull}11171[11171]
+- Added support for Cisco ASA fields to the netflow input. {pull}11201[11201]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv b/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv
index 8939dc97fc51..653a275d06f8 100644
--- a/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv
+++ b/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv
@@ -267,3 +267,12 @@ netscalerUnknown432,5951,432,unsigned8
 netscalerUnknown433,5951,433,unsigned8
 netscalerUnknown453,5951,453,unsigned64
 netscalerUnknown465,5951,465,unsigned32
+ingressAclID,0,33000,aclid
+egressAclID,0,33001,aclid
+fwExtEvent,0,33002,unsigned16
+username,0,40000,string
+XlateSourceAddressIPV4,0,40001,ipv4Address
+XlateDestinationAddressIPV4,0,40002,ipv4Address
+XlateSourcePort,0,40003,unsigned16
+XlateDestinationPort,0,40004,unsigned16
+FirewallEvent,0,40005,unsigned8
diff --git a/x-pack/filebeat/input/netflow/decoder/fields/gen.go b/x-pack/filebeat/input/netflow/decoder/fields/gen.go
index 27e28148f941..743c1a062cbe 100644
--- a/x-pack/filebeat/input/netflow/decoder/fields/gen.go
+++ b/x-pack/filebeat/input/netflow/decoder/fields/gen.go
@@ -61,6 +61,7 @@ var TypeNames = []string{
 	"BasicList",
 	"SubTemplateList",
 	"SubTemplateMultiList",
+	"ACLID",
 }
 
 func write(w io.Writer, msg string) {
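Review bot: The nine new cisco.csv rows register element IDs 33000–33002 and 40000–40005 under enterprise 0, whereas the neighbouring rows are scoped by a vendor PEN (5951); if CiscoFields ends up in the global dictionary these names will be applied to any exporter whose NetFlow v9 template uses those IDs, not only to ASA devices, and the hunk does not show how the dictionary is registered, so this is worth confirming. Element IDs above 32767 cannot occur with enterprise 0 in IPFIX (the high bit of the ID is the enterprise flag), so these are NetFlow v9-only definitions; a one-line comment on the csv rows or in the CHANGELOG entry saying so would help the next reader. The casing of the new names is also mixed (`ingressAclID`, `XlateSourceAddressIPV4`, `FirewallEvent`) while the surrounding rows are lowerCamel; since the name becomes both the generated identifier and the event key, a consistent form such as `xlateSourceAddressIPv4` and `firewallEvent` would match the rest of the file.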
@@ -176,7 +177,7 @@ func main() {
 	write(outHandle, fmt.Sprintf(`}
 
 func init() {
-	if err := RegisterFields(%s); err != nil {
+	if err := RegisterGlobalFields(%s); err != nil {
 		panic(err)
 	}
 }
diff --git a/x-pack/filebeat/input/netflow/decoder/fields/types.go b/x-pack/filebeat/input/netflow/decoder/fields/types.go
index 383bc5d23f0e..2832a9acc584 100644
--- a/x-pack/filebeat/input/netflow/decoder/fields/types.go
+++ b/x-pack/filebeat/input/netflow/decoder/fields/types.go
@@ -6,6 +6,7 @@ package fields
 
 import (
 	"encoding/binary"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -322,6 +323,34 @@ func (u UnsupportedDecoder) Decode(data []byte) (interface{}, error) {
 
 var _ Decoder = (*UnsupportedDecoder)(nil)
 
+type ACLIDDecoder struct{}
+
+const aclIDLength = 12
+
+func (u ACLIDDecoder) MinLength() uint16 {
+	return aclIDLength
+}
+
+func (u ACLIDDecoder) MaxLength() uint16 {
+	return aclIDLength
+}
+
+func (u ACLIDDecoder) Decode(data []byte) (interface{}, error) {
+	if len(data) != aclIDLength {
+		return nil, ErrOutOfBounds
+	}
+	// Encode a [12]byte to a hex string in the form:
+	// "11223344-55667788-99aabbcc"
+	var result [aclIDLength*2 + 2]byte
+	hex.Encode(result[:8], data[:4])
+	hex.Encode(result[9:17], data[4:8])
+	hex.Encode(result[18:], data[8:])
+	result[8], result[17] = '-', '-'
+	return string(result[:]), nil
+}
+
+var _ Decoder = (*OctetArrayDecoder)(nil)
+
 // RFC5610 fields
 var (
 	OctetArray = OctetArrayDecoder{}
@@ -348,3 +377,6 @@ var (
 	SubTemplateList = UnsupportedDecoder{}
 	SubTemplateMultiList = UnsupportedDecoder{}
 )
+
+// ACLID field added for Cisco ASA devices
+var ACLID = ACLIDDecoder{}
diff --git a/x-pack/filebeat/input/netflow/decoder/fields/types_test.go b/x-pack/filebeat/input/netflow/decoder/fields/types_test.go
index 765e69dd3985..ffe56c831dd4 100644
--- a/x-pack/filebeat/input/netflow/decoder/fields/types_test.go
+++ b/x-pack/filebeat/input/netflow/decoder/fields/types_test.go
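Review bot: The generator template now emits `RegisterGlobalFields(%s)`, but the generated zfields_cisco.go hunk elsewhere in this diff stops at `func init() {`, so the diff does not show whether the checked-in generated files were produced by this version of the template; if they still call `RegisterFields`, the generator and its output have drifted. It is worth regenerating the zfields_*.go files as part of this change, or adding a CI check that `go generate` leaves the tree clean, so the template and its output cannot diverge silently. The enclosing `main` starts and ends outside the hunk.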
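Review bot: The interface-satisfaction check added after ACLIDDecoder names the wrong type: `var _ Decoder = (*OctetArrayDecoder)(nil)` repeats a check for OctetArrayDecoder and leaves the new type unchecked, so it should read `var _ Decoder = (*ACLIDDecoder)(nil)`. The receiver name `u` is carried over from UnsupportedDecoder; a receiver named after the type (`a` or `d`) would read better. Neither the type nor the exported `ACLID` variable in the following hunk has a Go-style doc comment (the existing `// ACLID field added for Cisco ASA devices` does not start with the name); suggest `// ACLIDDecoder decodes a 12-byte Cisco ASA ACL identifier into a hex string of the form "11223344-55667788-99aabbcc".` on the type and `// ACLID is the Decoder used by the Cisco ASA ingressAclID and egressAclID fields.` on the variable. The strict `len(data) != aclIDLength` check is the right shape for exporter-supplied data, since the template length is untrusted and the three fixed slices below it would otherwise panic on a short input.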
@@ -1092,3 +1092,38 @@ func TestUnsupported(t *testing.T) {
 		},
 	})
 }
+
+func TestACLID(t *testing.T) {
+	doTest(t, ACLID, 12, 12, []testCase{
+		{
+			title: "Empty",
+			bytes: []byte{},
+			err:   true,
+		},
+		{
+			title: "Sample",
+			bytes: []byte{
+				0x10, 0x21, 0x32, 0x43,
+				0x54, 0x65, 0x76, 0x87,
+				0x98, 0xA9, 0xBA, 0xCD},
+			value: "10213243-54657687-98a9bacd",
+		},
+		{
+			title: "Short",
+			bytes: []byte{
+				0x10, 0x21, 0x32, 0x43,
+				0x54, 0x65, 0x76, 0x87,
+				0x98, 0xA9, 0xBA},
+			err: true,
+		},
+		{
+			title: "Long",
+			bytes: []byte{
+				0x10, 0x21, 0x32, 0x43,
+				0x54, 0x65, 0x76, 0x87,
+				0x98, 0xA9, 0xBA, 0xCD,
+				0xDF},
+			err: true,
+		},
+	})
+}
diff --git a/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go b/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go
index 05dce2458485..ae37275d5281 100644
--- a/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go
+++ b/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go
@@ -277,6 +277,15 @@ var CiscoFields = FieldDict{
 	Key{EnterpriseID: 5951, FieldID: 433}: {Name: "netscalerUnknown433", Decoder: Unsigned8},
 	Key{EnterpriseID: 5951, FieldID: 453}: {Name: "netscalerUnknown453", Decoder: Unsigned64},
 	Key{EnterpriseID: 5951, FieldID: 465}: {Name: "netscalerUnknown465", Decoder: Unsigned32},
+	Key{EnterpriseID: 0, FieldID: 33000}: {Name: "ingressAclID", Decoder: ACLID},
+	Key{EnterpriseID: 0, FieldID: 33001}: {Name: "egressAclID", Decoder: ACLID},
+	Key{EnterpriseID: 0, FieldID: 33002}: {Name: "fwExtEvent", Decoder: Unsigned16},
+	Key{EnterpriseID: 0, FieldID: 40000}: {Name: "username", Decoder: String},
+	Key{EnterpriseID: 0, FieldID: 40001}: {Name: "XlateSourceAddressIPV4", Decoder: Ipv4Address},
+	Key{EnterpriseID: 0, FieldID: 40002}: {Name: "XlateDestinationAddressIPV4", Decoder: Ipv4Address},
+	Key{EnterpriseID: 0, FieldID: 40003}: {Name: "XlateSourcePort", Decoder: Unsigned16},
+	Key{EnterpriseID: 0, FieldID: 40004}: {Name: "XlateDestinationPort", Decoder: Unsigned16},
+	Key{EnterpriseID: 0, FieldID: 40005}: {Name: "FirewallEvent", Decoder: Unsigned8},
 }
 
 func init() {
diff --git a/x-pack/filebeat/input/netflow/definitions.go b/x-pack/filebeat/input/netflow/definitions.go
index 3d1832d4dec5..4227334d96a8 100644
--- a/x-pack/filebeat/input/netflow/definitions.go
+++ b/x-pack/filebeat/input/netflow/definitions.go
@@ -41,7 +41,7 @@ var logstashName2Decoder = map[string]fields.Decoder{
 	"uint64": fields.Unsigned64,
 	"octet_array": fields.OctetArray,
 	"octetarray": fields.OctetArray,
-	"acl_id_asa": fields.UnsupportedDecoder{},
+	"acl_id_asa": fields.ACLID,
 	"mpls_label_stack_octets": fields.UnsupportedDecoder{},
 	"application_id": fields.UnsupportedDecoder{},
 	"forwarding_status": fields.UnsupportedDecoder{},
diff --git a/x-pack/filebeat/input/netflow/testdata/dat_tests.yaml b/x-pack/filebeat/input/netflow/testdata/dat_tests.yaml
index cd4b40482613..f8d69ffc70cd 100644
--- a/x-pack/filebeat/input/netflow/testdata/dat_tests.yaml
+++ b/x-pack/filebeat/input/netflow/testdata/dat_tests.yaml
@@ -92,6 +92,7 @@ tests:
       - netflow9_test_cisco_asa_2_tpl_27x.dat
       - netflow9_test_cisco_asa_2_data.dat
     custom_fields:
+      # This renames some fields to test the loading fields from file feature.
       - netflow9_cisco_asa_custom.yaml
   Netflow 9 ipt_netflow reduced size encoding:
     files:
diff --git a/x-pack/filebeat/input/netflow/testdata/fields/netflow9_cisco_asa_custom.yaml b/x-pack/filebeat/input/netflow/testdata/fields/netflow9_cisco_asa_custom.yaml
index bcf40b96760d..57c6aba2383c 100644
--- a/x-pack/filebeat/input/netflow/testdata/fields/netflow9_cisco_asa_custom.yaml
+++ b/x-pack/filebeat/input/netflow/testdata/fields/netflow9_cisco_asa_custom.yaml
@@ -1,3 +1,4 @@
+# This renames some fields to test the loading fields from file feature.
 33000:
 - :acl_id_asa
 - :ingress_acl_id
@@ -9,19 +10,19 @@
 - :fw_ext_event
 40000:
 - :string
-- :username
+- :asa_username
 40001:
 - :ip4_addr
-- :xlate_src_addr_ipv4
+- :asa_xlate_src_addr_ipv4
 40002:
 - :ip4_addr
-- :xlate_dst_addr_ipv4
+- :asa_xlate_dst_addr_ipv4
 40003:
 - :uint16
-- :xlate_src_port
+- :asa_xlate_src_port
 40004:
 - :uint16
-- :xlate_dst_port
+- :asa_xlate_dst_port
 40005:
 - :uint8
-- :fw_event
+- :asa_fw_event
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json
index 409a4e910b15..3cd8a553a610 100644
--- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json
+++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json
@@ -483,8 +483,10 @@
 "locality": "private"
 },
 "netflow": {
+"asa_username": "",
 "destination_ipv4_address": "192.168.0.18",
 "destination_transport_port": 80,
+"egress_acl_id": "00000000-00000000-00000000",
 "egress_interface": 4,
 "exporter": {
 "address": "192.0.2.1:4444",
@@ -499,6 +501,7 @@ "fw_ext_event": 0, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "3edcde49-0aa62ac3-a8a2a76b", "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:33.385Z", "post_napt_destination_transport_port": 80, @@ -508,8 +511,7 @@ "protocol_identifier": 6, "source_ipv4_address": "192.168.0.1", "source_transport_port": 56649, - "type": "netflow_flow", - "username": "" + "type": "netflow_flow" }, "network": { "community_id": "1:IZ8RrSqt8oeb2F2Rp9296zm54bc=", @@ -680,8 +682,10 @@ "locality": "private" }, "netflow": { + "asa_username": "", "destination_ipv4_address": "192.168.0.17", "destination_transport_port": 80, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 4, "exporter": { "address": "192.0.2.1:4444", @@ -696,6 +700,7 @@ "fw_ext_event": 0, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "3edcde49-0aa62ac3-56e8512e", "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:35.035Z", "post_napt_destination_transport_port": 80, @@ -705,8 +710,7 @@ "protocol_identifier": 6, "source_ipv4_address": "192.168.0.2", "source_transport_port": 61777, - "type": "netflow_flow", - "username": "" + "type": "netflow_flow" }, "network": { "community_id": "1:E1vNamQGw5X+X+vT1g7ui6Nc3O0=", @@ -877,8 +881,10 @@ "locality": "private" }, "netflow": { + "asa_username": "", "destination_ipv4_address": "192.168.0.17", "destination_transport_port": 80, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 4, "exporter": { "address": "192.0.2.1:4444", @@ -893,6 +899,7 @@ "fw_ext_event": 0, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "3edcde49-0aa62ac3-56e8512e", "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:35.785Z", "post_napt_destination_transport_port": 80, 
@@ -902,8 +909,7 @@ "protocol_identifier": 6, "source_ipv4_address": "192.168.0.1", "source_transport_port": 56650, - "type": "netflow_flow", - "username": "" + "type": "netflow_flow" }, "network": { "community_id": "1:pkwcoe/zjCLerUgj+HGAwwt4wV8=", @@ -1074,8 +1080,10 @@ "locality": "private" }, "netflow": { + "asa_username": "", "destination_ipv4_address": "192.168.0.18", "destination_transport_port": 80, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 4, "exporter": { "address": "192.0.2.1:4444", @@ -1090,6 +1098,7 @@ "fw_ext_event": 0, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "3edcde49-0aa62ac3-a8a2a76b", "ingress_interface": 3, "observation_time_milliseconds": "2016-07-21T13:50:36.395Z", "post_napt_destination_transport_port": 80, @@ -1099,8 +1108,7 @@ "protocol_identifier": 6, "source_ipv4_address": "192.168.0.1", "source_transport_port": 56651, - "type": "netflow_flow", - "username": "" + "type": "netflow_flow" }, "network": { "community_id": "1:35/w0D/WO1QvBp8O+Vd95Nb+tt4=", diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json index cf2913314459..63dcdbf0cf2c 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json @@ -21,8 +21,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "2.2.2.11", + "asa_xlate_dst_port": 17549, + "asa_xlate_src_addr_ipv4": "192.168.14.1", + "asa_xlate_src_port": 0, "destination_ipv4_address": "2.2.2.11", "destination_transport_port": 17549, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", 
@@ -33,22 +40,17 @@ }, "flow_id": 8500, "flow_start_milliseconds": "2015-10-09T09:47:47.569Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:49.599Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "192.168.14.1", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "2.2.2.11", - "xlate_dst_port": 17549, - "xlate_src_addr_ipv4": "192.168.14.1", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -88,8 +90,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "164.164.37.11", + "asa_xlate_dst_port": 0, + "asa_xlate_src_addr_ipv4": "192.168.23.22", + "asa_xlate_src_port": 17549, "destination_ipv4_address": "164.164.37.11", "destination_transport_port": 0, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 3, "exporter": { "address": "192.0.2.1:4444", @@ -100,22 +109,17 @@ }, "flow_id": 8501, "flow_start_milliseconds": "2015-10-09T09:47:48.169Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 8, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 2, "observation_time_milliseconds": "2015-10-09T09:47:50.179Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "192.168.23.22", "source_transport_port": 17549, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "164.164.37.11", - "xlate_dst_port": 0, - "xlate_src_addr_ipv4": "192.168.23.22", - "xlate_src_port": 17549 + "type": "netflow_flow" }, "network": { "bytes": 56, 
@@ -155,8 +159,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "192.168.23.22", + "asa_xlate_dst_port": 17549, + "asa_xlate_src_addr_ipv4": "164.164.37.11", + "asa_xlate_src_port": 0, "destination_ipv4_address": "192.168.23.22", "destination_transport_port": 17549, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", @@ -167,22 +178,17 @@ }, "flow_id": 8502, "flow_start_milliseconds": "2015-10-09T09:47:48.179Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:50.219Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "164.164.37.11", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "192.168.23.22", - "xlate_dst_port": 17549, - "xlate_src_addr_ipv4": "164.164.37.11", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -222,8 +228,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "164.164.37.11", + "asa_xlate_dst_port": 0, + "asa_xlate_src_addr_ipv4": "192.168.23.20", + "asa_xlate_src_port": 17805, "destination_ipv4_address": "164.164.37.11", "destination_transport_port": 0, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 3, "exporter": { "address": "192.0.2.1:4444", 
@@ -234,22 +247,17 @@ }, "flow_id": 8503, "flow_start_milliseconds": "2015-10-09T09:47:48.399Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 8, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 2, "observation_time_milliseconds": "2015-10-09T09:47:50.419Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "192.168.23.20", "source_transport_port": 17805, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "164.164.37.11", - "xlate_dst_port": 0, - "xlate_src_addr_ipv4": "192.168.23.20", - "xlate_src_port": 17805 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -289,8 +297,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "192.168.23.20", + "asa_xlate_dst_port": 17805, + "asa_xlate_src_addr_ipv4": "164.164.37.11", + "asa_xlate_src_port": 0, "destination_ipv4_address": "192.168.23.20", "destination_transport_port": 17805, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", @@ -301,22 +316,17 @@ }, "flow_id": 8504, "flow_start_milliseconds": "2015-10-09T09:47:48.409Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:50.429Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "164.164.37.11", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "192.168.23.20", - "xlate_dst_port": 17805, - "xlate_src_addr_ipv4": "164.164.37.11", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 56, 
@@ -356,8 +366,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "2.2.2.11", + "asa_xlate_dst_port": 0, + "asa_xlate_src_addr_ipv4": "192.168.14.11", + "asa_xlate_src_port": 17805, "destination_ipv4_address": "2.2.2.11", "destination_transport_port": 0, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", @@ -368,22 +385,17 @@ }, "flow_id": 8505, "flow_start_milliseconds": "2015-10-09T09:47:48.589Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 8, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:50.619Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "192.168.14.11", "source_transport_port": 17805, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "2.2.2.11", - "xlate_dst_port": 0, - "xlate_src_addr_ipv4": "192.168.14.11", - "xlate_src_port": 17805 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -423,8 +435,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "192.168.14.11", + "asa_xlate_dst_port": 17805, + "asa_xlate_src_addr_ipv4": "2.2.2.11", + "asa_xlate_src_port": 0, "destination_ipv4_address": "192.168.14.11", "destination_transport_port": 17805, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 3, "exporter": { "address": "192.0.2.1:4444", 
@@ -435,22 +454,17 @@ }, "flow_id": 8506, "flow_start_milliseconds": "2015-10-09T09:47:48.599Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 2, "observation_time_milliseconds": "2015-10-09T09:47:50.639Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "2.2.2.11", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "192.168.14.11", - "xlate_dst_port": 17805, - "xlate_src_addr_ipv4": "2.2.2.11", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -490,8 +504,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "192.168.14.1", + "asa_xlate_dst_port": 0, + "asa_xlate_src_addr_ipv4": "2.2.2.11", + "asa_xlate_src_port": 17805, "destination_ipv4_address": "192.168.14.1", "destination_transport_port": 0, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 3, "exporter": { "address": "192.0.2.1:4444", @@ -502,22 +523,17 @@ }, "flow_id": 8507, "flow_start_milliseconds": "2015-10-09T09:47:48.609Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 8, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 2, "observation_time_milliseconds": "2015-10-09T09:47:50.639Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "2.2.2.11", "source_transport_port": 17805, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "192.168.14.1", - "xlate_dst_port": 0, - "xlate_src_addr_ipv4": "2.2.2.11", - "xlate_src_port": 17805 + "type": "netflow_flow" }, "network": { "bytes": 56, 
@@ -557,8 +573,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "2.2.2.11", + "asa_xlate_dst_port": 17805, + "asa_xlate_src_addr_ipv4": "192.168.14.1", + "asa_xlate_src_port": 0, "destination_ipv4_address": "2.2.2.11", "destination_transport_port": 17805, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", @@ -569,22 +592,17 @@ }, "flow_id": 8508, "flow_start_milliseconds": "2015-10-09T09:47:48.619Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:50.639Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "192.168.14.1", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "2.2.2.11", - "xlate_dst_port": 17805, - "xlate_src_addr_ipv4": "192.168.14.1", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -624,8 +642,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "192.168.23.1", + "asa_xlate_dst_port": 0, + "asa_xlate_src_addr_ipv4": "164.164.37.11", + "asa_xlate_src_port": 0, "destination_ipv4_address": "192.168.23.1", "destination_transport_port": 0, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", 
@@ -636,22 +661,17 @@ }, "flow_id": 8525, "flow_start_milliseconds": "2015-10-09T09:47:51.269Z", - "fw_event": 2, "fw_ext_event": 2016, "icmp_code_ipv4": 3, "icmp_type_ipv4": 3, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:51.269Z", "octet_total_count": 160, "protocol_identifier": 1, "source_ipv4_address": "164.164.37.11", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "192.168.23.1", - "xlate_dst_port": 0, - "xlate_src_addr_ipv4": "164.164.37.11", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 160, @@ -691,8 +711,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "164.164.37.11", + "asa_xlate_dst_port": 0, + "asa_xlate_src_addr_ipv4": "192.168.23.22", + "asa_xlate_src_port": 18061, "destination_ipv4_address": "164.164.37.11", "destination_transport_port": 0, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 3, "exporter": { "address": "192.0.2.1:4444", @@ -703,22 +730,17 @@ }, "flow_id": 8509, "flow_start_milliseconds": "2015-10-09T09:47:49.249Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 8, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 2, "observation_time_milliseconds": "2015-10-09T09:47:51.269Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "192.168.23.22", "source_transport_port": 18061, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "164.164.37.11", - "xlate_dst_port": 0, - "xlate_src_addr_ipv4": "192.168.23.22", - "xlate_src_port": 18061 + "type": "netflow_flow" }, "network": { "bytes": 56, 
@@ -758,8 +780,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "192.168.23.22", + "asa_xlate_dst_port": 18061, + "asa_xlate_src_addr_ipv4": "164.164.37.11", + "asa_xlate_src_port": 0, "destination_ipv4_address": "192.168.23.22", "destination_transport_port": 18061, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", @@ -770,22 +799,17 @@ }, "flow_id": 8510, "flow_start_milliseconds": "2015-10-09T09:47:49.259Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:51.289Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "164.164.37.11", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "192.168.23.22", - "xlate_dst_port": 18061, - "xlate_src_addr_ipv4": "164.164.37.11", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -825,8 +849,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "164.164.37.11", + "asa_xlate_dst_port": 0, + "asa_xlate_src_addr_ipv4": "192.168.23.20", + "asa_xlate_src_port": 18061, "destination_ipv4_address": "164.164.37.11", "destination_transport_port": 0, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 3, "exporter": { "address": "192.0.2.1:4444", 
@@ -837,22 +868,17 @@ }, "flow_id": 8511, "flow_start_milliseconds": "2015-10-09T09:47:49.469Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 8, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 2, "observation_time_milliseconds": "2015-10-09T09:47:51.489Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "192.168.23.20", "source_transport_port": 18061, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "164.164.37.11", - "xlate_dst_port": 0, - "xlate_src_addr_ipv4": "192.168.23.20", - "xlate_src_port": 18061 + "type": "netflow_flow" }, "network": { "bytes": 56, @@ -892,8 +918,15 @@ "locality": "public" }, "netflow": { + "asa_fw_event": 2, + "asa_username": "", + "asa_xlate_dst_addr_ipv4": "192.168.23.20", + "asa_xlate_dst_port": 18061, + "asa_xlate_src_addr_ipv4": "164.164.37.11", + "asa_xlate_src_port": 0, "destination_ipv4_address": "192.168.23.20", "destination_transport_port": 18061, + "egress_acl_id": "00000000-00000000-00000000", "egress_interface": 2, "exporter": { "address": "192.0.2.1:4444", @@ -904,22 +937,17 @@ }, "flow_id": 8512, "flow_start_milliseconds": "2015-10-09T09:47:49.479Z", - "fw_event": 2, "fw_ext_event": 2025, "icmp_code_ipv4": 0, "icmp_type_ipv4": 0, + "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000", "ingress_interface": 3, "observation_time_milliseconds": "2015-10-09T09:47:51.509Z", "octet_total_count": 56, "protocol_identifier": 1, "source_ipv4_address": "164.164.37.11", "source_transport_port": 0, - "type": "netflow_flow", - "username": "", - "xlate_dst_addr_ipv4": "192.168.23.20", - "xlate_dst_port": 18061, - "xlate_src_addr_ipv4": "164.164.37.11", - "xlate_src_port": 0 + "type": "netflow_flow" }, "network": { "bytes": 56,