logstash-plugins / logstash-codec-netflow

Apache License 2.0

if_name field not matching device Interfaces #31

Closed spirrello closed 8 years ago

spirrello commented 8 years ago

Hi,

The if_name field appears to not match when we export NetFlow v9 from our ISR routers. Has anyone else reported this problem yet? Below is my template.

```json
{
  "template": "logstash_netflow9-*",
  "settings": { "index.refresh_interval": "5s" },
  "mappings": {
    "default": {
      "_all": { "enabled": false },
      "properties": {
        "@version": { "index": "analyzed", "type": "integer" },
        "@timestamp": { "index": "analyzed", "type": "date" },
        "netflow": {
          "dynamic": true,
          "type": "object",
          "properties": {
            "version": { "index": "analyzed", "type": "integer" },
            "flow_seq_num": { "index": "not_analyzed", "type": "long" },
            "engine_type": { "index": "not_analyzed", "type": "integer" },
            "engine_id": { "index": "not_analyzed", "type": "integer" },
            "sampling_algorithm": { "index": "not_analyzed", "type": "integer" },
            "sampling_interval": { "index": "not_analyzed", "type": "integer" },
            "flow_records": { "index": "not_analyzed", "type": "integer" },
            "if_name": { "index": "analyzed", "type": "string" },
            "ipv4_src_addr": { "index": "analyzed", "type": "ip" },
            "ipv4_dst_addr": { "index": "analyzed", "type": "ip" },
            "ipv4_next_hop": { "index": "analyzed", "type": "ip" },
            "input_snmp": { "index": "not_analyzed", "type": "long" },
            "output_snmp": { "index": "not_analyzed", "type": "long" },
            "in_pkts": { "index": "analyzed", "type": "long" },
            "out_pkts": { "index": "analyzed", "type": "long" },
            "in_bytes": { "index": "analyzed", "type": "long" },
            "out_bytes": { "index": "analyzed", "type": "long" },
            "first_switched": { "index": "not_analyzed", "type": "date" },
            "last_switched": { "index": "not_analyzed", "type": "date" },
            "l4_src_port": { "index": "analyzed", "type": "long" },
            "l4_dst_port": { "index": "analyzed", "type": "long" },
            "tcp_flags": { "index": "analyzed", "type": "integer" },
            "protocol": { "index": "analyzed", "type": "integer" },
            "src_tos": { "index": "analyzed", "type": "integer" },
            "src_as": { "index": "analyzed", "type": "integer" },
            "dst_as": { "index": "analyzed", "type": "integer" },
            "src_mask": { "index": "analyzed", "type": "integer" },
            "dst_mask": { "index": "analyzed", "type": "integer" }
          }
        }
      }
    }
  }
}
```

jordansissel commented 8 years ago

@spirrello I'm not sure I have enough information. Can you elaborate on what you mean by 'if_name field not matching' ? What isn't matching? Can you show an example of an event with if_name and show me what you expected it to be?

spirrello commented 8 years ago

For instance, I'm not seeing any results within Kibana with that field. I can't give you an example of an event with that field because we're not seeing anything show up for it. However, we are exporting that field from our router.


jorritfolmer commented 8 years ago

@spirrello Can you post a .pcap file of the Netflow traffic going into your logstash instance so we can look at it? 10 minutes should be enough if there is some traffic on the routers.

```
tcpdump -i eth0 -s 0 -w /tmp/cisco_isr_netflow_v9.pcap 'udp and (port 9995 or port 2055)'
```
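Before sending a capture around, the quickest way to settle whether the exporter ever sends IF_NAME is to read the template FlowSets out of the NetFlow v9 packets yourself. The following is an added example, not code from logstash-codec-netflow: it parses the v9 packet header and any template FlowSet (id 0), lists the field types each template carries, and reports whether type 82 (IF_NAME in the NetFlow v9 field registry) is among them. The two templates at the bottom are constructed for the example; the first mimics a Flexible NetFlow record without interface names, the second adds an IF_NAME field. The sample packet builder and the small name table are also assumptions made for this example and only cover the handful of types needed here. Data records are not decoded; for this question only the templates matter.

```ruby
# Added example (not part of logstash-codec-netflow): inspect the template
# FlowSets of NetFlow v9 export packets to see which field types the
# exporter actually sends. Feed parse_netflow_v9 the UDP payload of each
# packet from a capture.

# Subset of the NetFlow v9 field-type registry, enough for this example.
NETFLOW_V9_FIELD_NAMES = {
  1 => "in_bytes", 2 => "in_pkts", 4 => "protocol", 7 => "l4_src_port",
  8 => "ipv4_src_addr", 10 => "input_snmp", 11 => "l4_dst_port",
  12 => "ipv4_dst_addr", 14 => "output_snmp", 21 => "last_switched",
  22 => "first_switched", 82 => "if_name", 83 => "if_desc"
}.freeze
IF_NAME_TYPE = 82

# Parse one NetFlow v9 packet (raw UDP payload, binary string).
# Returns the header fields, every template found ({template_id => [[type, len], ...]})
# and the ids of the data FlowSets present (ids > 255 refer to a template).
def parse_netflow_v9(payload)
  payload = payload.b # force byte-wise indexing even if caller passed UTF-8
  raise ArgumentError, "packet too short (#{payload.bytesize} bytes)" if payload.bytesize < 20
  version, count, sys_uptime, unix_secs, seq, source_id = payload.unpack("nnNNNN")
  raise ArgumentError, "not NetFlow v9 (version #{version})" unless version == 9

  templates = {}
  data_flowsets = []
  offset = 20
  while offset + 4 <= payload.bytesize
    flowset_id, length = payload[offset, 4].unpack("nn")
    if length < 4 || offset + length > payload.bytesize
      raise ArgumentError, "bad FlowSet length #{length} at offset #{offset}"
    end
    flowset_end = offset + length
    if flowset_id == 0 # template FlowSet: one or more template records
      pos = offset + 4
      while pos + 4 <= flowset_end
        template_id, field_count = payload[pos, 4].unpack("nn")
        break if template_id < 256 # zero padding to a 4-byte boundary, not a template
        pos += 4
        raise ArgumentError, "truncated template #{template_id}" if pos + field_count * 4 > flowset_end
        templates[template_id] = Array.new(field_count) do
          type, flen = payload[pos, 4].unpack("nn")
          pos += 4
          [type, flen]
        end
      end
    elsif flowset_id > 255 # data FlowSet; id 1 (options template) is ignored here
      data_flowsets << flowset_id
    end
    offset = flowset_end
  end

  { version: version, count: count, sys_uptime: sys_uptime, unix_secs: unix_secs,
    seq: seq, source_id: source_id, templates: templates, data_flowsets: data_flowsets }
end

# Human-readable field list for one template.
def template_field_names(fields)
  fields.map { |type, len| "#{NETFLOW_V9_FIELD_NAMES.fetch(type, "type_#{type}")}(#{len})" }
end

# True if any template in the parsed packet carries IF_NAME (type 82).
def exports_if_name?(parsed)
  parsed[:templates].values.any? { |fields| fields.any? { |type, _len| type == IF_NAME_TYPE } }
end

# Build a minimal v9 packet holding a single template record (constructed test input).
def build_v9_template_packet(template_id, fields, unix_secs: 1_451_336_000)
  record  = [template_id, fields.size].pack("nn") + fields.map { |t, l| [t, l].pack("nn") }.join
  flowset = [0, 4 + record.bytesize].pack("nn") + record
  header  = [9, 1, 0, unix_secs, 1, 0].pack("nnNNNN") # version, count, uptime, secs, seq, source_id
  header + flowset
end

# Constructed sample templates: FNF-style record without interface names, and the same with IF_NAME.
SAMPLE_FNF_TEMPLATE = [[8, 4], [12, 4], [10, 4], [14, 4], [1, 4], [2, 4], [7, 2], [11, 2], [4, 1]].freeze
SAMPLE_TEMPLATE_WITH_IF_NAME = (SAMPLE_FNF_TEMPLATE + [[IF_NAME_TYPE, 32]]).freeze

if __FILE__ == $0
  [[256, SAMPLE_FNF_TEMPLATE], [257, SAMPLE_TEMPLATE_WITH_IF_NAME]].each do |tid, fields|
    parsed = parse_netflow_v9(build_v9_template_packet(tid, fields))
    puts "template #{tid}: #{template_field_names(parsed[:templates][tid]).join(' ')}"
    puts "  exports if_name? #{exports_if_name?(parsed)}"
  end
end
```

If none of the templates in a capture lists type 82, the codec never had an if_name value to emit and the Elasticsearch mapping for that field is irrelevant; if a template does list it but the field is still missing from events, the problem is further downstream.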

spirrello commented 8 years ago

Thanks for the follow up. As it turns out, we're using Cisco's Flexible Netflow exporting v9 and it actually doesn't provide this information. You can close this issue and again, thanks for responding so quickly.

jorritfolmer commented 8 years ago

There does seem to be a collect interface statement for Flexible Netflow, based on the Cisco IOS command reference. Not sure if it's exposed on your ISRs though.