Netflow input: Improve session reset detection and allow disabling #14904
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
adriansr
added
bug
review
Filebeat
Add option to allow disabling sequence number tracking, which can cause too many lost flows in some environments.
Session reset detection was too sensitive and not resilent against out-of-order UDP packets.
This structure wasn't thread safe but it was used by different threads which can cause a crash.
adriansr
force-pushed
the
netflow_seq_improvements
branch
from
5e30562 to
99e553f
Compare
|
@leehinman @andrewkroh I added another fix. Can you review again? |
andrewkroh
approved these changes
Dec 18, 2019
| detected, record templates for the given exporter will be dropped. This will | ||
| cause flow loss until the exporter provides new templates. If set to `false`, | ||
| {beatname_uc} will ignore sequence numbers, which can cause some invalid flows | ||
| if the exporter process is reset. This option is only applicable to Netflow V9 |
There was a problem hiding this comment.
So an invalid flow could occur if the template changes after the Exporter Process reset?
There was a problem hiding this comment.
Technically, yes. In practice, I understand the exporter will first send the new templates after a reset as it doesn't make any sense to start sending flows before sending templates for them.
andrewkroh
approved these changes
Dec 20, 2019
adriansr
added
v7.6.0
and removed
needs_backport
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
Jan 7, 2020
…lastic#14904) - New NetFlow option detect_sequence_reset Add option to allow disabling sequence number tracking, which can cause too many lost flows in some environments. - Improve session reset detection in Netflow Session reset detection was too sensitive and not resilent against out-of-order UDP packets. - Make logDebugWrapper thread safe This structure wasn't thread safe but it was used by different threads which can cause a crash. (cherry picked from commit c47b9a2)
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
Jan 7, 2020
…lastic#14904) - New NetFlow option detect_sequence_reset Add option to allow disabling sequence number tracking, which can cause too many lost flows in some environments. - Improve session reset detection in Netflow Session reset detection was too sensitive and not resilent against out-of-order UDP packets. - Make logDebugWrapper thread safe This structure wasn't thread safe but it was used by different threads which can cause a crash. (cherry picked from commit c47b9a2)
adriansr
added a commit
that referenced
this pull request
Jan 7, 2020
…14904) (#15350) - New NetFlow option detect_sequence_reset Add option to allow disabling sequence number tracking, which can cause too many lost flows in some environments. - Improve session reset detection in Netflow Session reset detection was too sensitive and not resilent against out-of-order UDP packets. - Make logDebugWrapper thread safe This structure wasn't thread safe but it was used by different threads which can cause a crash. (cherry picked from commit c47b9a2)
adriansr
added a commit
that referenced
this pull request
Jan 10, 2020
…tion and allow disabling (#15351) * Netflow input: Improve session reset detection and allow disabling (#14904) - New NetFlow option detect_sequence_reset Add option to allow disabling sequence number tracking, which can cause too many lost flows in some environments. - Improve session reset detection in Netflow Session reset detection was too sensitive and not resilent against out-of-order UDP packets. - Make logDebugWrapper thread safe This structure wasn't thread safe but it was used by different threads which can cause a crash. (cherry picked from commit c47b9a2)
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
…t detection and allow disabling (elastic#15351) * Netflow input: Improve session reset detection and allow disabling (elastic#14904) - New NetFlow option detect_sequence_reset Add option to allow disabling sequence number tracking, which can cause too many lost flows in some environments. - Improve session reset detection in Netflow Session reset detection was too sensitive and not resilent against out-of-order UDP packets. - Make logDebugWrapper thread safe This structure wasn't thread safe but it was used by different threads which can cause a crash. (cherry picked from commit 2325b77)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a few fixes to Netflow input:
Also this adds a new config option
check_sequence_resetto allow disable reset detection completely.