jorritfolmer
commented
6 years ago You have multiple asa's sending different templates for template_id 263. Since the codec doesn't have access to the source ip's from these asa's (because it's a codec not an input), it cant differentiate between template 263 from asa1 and template 263 from asa2.
This means that the most recent template 263 is used to decode the data packets for flowsets 263. So you get these issues when data from asa2 is decoded with the template of asa1.
Workaround 1: only send netflow from similar asa's to 1 logstash Workaround 2: patch logstash-input-udp to send metadata to the netflow codec, see the patch in https://github.com/logstash-plugins/logstash-codec-netflow/issues/76#issuecomment-320677411
jkavenaugh
robcowart
Netflow
udp { id => "input_udp_netflow" host => "${ELASTIFLOW_NETFLOW_HOST:0.0.0.0}" port => "${ELASTIFLOW_NETFLOW_PORT:2055}" codec => netflow { versions => [5,9] } receive_buffer_bytes => 16777216 workers => 16 type => "netflow" } **
I am having an issue with the flow record fields getting out of sync with the flow. In the example below (Flow Seq 109030795), this was Flow 3 in the packet. The flows before that was fine. All other flows in the sequence after 3 are shifted.
tcpdump: Flow Id: 1478275519 SrcAddr: 10.141.1.109 DstAddr: 140.100.10.16
Kibana Output: "conn_id": 2355366416 "dst_hostname": "141.1.109.140" "src_addr": "0.161.0.5"
As you can see the address 10.141.1.109 got shifted. This is happening quite a bit.
The source is an ASA 5515 9.8(2)