Merge pull request #52 from eranra/conn_tracing

add support for connection tracking

Author: eranra

Makefile

@@ -81,7 +81,7 @@ clean: ## Clean
 # note: to review coverage execute: go tool cover -html=/tmp/coverage.out
 .PHONY: test
 test: validate_go ## Test
-	go test -race -covermode=atomic -coverprofile=/tmp/coverage.out ./...
+	go test -p 1 -race -covermode=atomic -coverprofile=/tmp/coverage.out ./...
 
 # note: to review profile execute: go tool pprof -web /tmp/flowlogs2metrics-cpu-profile.out (make sure graphviz is installed)
 .PHONY: benchmarks

README.md

@@ -275,6 +275,10 @@ pipeline:
           output: match-10.0
           type: add_regex_if
           parameters: 10.0.*
+        - input: "{{.srcIP}},{{.srcPort}},{{.dstIP}},{{.dstPort}},{{.protocol}}"
+          output: isNewFlow
+          type: conn_tracking
+          parameters: "1"
 ```
 
 The first rule `add_subnet` generates a new field named `srcSubnet` with the 
@@ -306,11 +310,15 @@ All the kubernetes fields will be named by appending `output` value
 > 2. using `KUBECONFIG` environment variable
 > 3. using local `~/.kube/config`
 
-The sixth `add_regex_if` generates a new field named `match-10.0` that contains
-the contents of the `srcSubnet` field for entries that match regex expression specified
+The sixth rule `add_regex_if` generates a new field named `match-10.0` that contains
+the contents of the `srcSubnet` field for entries that match regex expression specified 
 in the `parameters` variable. In addition, the field `match-10.0_Matched` with 
 value `true` is added to all matched entries
 
+The seventh rule `conn_tracking` generates a new field named `isNewFlow` that contains
+the contents of the `parameters` variable **only for new entries** (first seen in 120 seconds) 
+that match hash of template fields from the `input` variable. 
+
 
 > Note: above example describes all available transform network `Type` options
 > Note: above transform is essential for the `aggregation` phase  

contrib/kubernetes/flowlogs2metrics.conf.yaml

@@ -135,7 +135,7 @@ pipeline:
     - name: dest_connection_subnet_count
       by:
       - dstSubnet
-      operation: count
+      operation: sum
       recordkey: ""
     - name: src_connection_count
       by:
@@ -203,16 +203,18 @@ pipeline:
   transform:
   - generic:
       rules:
-      - input: DstAddr
-        output: dstIP
       - input: SrcAddr
         output: srcIP
-      - input: Bytes
-        output: bytes
+      - input: SrcPort
+        output: srcPort
+      - input: DstAddr
+        output: dstIP
       - input: DstPort
         output: dstPort
       - input: Proto
         output: proto
+      - input: Bytes
+        output: bytes
       - input: TCPFlags
         output: TCPFlags
       - input: SrcAS
@@ -238,6 +240,10 @@ pipeline:
         output: srcSubnet
         type: add_subnet
         parameters: /16
+      - input: '{{.srcIP}},{{.srcPort}},{{.dstIP}},{{.dstPort}},{{.proto}}'
+        output: isNewFlow
+        type: conn_tracking
+        parameters: "1"
       - input: dstIP
         output: dstSubnet
         type: add_subnet

docs/api.md

@@ -50,6 +50,7 @@ Following is the supported API format for network transformations:
                  input: entry input field
                  output: entry output field
                  type: (enum) one of the following:
+                     conn_tracking: set output field to value of parameters field only for new flows by matching template in input field
                      add_regex_if: add output field if input field satisfies regex pattern from parameters field
                      add_if: add output field if input field satisfies criteria from parameters field
                      add_subnet: add output subnet field from input field and prefix length from parameters field

docs/metrics.md

@@ -51,10 +51,10 @@ and the transformation to generate the exported metric.
 ### connection rate per dest subnet
 | **Description** | This metric observes network connections rate per destination subnet | 
 |:---|:---|
-| **Details** | Counts the number of connections per subnet with network prefix length /16 | 
+| **Details** | Counts the number of connections per subnet with network prefix length /16 (using conn_tracking sum isNewFlow field) | 
 | **Usage** | Evaluate network connections per subnet | 
 | **Labels** | rate, subnet |
-| **Operation** | aggregate by `dstSubnet` and `count`  |
+| **Operation** | aggregate by `dstSubnet` and `sum`  |
 | **Exposed as** | `fl2m_connections_per_destination_subnet` of type `gauge` |
 | **Visualized as** | "Connections rate per destinationIP /16 subnets" on dashboard `details` |
 |||  

network_definitions/bandwidth_per_network_service.yaml

@@ -22,7 +22,7 @@ extract:
       by:
         - service
       operation: sum
-      RecordKey: bytes
+      recordKey: bytes
 encode:
   type: prom
   prom:

network_definitions/bandwidth_per_src_dest_subnet.yaml

@@ -27,7 +27,7 @@ extract:
         - dstSubnet24
         - srcSubnet24
       operation: sum
-      RecordKey: bytes
+      recordKey: bytes
 encode:
   type: prom
   prom:

network_definitions/bandwidth_per_src_subnet.yaml

@@ -22,7 +22,7 @@ extract:
       by:
         - srcSubnet
       operation: sum
-      RecordKey: bytes
+      recordKey: bytes
 encode:
   type: prom
   prom:

network_definitions/config.yaml

@@ -10,16 +10,18 @@ ingest:
 transform:
   generic:
     rules:
-      - input: DstAddr
-        output: dstIP
       - input: SrcAddr
         output: srcIP
-      - input: Bytes
-        output: bytes
+      - input: SrcPort
+        output: srcPort
+      - input: DstAddr
+        output: dstIP
       - input: DstPort
         output: dstPort
       - input: Proto
         output: proto
+      - input: Bytes
+        output: bytes
       - input: TCPFlags
         output: TCPFlags
       - input: SrcAS

network_definitions/connection_rate_per_dest_subnet.yaml

@@ -2,14 +2,18 @@
 description:
   This metric observes network connections rate per destination subnet
 details:
-  Counts the number of connections per subnet with network prefix length /16
+  Counts the number of connections per subnet with network prefix length /16 (using conn_tracking sum isNewFlow field)
 usage:
   Evaluate network connections per subnet
 labels:
   - rate
   - subnet
 transform:
   rules:
+    - input: "{{.srcIP}},{{.srcPort}},{{.dstIP}},{{.dstPort}},{{.proto}}"
+      output: isNewFlow
+      type: conn_tracking
+      parameters: "1"
     - input: dstIP
       output: dstSubnet
       type: add_subnet
@@ -20,7 +24,8 @@ extract:
     - name: dest_connection_subnet_count
       by:
         - dstSubnet
-      operation: count
+      operation: sum
+      recordKey: isNewFlow
 encode:
   type: prom
   prom: