logstash-plugins / logstash-codec-netflow

Apache License 2.0

Unsupported field in template 258 {:type=>44999, :length=>32} [Cisco ASR-1001-X] #184

Closed smaxx1337 closed 4 years ago

smaxx1337 commented 4 years ago

Error message:

[2019-09-02T09:51:06,601][WARN ][logstash.codecs.netflow ] Unsupported field in template 258 {:type=>44999, :length=>32}
[2019-09-02T09:51:06,602][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 258 from source id 6, because no template to decode it with has been received. This message will usually go away after 1 minute.

/etc/logstash/elastiflow/conf.d/10_input_netflow_ipv4.logstash.conf

input {
  # Netflow
  udp {
    id => "input_udp_netflow_ipv4"
    host => "${ELASTIFLOW_NETFLOW_IPV4_HOST:0.0.0.0}"
    port => "${ELASTIFLOW_NETFLOW_IPV4_PORT:2055}"
    workers => "${ELASTIFLOW_NETFLOW_UDP_WORKERS:4}"
    queue_size => "${ELASTIFLOW_NETFLOW_UDP_QUEUE_SIZE:2048}"
    receive_buffer_bytes => "${ELASTIFLOW_NETFLOW_UDP_RCV_BUFF:33554432}"
    codec => netflow {
      versions => [5,9,10]
      include_flowset_id => "true"
      netflow_definitions => "${ELASTIFLOW_DEFINITION_PATH:/etc/logstash/elastiflow/definitions}/netflow.yml"
      ipfix_definitions => "${ELASTIFLOW_DEFINITION_PATH:/etc/logstash/elastiflow/definitions}/ipfix.yml"
    }
    type => "netflow"
  }
}

Also, it says it will go away in 1 minute, but I have been running Logstash, Elasticsearch, ElastiFlow and Kibana for a week now.

smaxx1337 commented 4 years ago

Is there any fix for this available? It still says it can't decode the template.