Closed user419 closed 7 years ago
Which version of Logstash and logstash-codec-netflow are you using? Are there any error or warning messages in the logs?
It sounds like the issue fixed in #6.
But also like the issue in #21. It is hard to tell without actual pcaps. You could try to see if the patches in the comments there fix it for you.
Closed, no feedback.
We get some netflow from different devices that sometimes have different lengths for the same types. However, in line 490 in logstash-codec-netflow/lib/logstash/codecs/netflow.rb:

    field[0] = uint_field(length, field[0]) if field[0].is_a?(Integer)

This overrides the length with the length from the actual netflow template provided by the device, but only if the length in the netflow.yaml (defaults) is an integer. Because sometimes a netflow type has a different length across devices (IOS vs IOS XR), the default in netflow.yaml is not to be used. I observed the correct length provided by the router and passed to the netflow_field_for function, but it was not picked up because the same type is in the netflow.yaml and the corresponding length is not an integer but a symbol.
For example in netflow.yaml: 3:
Whenever a router sends a template with a different length for type 3 and type 4 fields, the new length for the type 3 field will be picked up, but the new length for the type 4 field will stick with the :uint8, ignoring the provided template.
My problem was solved by changing all :uint notations to integers in the netflow.yaml (which may not be the 'right' solution).
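
A simplified model of the behaviour this report describes, as an added example that is not part of the original issue and is not the codec's own code. It shows how one ignored template length shifts every later field in the record. The defaults table, the field names (taken from the NetFlow v9 field types), the template, the record and the `honor_template` switch are all constructed for illustration.

```ruby
# Constructed defaults: type 3 has an Integer length, type 4 a fixed :uint8 symbol.
DEFAULTS = { 3 => [4, :flows], 4 => [:uint8, :protocol], 7 => [2, :l4_src_port] }.freeze
SYMBOL_WIDTH = { uint8: 1, uint16: 2, uint32: 4, uint64: 8 }.freeze

# Width in bytes used to read one template field.
# honor_template: false mirrors the reported behaviour: the template length
# replaces the default only when the default is an Integer.
# honor_template: true (hypothetical switch) also resizes :uintN defaults.
def field_width(type, template_len, honor_template: false)
  default, name = DEFAULTS.fetch(type)
  width =
    if default.is_a?(Integer) || (honor_template && SYMBOL_WIDTH.key?(default))
      template_len
    else
      SYMBOL_WIDTH.fetch(default)
    end
  [name, width]
end

# Decode one data record as big-endian unsigned integers, using a template
# given as [[type, length], ...]. Returns the fields and the unread byte count.
def decode(record, template, honor_template: false)
  offset = 0
  fields = template.each_with_object({}) do |(type, len), out|
    name, width = field_width(type, len, honor_template: honor_template)
    bytes = record.byteslice(offset, width).to_s
    out[name] = bytes.bytes.inject(0) { |acc, b| (acc << 8) | b }
    offset += width
  end
  [fields, record.bytesize - offset]
end

# Constructed template: the exporter sends type 3 as 8 bytes and type 4 as 2 bytes.
TEMPLATE = [[3, 8], [4, 2], [7, 2]].freeze
# Constructed record: flows=1, protocol=6, l4_src_port=443.
RECORD = [1].pack('Q>') + [6, 443].pack('n2')

reported, leftover = decode(RECORD, TEMPLATE)
honored, clean = decode(RECORD, TEMPLATE, honor_template: true)
puts "reported behaviour: #{reported} unread=#{leftover}"
puts "template honoured:  #{honored} unread=#{clean}"
```

A non-zero unread byte count after decoding a record is a cheap signal that the decoder's field widths no longer match the exporter's template.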