Hi everyone, I send NetFlow to Elasticsearch through Logstash, but I found that some fields are not parsed.
This is my Logstash config:
input {
  udp {
    host => "163.19.1X3.XX"
    port => 5556
    codec => netflow {
      versions => [5,9]
    }
  }
}
filter {
}
output {
  elasticsearch {
    hosts => ["163.1X.16X.XX1:9200","16X.19.163.XXX:9200","163.1X.1X3.XX:9200"]
  }
  stdout { codec => rubydebug }
}
Logstash warning:
[2018-02-12T15:40:13,848][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 273, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2018-02-12T15:40:13,848][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 279, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2018-02-12T15:40:13,850][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 273, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2018-02-12T15:40:13,850][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 279, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2018-02-12T15:40:13,852][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 279, because no template to decode it with has been received. This message will usually go away after 1 minute.
This is the output in ES:
{
      "@version" => "1",
       "netflow" => {
          "l4_dst_port" => 21,
        "ipv4_dst_addr" => "69.239.43.79",
             "in_bytes" => 152,
          "l4_src_port" => 58001,
           "input_snmp" => 1256,
              "version" => 9,
          "output_snmp" => 1278,
         "flow_seq_num" => 2499610,
           "flowset_id" => 256,
        "ipv4_src_addr" => "120.104.245.40",
              "in_pkts" => 3,
             "protocol" => 6
    },
    "@timestamp" => 2018-02-12T07:40:18.000Z,
          "host" => "163.19.1X3.12"
}
There are some fields lost, such as Last switched.
The Cisco switch is NetFlow/IPFIX version 9.
Thank you in advance!
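To make the warning above concrete, here is an added Python example (not from the original post and not the Logstash netflow codec's code): a minimal NetFlow v9 decoder that caches templates per source id, refuses to decode data flowset 256 until template 256 has arrived, and then exposes which field types the template actually carries. The two packets are constructed to mimic the poster's exporter (source id 273, template 256); the field type numbers follow RFC 3954.

```python
import struct
from ipaddress import IPv4Address
# NetFlow v9 field types (RFC 3954) used here; 21 and 22 are LAST_SWITCHED and FIRST_SWITCHED
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
               11: "l4_dst_port", 12: "ipv4_dst_addr", 21: "last_switched", 22: "first_switched"}
IP_FIELDS = {8, 12}
class TemplateNotReceived(Exception): pass  # data flowset seen before its template: the Logstash warning
def parse_v9(packet, templates):
    """Decode one v9 export packet; `templates` is a per-source-id cache that must outlive the packet."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    cache, records, off = templates.setdefault(source_id, {}), [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:  # a zero/short length would otherwise loop forever on a malformed packet
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: (template_id, field_count, (type, length)...) entries
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if nfields == 0: break  # trailing padding
                cache[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:  # data flowset: its id names the template describing the records
            if fs_id not in cache:
                raise TemplateNotReceived(f"flowset id {fs_id} from source id {source_id}")
            fields, p = cache[fs_id], 0
            rec_len = sum(length for _, length in fields)
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw, p = body[p:p + flen], p + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = str(IPv4Address(raw)) if ftype in IP_FIELDS else int.from_bytes(raw, "big")
                records.append(rec)
        off += fs_len
    return records

# Constructed packets mimicking the poster's exporter: source id 273, template id 256 (not real captures)
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (21, 4), (22, 4)]
def build_packet(flowset_id, body, source_id=273):
    body += b"\x00" * (-len(body) % 4)  # flowsets are padded to a 4-byte boundary
    header = struct.pack("!HHIIII", 9, 1, 123456, 1518421213, 2499610, source_id)
    return header + struct.pack("!HH", flowset_id, 4 + len(body)) + body
TEMPLATE_PACKET = build_packet(0, struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
                               + b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS))
DATA_PACKET = build_packet(256, IPv4Address("120.104.245.40").packed + IPv4Address("69.239.43.79").packed
                           + struct.pack("!HHBIIII", 58001, 21, 6, 152, 3, 123000, 122500))
```

Feeding DATA_PACKET before TEMPLATE_PACKET raises TemplateNotReceived, which is exactly the "no template to decode it with" state; once the template is cached, inspect `templates[273][256]` to see whether field type 21 (LAST_SWITCHED) is in the exporter's template at all, since a field the template does not carry can never appear in the decoded event.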