codeout
commented
8 years ago How about doing this by using record_transformer filter plugin?
For instance, while
# fluentd.conf
<source>
@type netflow
bind 127.0.0.1
tag example.netflow
</source>
<match example.netflow>
@type stdout
</match>$ NetFlow-Generator/flowgen -n1 -p5140 localhostreports "last_switched":"2016-08-05T07:09:12.715Z",
# fluentd.conf
<source>
@type netflow
bind 127.0.0.1
tag example.netflow
</source>
<filter example.netflow>
@type record_transformer
<record>
last_switched ${Time.parse(last_switched) - 4294967}
</record>
</filter>
<match example.netflow>
@type stdout
</match>reports "last_switched":"2016-06-16 14:06:16 UTC".
(See https://github.com/mshindo/NetFlow-Generator for flowgen)
I agree that every netflow collector behaves like you pointed out due to the 32 bit length of timestamp field, but IMHO, it sounds reasonable that netflow collector respects and even mistakes timestamp of flow data because current and 49 days-old flow data are completely same.
If we are replaying recorded flow data and have to tweak the timestamp, I would think that we should update timestamp, by record_transformer or something like that, after flow collector collects the data.
repeatedly
t-umeno
add: option switched_times_minus_49_7d
When a PCAP file to convert to NetFlow is older than system bootup time,
first_switchedandlast_switchedare added multiple of 2^32/1000 seconds (about 49.7days). This option decrease multiple of 2^32/1000 seconds fromfirst_switchedandlast_switched. (Default: 0)Please read http://www.slideshare.net/TakashiUmeno/softflowd497d20160723