netsampler / goflow2

High performance sFlow/IPFIX/NetFlow Collector
BSD 3-Clause "New" or "Revised" License

Netflow v9 templateId error #309

Closed mateuspedro4 closed 4 months ago

mateuspedro4 commented 6 months ago

Hello.

I'm not able to collect NetFlow v9 data from a Cisco ASA firewall.

Having the following error:

INFO[0000] starting GoFlow2                             
INFO[0000] starting collection                           blocking=false count=1 hostname= port=2055 queue_size=1000000 scheme=netflow workers=2
WARN[0005] template error                                blocking=false count=1 error="receiver: message from [::ffff:10.130.214.254]:3068 NetFlowV9 [version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:260] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:260] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:260] Error template not found" hostname= port=2055 queue_size=1000000 scheme=netflow workers=2
WARN[0007] template error                                blocking=false count=1 error="receiver: message from [::ffff:10.130.214.254]:3068 NetFlowV9 [version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:256] Error template not found\n[version:9 type:Decode obsDomainId:0: templateId:263] Error template not found" hostname= port=2055 queue_size=1000000 scheme=netflow workers=2 

I tried to add the templateId field to the mapping.yaml, but it didn't work.

Here's the file that I'm using:

formatter:
  fields: # list of fields to format in JSON
    - type
    - time_received_ns
    - sequence_num
    - sampling_rate
    - flow_direction
    - sampler_address
    - time_flow_start_ns
    - time_flow_end_ns
    - bytes
    - packets
    - src_addr
    - src_net
    - dst_addr
    - dst_net
    - etype
    - proto
    - src_port
    - dst_port
    - in_if
    - out_if
    - src_mac
    - dst_mac
    # additional fields
    - icmp_name # virtual column
    - templateId
  key:
    - sampler_address
  protobuf: # manual protobuf fields addition
    - name: flow_direction
      index: 42
      type: varint
    - name: bi_flow_direction
      index: 41
      type: varint
    - name: ingress_vrf_id
      index: 39
      type: varint
    - name: egress_vrf_id
      index: 40
      type: varint
    - name: templateId
      index: 999
      type: varint
  render:
    time_received_ns: datetimenano
# Decoder mappings
ipfix:
  mapping:
    - field: 61
      destination: flow_direction
    - field: 239
      destination: bi_flow_direction
    - field: 234
      destination: ingress_vrf_id
    - field: 235
      destination: egress_vrf_id
    - field: 256
      destination: templateId
    - field: 263
      destination: templateId
netflowv9:
  mapping:
    - field: 34 # samplingInterval provided within the template
      destination: sampling_rate
      endian: little
    - field: 61
      destination: flow_direction
    - field: 256
      destination: templateId
    - field: 263
      destination: templateId
sflow:
  mapping:
    - layer: "udp"
      offset: 48
      length: 16
      destination: csum
    - layer: "tcp"
      offset: 128
      length: 16
      destination: csum

Command used: ./goflow2 -mapping mapping.yaml -listen=netflow://:2055

lspgn commented 6 months ago

Hello, you need to wait until your device sends a template so GoFlow2 can decode the data samples. This is configurable, refer to the doc.
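
To illustrate the reply above, here is an added example in Go (not GoFlow2's code and not part of the original thread): a minimal NetFlow v9 walker that caches templates per exporter and source ID and reports data FlowSets whose template has not arrived yet. The function name, cache key format, exporter label and sample packets are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

var be, errBad = binary.BigEndian, fmt.Errorf("malformed NetFlow v9 packet")

// Constructed packets (version 9, source ID 0): template 256 = two 4-byte fields; two data records.
var tmplPkt = []byte{1: 9, 3: 1, 20: 0, 0, 0, 16, 1, 0, 0, 2, 0, 8, 0, 4, 0, 12, 0, 4}
var dataPkt = []byte{1: 9, 3: 2, 20: 1, 0, 0, 20, 10, 0, 0, 1, 10, 0, 0, 2, 10, 0, 0, 3, 10, 0, 0, 4}

// Process walks one v9 packet (RFC 3954). cache maps "exporter/sourceID/templateID" to the
// record size in bytes. It returns the records decoded and the template IDs not yet seen.
func Process(cache map[string]int, exporter string, p []byte) (recs int, missing []uint16, err error) {
	if len(p) < 20 || be.Uint16(p) != 9 {
		return 0, nil, errBad
	}
	scope, n := fmt.Sprintf("%s/%d/", exporter, be.Uint32(p[16:])), 20
	for p = p[n:]; len(p) >= 4; p = p[n:] {
		id := be.Uint16(p) // FlowSet ID, followed by the FlowSet length
		if n = int(be.Uint16(p[2:])); n < 4 || n > len(p) {
			return recs, missing, errBad
		}
		body := p[4:n]
		if id == 0 { // template FlowSet: template ID, field count, (type, length) pairs
			for len(body) >= 4 && len(body) >= 4+4*int(be.Uint16(body[2:])) {
				tid, fc, size := be.Uint16(body), int(be.Uint16(body[2:])), 0
				for i := 0; i < fc; i++ {
					size += int(be.Uint16(body[6+4*i:]))
				}
				cache[fmt.Sprint(scope, tid)], body = size, body[4+4*fc:]
			}
		} else if size, ok := cache[fmt.Sprint(scope, id)]; id >= 256 && !ok {
			missing = append(missing, id) // "template not found": these records are dropped
		} else if id >= 256 && size > 0 {
			recs += len(body) / size // trailing padding is shorter than one record
		}
	}
	return recs, missing, nil
}

func main() {
	cache := map[string]int{}
	for _, p := range [][]byte{dataPkt, tmplPkt, dataPkt} { // data arrives before its template
		fmt.Println(Process(cache, "exporter-a", p))
	}
}
```

Flows received before the exporter's first template cannot be decoded, so a collector restart leaves a visibility gap until the exporter sends its templates again.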