Hey,
I already opened an issue at elastiflow, but I think it's a problem of the codec itself.
We recently changed our Cisco ASA from 5510 to 5516 with version 9.8(4)20 and have had problems decoding the Netflow since then. Logstash displays the following messages:
Can't (yet) decode flowset id 256 from source id 0
Can't (yet) decode flowset id 260 from source id 0
Can't (yet) decode flowset id 261 from source id 0
Can't (yet) decode flowset id 263 from source id 0
The ASA sends the template every minute:
We are running the following version of ELK:
Environment for elastiflow:
I have checked with tcpdump that the templates are really sent and they are coming every minute.
What information exactly is required from the PCAP? I cannot publish any information here because of data protection.
Maybe you can already do something with the following?
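As an added diagnostic example (not code from the poster, elastiflow, or the Logstash netflow codec): the script below walks NetFlow v9 datagrams in arrival order, keyed by source id as in the messages above, and reports every data flowset id that a collector would see before any template (or options template) for it arrived. It lets you answer from your own tcpdump capture, without sharing it, which template ids the ASA actually exports and whether they cover 256, 260, 261 and 263. The `udp_payloads_from_pcap` reader assumes plain Ethernet/IPv4/UDP frames in a libpcap file and a NetFlow port you pass in; the datagrams at the bottom are constructed sample data, not traffic from the poster's ASA.

```python
import struct
from typing import Dict, List, Set, Tuple

Fields = List[Tuple[int, int]]  # (field type, field length) pairs of a template


def parse_v9_packet(data: bytes) -> Tuple[int, Dict[int, Fields], Set[int]]:
    """Parse one NetFlow v9 datagram.

    Returns (source_id, templates defined in this packet, data flowset ids used
    in this packet). Template flowset id 0, options template flowset id 1,
    data flowsets >= 256 (RFC 3954 layout).
    """
    if len(data) < 20:
        raise ValueError("truncated NetFlow v9 header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates: Dict[int, Fields] = {}
    data_ids: Set[int] = set()
    off = 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = data[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: template id, field count, fields
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id == 1:  # options template: template id, scope length, option length, fields
            p = 0
            while p + 6 <= len(body):
                tid, scope_len, opt_len = struct.unpack("!HHH", body[p:p + 6])
                p += 6
                nfields = (scope_len + opt_len) // 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256:  # data flowset, decodable only with template fs_id
            data_ids.add(fs_id)
        off += fs_len
    return source_id, templates, data_ids


def audit(datagrams: List[bytes]) -> Dict[int, Set[int]]:
    """Replay datagrams in order; return {source_id: data flowset ids seen before
    their template}. Templates in the same packet are learned first, as collectors do."""
    known: Dict[int, Set[int]] = {}
    missing: Dict[int, Set[int]] = {}
    for dg in datagrams:
        sid, templates, data_ids = parse_v9_packet(dg)
        known.setdefault(sid, set()).update(templates)
        for fid in data_ids:
            if fid not in known[sid]:
                missing.setdefault(sid, set()).add(fid)
    return missing


def udp_payloads_from_pcap(path: str, udp_port: int) -> List[bytes]:
    """Minimal libpcap reader (assumption: Ethernet/IPv4/UDP, no VLAN tags, no IPv6)."""
    out: List[bytes] = []
    with open(path, "rb") as f:
        gh = f.read(24)
        if len(gh) < 24:
            return out
        endian = "<" if gh[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        while True:
            rh = f.read(16)
            if len(rh) < 16:
                break
            _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rh)
            frame = f.read(incl_len)
            if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 17:
                continue  # not IPv4/UDP
            udp = frame[14 + (frame[14] & 0x0F) * 4:]
            dport, ulen = struct.unpack("!HH", udp[2:6])
            if dport == udp_port:
                out.append(udp[8:ulen])
    return out


def build_v9(source_id: int, flowsets: List[Tuple[int, bytes]], seq: int = 1) -> bytes:
    """Assemble a NetFlow v9 datagram from (flowset id, content) pairs (test helper)."""
    body = b"".join(struct.pack("!HH", fid, 4 + len(c)) + c for fid, c in flowsets)
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 0, seq, source_id) + body


# Constructed sample: template 256 (IPV4_SRC_ADDR, IPV4_DST_ADDR) arrives with its
# data, but data for flowset 260 arrives one packet before template 260 does.
TEMPLATE_256 = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
DATA_256 = bytes([10, 0, 0, 1, 10, 0, 0, 2])
TEMPLATE_260 = struct.pack("!HHHH", 260, 1, 1, 4)  # one field: IN_BYTES (type 1), 4 bytes
DATA_260 = b"\x00\x00\x04\x00"
SAMPLE_DATAGRAMS = [
    build_v9(0, [(0, TEMPLATE_256), (256, DATA_256), (260, DATA_260)], seq=1),
    build_v9(0, [(0, TEMPLATE_260), (260, DATA_260)], seq=2),
]

if __name__ == "__main__":
    print("sample capture:", audit(SAMPLE_DATAGRAMS))  # {0: {260}}
    # Real capture: print(audit(udp_payloads_from_pcap("asa-netflow.pcap", 2055)))
```

Run it against the capture with the port your ASA exports to; an empty result means every data flowset id was preceded by its template within that capture, and the problem is on the collector side (template keyed differently, or restarted after the template was last sent), whereas ids listed under a source mean the exporter is sending records the capture never templates.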