private static void PopulateAggregationRollupData(FlowLogAggregation aggregation)
{
long flowLogsCountAccepted = 0;
long sumOfBytesAccepted = 0;
long sumOfPacketsAccepted = 0;
long flowLogsCountRejected = 0;
long sumOfBytesRejected = 0;
long sumOfPacketsRejected = 0;
foreach (var detail in aggregation.Details)
{
if (detail.Action == "accept")
{
flowLogsCountAccepted += detail.FlowLogsCount;
sumOfBytesAccepted += detail.SumOfBytes;
sumOfPacketsAccepted += detail.SumOfPackets;
}
else
{
flowLogsCountRejected += detail.FlowLogsCount;
sumOfBytesRejected += detail.SumOfBytes;
sumOfPacketsRejected += detail.SumOfPackets;
}
}
aggregation.FlowLogsCountAccepted = flowLogsCountAccepted;
aggregation.SumOfBytesAccepted = sumOfBytesAccepted;
aggregation.SumOfPacketsAccepted = sumOfPacketsAccepted;
aggregation.FlowLogsCountRejected = flowLogsCountRejected;
aggregation.SumOfBytesRejected = sumOfBytesRejected;
aggregation.SumOfPacketsRejected = sumOfPacketsRejected;
}
private static List <FlowLogAggregation> ParseAggregation(IDictionary <string, IAggregation> aggregations)
{
List <FlowLogAggregation> parsedAggregations = new List <FlowLogAggregation>();
foreach (string srcSubnetKey in aggregations.Keys)
{
var srcSubnetAggBucket = aggregations[srcSubnetKey] as Nest.Bucket;
if (srcSubnetAggBucket != null && srcSubnetAggBucket.Items != null)
{
var srcSubnetAgg = srcSubnetAggBucket.Items.FirstOrDefault() as Nest.SingleBucket;
if (srcSubnetAgg != null && srcSubnetAgg.Aggregations != null && srcSubnetAgg.Aggregations.Any())
{
foreach (var dstSubnetKey in srcSubnetAgg.Aggregations.Keys)
{
var dstSubnetAggBucket = srcSubnetAgg.Aggregations[dstSubnetKey] as Nest.Bucket;
if (dstSubnetAggBucket != null && dstSubnetAggBucket.Items != null)
{
var dstSubnetAgg = dstSubnetAggBucket.Items.FirstOrDefault() as Nest.SingleBucket;
if (dstSubnetAgg != null)
{
var flowLogAggregation = new FlowLogAggregation
{
SourceSubnet = srcSubnetKey,
DestinationSubnet = dstSubnetKey,
IsUnknownSourceSubnet = srcSubnetKey == anonymousSubnet,
IsUnknownDestinationSubnet = dstSubnetKey == anonymousSubnet,
NumberOfFlowLogs = dstSubnetAgg.DocCount
};
if (dstSubnetAgg.Aggregations.ContainsKey(sumOfBytesAggKey))
{
var sumMetric = dstSubnetAgg.Aggregations[sumOfBytesAggKey] as Nest.ValueMetric;
if (sumMetric != null && sumMetric.Value.HasValue)
{
flowLogAggregation.SumOfBytes = Convert.ToInt64(sumMetric.Value.Value);
}
}
if (dstSubnetAgg.Aggregations.ContainsKey(sumOfPacketsAggKey))
{
var sumMetric = dstSubnetAgg.Aggregations[sumOfPacketsAggKey] as Nest.ValueMetric;
if (sumMetric != null && sumMetric.Value.HasValue)
{
flowLogAggregation.SumOfPackets = Convert.ToInt64(sumMetric.Value.Value);
}
}
parsedAggregations.Add(flowLogAggregation);
}
}
}
}
}
}
return(parsedAggregations);
}
private static void PopulateAggregationMetaData(FlowLogAggregation aggregation)
{
//"11072015203903-990008671661-us-west-2-traffic-i2s-igw-10cb6e75-subnet-ac833adb"
