Closed supernomad closed 8 years ago
Hi,
Could you please configure it like this:
input {
  udp {
    port => 6343
    codec => sflow {
      snmp_interface => false
    }
    type => sflow
  }
}
There is in fact by default an SNMP call to get some interface resolution in order to resolve the source id index. I think that it is stuck here. I will change this parameter to be set to false by default, but please test it like that first to ensure that it is the root cause of your issue. For the warning event this is a "normal" behaviour, as no counter or sample flow with enterprise field set to 0 and format field set to 0 is managed. From the sflow specifications I can't see any counter or sample flow with such IDs (http://www.sflow.org/developers/structures.php). For this warning I will need a tcpdump containing just these sflow events with format set to 0 in order to try adding it.
Awesome, thanks for the information. I will test this out and see what happens. I will update with my results.
Any news @Supernomad
So I have installed this plugin into logstash using
bin/plugin install logstash-codec-plugin
and set up a new input: There are no filters, and its output should be sent directly to elasticsearch. However this is not happening; in actuality we are getting the following error:
{:timestamp=>"2016-05-04T21:12:34.527000+0000", :message=>"Unknown record entreprise 0, format 0", :level=>:warn}
We have confirmed our switches are outputting to the configured port with tcpdump and sflowtool, and with these tools have been able to confirm we are outputting sflow v5 metrics.
logstash version: 2.2.0
codec version: 1.0.0
Any help would be greatly appreciated, as we have resorted to using sflowtool and a pipe input for logstash, which feels wrong.
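To triage the "Unknown record entreprise 0, format 0" warning against a tcpdump capture, here is an added Python example (not code from this thread or from the sflow codec it discusses) that walks an sFlow v5 datagram and reports the enterprise/format pair of every sample and every record inside it, flagging pairs the spec at http://www.sflow.org/developers/structures.php does not define. The datagram bytes are constructed inline for the demonstration; in practice you would feed it the UDP payload of each packet from the capture. The record-name tables cover only the enterprise 0 formats listed in the standard structures page; anything else is reported as unknown.

```python
"""Walk an sFlow v5 datagram and report the (enterprise, format) of every
sample and record, flagging ones the sFlow v5 spec does not define."""
import struct

# Standard (enterprise 0) record formats from the sFlow v5 structures page.
FLOW_RECORDS = {1: "sampled_header", 2: "sampled_ethernet", 3: "sampled_ipv4",
                4: "sampled_ipv6", 1001: "extended_switch", 1002: "extended_router"}
COUNTER_RECORDS = {1: "if_counters", 2: "ethernet_counters", 3: "tokenring_counters",
                   4: "vg_counters", 5: "vlan_counters", 1001: "processor"}
# Fixed header size (in 32-bit words) of each standard sample type; the last
# word of each header is the record count.  1/2 = flow/counter sample,
# 3/4 = expanded flow/counter sample.
SAMPLE_HEADER_WORDS = {1: 8, 2: 3, 3: 11, 4: 4}


def split_format(word):
    """data_format = enterprise << 12 | format (both samples and records)."""
    return word >> 12, word & 0xFFF


def parse_sample(ent, fmt, body):
    sample = {"enterprise": ent, "format": fmt, "records": [], "known": False}
    if ent != 0 or fmt not in SAMPLE_HEADER_WORDS:
        return sample  # vendor-specific or undefined sample type: keep it opaque
    sample["known"] = True
    nwords = SAMPLE_HEADER_WORDS[fmt]
    words = struct.unpack_from("!%dI" % nwords, body, 0)
    if fmt in (1, 2):  # compact source_id: type in top byte, index in low 24 bits
        sample["source_type"], sample["source_index"] = words[1] >> 24, words[1] & 0xFFFFFF
    else:              # expanded samples carry type and index as two words
        sample["source_type"], sample["source_index"] = words[1], words[2]
    off = 4 * nwords
    table = FLOW_RECORDS if fmt in (1, 3) else COUNTER_RECORDS
    for _ in range(words[-1]):
        rec_word, rec_len = struct.unpack_from("!II", body, off)
        off += 8
        rent, rfmt = split_format(rec_word)
        name = table.get(rfmt) if rent == 0 else None
        sample["records"].append({"enterprise": rent, "format": rfmt,
                                  "length": rec_len, "name": name})
        off += rec_len  # record payload is not decoded here
    return sample


def parse_datagram(buf):
    version, addr_type = struct.unpack_from("!II", buf, 0)
    if version != 5:
        raise ValueError("not an sFlow v5 datagram (version %d)" % version)
    off = 8
    if addr_type == 1:
        agent = ".".join(str(b) for b in buf[off:off + 4]); off += 4
    elif addr_type == 2:
        agent = buf[off:off + 16].hex(); off += 16
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    sub_agent, seq, uptime, nsamples = struct.unpack_from("!IIII", buf, off)
    off += 16
    samples = []
    for _ in range(nsamples):
        fmt_word, length = struct.unpack_from("!II", buf, off)
        off += 8
        body = buf[off:off + length]
        if len(body) != length:
            raise ValueError("truncated sample")
        off += length
        samples.append(parse_sample(*split_format(fmt_word), body))
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime, "samples": samples}


def unknown_records(datagram):
    """(source_index, enterprise, format) of every record the spec does not name."""
    return [(s["source_index"], r["enterprise"], r["format"])
            for s in datagram["samples"] if s["known"]
            for r in s["records"] if r["name"] is None]


# --- constructed sample datagram (not a real capture) -----------------------
def _record(ent, fmt, payload):
    return struct.pack("!II", (ent << 12) | fmt, len(payload)) + payload

def _flow_sample(seq, ifindex, records):
    body = struct.pack("!8I", seq, ifindex, 512, 100000, 0, ifindex, 0, len(records))
    return struct.pack("!II", 1, len(body) + sum(map(len, records))) + body + b"".join(records)

def _counter_sample(seq, ifindex, records):
    body = struct.pack("!III", seq, ifindex, len(records))
    return struct.pack("!II", 2, len(body) + sum(map(len, records))) + body + b"".join(records)

SAMPLE_DATAGRAM = (
    struct.pack("!II4B", 5, 1, 192, 0, 2, 10)   # version 5, IPv4 agent 192.0.2.10
    + struct.pack("!IIII", 0, 42, 123456, 2)    # sub-agent 0, seq 42, uptime, 2 samples
    + _flow_sample(7, 3, [_record(0, 1, b"\x00" * 16)])          # sampled_header stand-in
    + _counter_sample(8, 3, [_record(0, 1, b"\x00" * 88),        # if_counters (88 bytes)
                             _record(0, 0, b"\x00" * 4)])        # undefined: enterprise 0, format 0
)

if __name__ == "__main__":
    dg = parse_datagram(SAMPLE_DATAGRAM)
    print("agent %s seq %d samples %d" % (dg["agent"], dg["sequence"], len(dg["samples"])))
    for s in dg["samples"]:
        print("  sample ent=%d fmt=%d records=%s" % (s["enterprise"], s["format"],
              [(r["enterprise"], r["format"], r["name"]) for r in s["records"]]))
    for src, ent, fmt in unknown_records(dg):
        print("Unknown record enterprise %d, format %d (source index %d)" % (ent, fmt, src))
```

Running it on the constructed datagram reports the flow sample's sampled_header record as known and flags the counter sample's enterprise 0 / format 0 record, which is the same condition that produces the warning in the issue. Pointing the parser at the real capture tells you which source index (interface) and which sample type carries the undefined record, which is what a maintainer needs before deciding whether to decode or skip it.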