[extension/awslogs_encoding] Add support for VPC flow logs in plain text file format #38897
Conversation
| formatVPCFlowLog = "vpc_flow_log" | ||
|
|
||
| fileFormatPlainText = "plain-text" | ||
| fileFormatParquet = "parquet" |
There was a problem hiding this comment.
gotta document those somewhere eventually. Not in this PR, it's fine.
...ncodingextension/internal/unmarshaler/vpc-flow-log/testdata/valid_vpc_flow_log_expected.yaml
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
extension/encoding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/const.go
Outdated
Show resolved
Hide resolved
| var errGzipReader error | ||
| gzipReader, ok := v.gzipPool.Get().(*gzip.Reader) | ||
| if !ok { | ||
| gzipReader, errGzipReader = gzip.NewReader(bytes.NewReader(content)) | ||
| } else { | ||
| errGzipReader = gzipReader.Reset(bytes.NewReader(content)) | ||
| } | ||
| if errGzipReader != nil { | ||
| if gzipReader != nil { | ||
| v.gzipPool.Put(gzipReader) | ||
| } | ||
| return plog.Logs{}, fmt.Errorf("failed to decompress content: %w", errGzipReader) | ||
| } | ||
| defer func() { | ||
| _ = gzipReader.Close() | ||
| v.gzipPool.Put(gzipReader) | ||
| }() |
There was a problem hiding this comment.
Not for now, but at some point we should look at extracting this into some common code.
There was a problem hiding this comment.
I agree. Too many unmarshalers having this :)
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
| case "srcaddr": | ||
| record.Attributes().PutStr("source.layer.address", value) | ||
| case "dstaddr": | ||
| record.Attributes().PutStr("destination.layer.address", value) |
There was a problem hiding this comment.
The default format only includes srcaddr and dstaddr, and not pkt-srcaddr or pkt-dstaddr. I think in that case we should still set the standard SemConv fields where we can. Also, as mentioned in the other thread, I think if all 4 are available then we should set https://opentelemetry.io/docs/specs/semconv/attributes-registry/network/#network-peer-address depending on the traffic direction.
Unfortunately the default format doesn't include traffic direction either, otherwise I think we could use that to pick the relevant address for source.address or destination.address, and the other for network.peer.address.
The only other option I can think of is: if pkt-srcaddr and pkt-dstaddr are not present, use srcaddr and dstaddr for source.address and destination.address. May be incorrect in the presence of NAT, but we can document this and how to resolve it (i.e. by including pkt-*addr).
There was a problem hiding this comment.
The default format only includes srcaddr and dstaddr, and not pkt-srcaddr or pkt-dstaddr.
We aren't settling for the default format. Even a custom format is included in the first line. That's what we are following, so I think we should handle this case already.
There was a problem hiding this comment.
I understand we'll handle all the formats, what I meant is that a user may have configured a VPC flow log with just the default format, in which case pkt-* won't be present.
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Outdated
Show resolved
Hide resolved
...oding/awslogsencodingextension/internal/unmarshaler/vpc-flow-log/vpc_flow_log_unmarshaler.go
Show resolved
Hide resolved
| // protocolNames are needed to know the name of the protocol number given by the field | ||
| // protocol in a flow log record. | ||
| // See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. | ||
| var protocolNames = [143]string{ |
There was a problem hiding this comment.
I don't think the indices are all correct now. https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml says "nsh" is 145, but we only have 143 entries.
What I was suggesting before is to use this syntax:
var protocolNames = [...]string{
0: "hopopt",
// etc.
255: "reserved",
}There was a problem hiding this comment.
Oh, you are absolutely correct 🤔
There was a problem hiding this comment.
But then the easier way would be to have a map[int]string, don't you think? Otherwise we need empty values for numbers that do not map to any protocol name.
There was a problem hiding this comment.
I think this is a fair tradeoff when there's only 256 entries.
There was a problem hiding this comment.
Description
Add support for VPC flow logs sent to S3 in plain text format.
Link to tracking issue
Fixes #38896.
Testing
There are new unit tests added.
Documentation
Comments in the code and unit tests should be enough.
Fields are mapped this way:
versionaws.vpc.flow.log.versionaccount-idcloud.account.idinterface-idaws.eni.idsrcaddrsource.addressornetwork.peer.addresspkt-srcaddrsource.addressdstaddrdestination.addressornetwork.peer.addresspkt-dstaddrdestination.addresssrcportsource.portdstportdestination.portprotocolnetwork.protocol.namepacketsaws.vpc.flow.packetsbytesaws.vpc.flow.bytesstartaws.vpc.flow.startendactionaws.vpc.flow.actionlog-statusaws.vpc.flow.statusvpc-idaws.vpc.idsubnet-idaws.vpc.subnet.idinstance-idhost.idtcp-flagsnetwork.tcp.flagstypenetwork.typeregioncloud.regionaz-idaws.az.idsublocation-typeaws.sublocation.typesublocation-idaws.sublocation.idpkt-src-aws-serviceaws.vpc.flow.source.servicepkt-dst-aws-serviceaws.vpc.flow.destination.serviceflow-directionnetwork.io.directiontraffic-pathaws.vpc.flow.traffic_pathecs-cluster-arnaws.ecs.cluster.arnecs-cluster-nameaws.ecs.cluster.nameecs-container-instance-arnaws.ecs.container.instance.arnecs-container-instance-idaws.ecs.container.instance.idecs-container-idaws.ecs.container.idecs-second-container-idaws.ecs.second.container.arnecs-service-nameaws.ecs.service.nameecs-task-definition-arnaws.ecs.task.definition.arnecs-task-arnaws.ecs.task.arnecs-task-idaws.ecs.task.idreject-reasonaws.vpc.flow.reject_reason