var regex = new Regex(@"^(\d+)-(\d+)-(.*-.*-.*)-(traffic)-(.*)-(.*-.*)-(.*-.*)$");
var match = regex.Match(aggregation.AggregationIdentifier);
if (match.Groups.Count == 8)
{
aggregation.SourceId = match.Groups[6].ToString();
aggregation.DestinationId = match.Groups[7].ToString();
aggregation.SourceType = aggregation.SourceId.Split('-')[0];
aggregation.DestinationType = aggregation.DestinationId.Split('-')[0];
}
}
private static List <FlowLogAggregation> ParseAggregation(IDictionary <string, IAggregation> aggregations)
{
List <FlowLogAggregation> parsedAggregations = new List <FlowLogAggregation>();
foreach (string srcSubnetKey in aggregations.Keys)
{
var flowLogAggregation = new FlowLogAggregation();
flowLogAggregation.AggregationIdentifier = srcSubnetKey;
var listFlowLogAggregationDetail = new List <FlowLogAggregationDetail>();
var srcSubnetAggBucket = aggregations[srcSubnetKey] as Nest.Bucket;
if (srcSubnetAggBucket != null && srcSubnetAggBucket.Items != null)
{
var srcSubnetAgg = srcSubnetAggBucket.Items.FirstOrDefault() as Nest.SingleBucket;
if (srcSubnetAgg != null && srcSubnetAgg.Aggregations != null && srcSubnetAgg.Aggregations.Any())
{
if (srcSubnetAgg.Aggregations.ContainsKey(actionAggKey))
{
var actionAgg = srcSubnetAgg.Aggregations[actionAggKey] as Nest.Bucket;
if (actionAgg != null && actionAgg.Items.Any())
{
foreach (KeyItem actionAggItem in actionAgg.Items)
{
if (actionAggItem.Aggregations != null && actionAggItem.Aggregations.Any())
{
var protocolAgg = actionAggItem.Aggregations[protocolAggKey] as Nest.Bucket;
if (protocolAgg != null && protocolAgg.Items.Any())
{
foreach (KeyItem protocolAggItem in protocolAgg.Items)
{
if (protocolAggItem.Aggregations != null && protocolAggItem.Aggregations.Any())
{
if (protocolAggItem.Aggregations.ContainsKey(dstPortAggKey))
{
var dstPortAgg = protocolAggItem.Aggregations[dstPortAggKey] as Nest.Bucket;
if (dstPortAgg != null && dstPortAgg.Items.Any())
{
foreach (KeyItem dstPortAggItem in dstPortAgg.Items)
{
var flowLogAggregationDetail = new FlowLogAggregationDetail
{
FlowLogsCount = dstPortAggItem.DocCount,
Action = actionAggItem.Key,
Protocol = protocolAggItem.Key,
DstPort = dstPortAggItem.Key
};
if (dstPortAggItem.Aggregations.ContainsKey(sumOfBytesAggKey))
{
var sumMetric = dstPortAggItem.Aggregations[sumOfBytesAggKey] as Nest.ValueMetric;
if (sumMetric != null && sumMetric.Value.HasValue)
{
flowLogAggregationDetail.SumOfBytes = Convert.ToInt64(sumMetric.Value.Value);
}
}
if (dstPortAggItem.Aggregations.ContainsKey(sumOfPacketsAggKey))
{
var sumMetric = dstPortAggItem.Aggregations[sumOfPacketsAggKey] as Nest.ValueMetric;
if (sumMetric != null && sumMetric.Value.HasValue)
{
flowLogAggregationDetail.SumOfPackets = Convert.ToInt64(sumMetric.Value.Value);
}
}
listFlowLogAggregationDetail.Add(flowLogAggregationDetail);
}
}
}
}
}
}
}
}
}
}
}
}
flowLogAggregation.Details = listFlowLogAggregationDetail.ToArray();
parsedAggregations.Add(flowLogAggregation);
}
return(parsedAggregations);
}
