Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute on logstash 7.17 and elasticsearch 7.17

Hi,

My config file for Logstash looks like this:

input {
  snmp {
    hosts => [{host => "udp:192.168.56.3/161" version => "3"}]
    get => ["1.3.6.1.2.1.25.3.3.1.2.1", "1.3.6.1.2.1.25.2.3.1.5.65536", "1.3.6.1.2.1.25.2.3.1.6.65536", "1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.31.1.1.1.7.1", "1.3.6.1.2.1.31.1.1.1.11.1", "1.3.6.1.2.1.1.1.0"]
    security_name => "snmp-v3"
    auth_protocol => "md5"
    auth_pass => "6#xE#n^@&67b$@*Q"
    priv_protocol => "des"
    priv_pass => "##Su47@^*G8!S^t!"
    security_level => "authPriv"
    type => "snmp"
  }

  udp {
    port => 9995
    codec => netflow {versions => [5, 9]}
    type => "netflow"
  }
}

filter {
  mutate {
    convert => { "[netflow][ipv4_src_addr]" => "string" }
  }
  geoip {
    source => "[netflow][ipv4_src_addr]"
  }
}

output {
  if [type] == "snmp" {
     elasticsearch {
       hosts => ["192.168.56.102:9200"]
       index => "snmp-metrics"
       user => "christian"
       password => "Hanginium2412#Dilemma"
     }
  }

  if [type] == "netflow" {
     elasticsearch {
       hosts => ["192.168.56.102:9200"]
       index => "logstash-netflow-analytics-%{+YYYY.MM.dd}"
     }
  }
}

I am trying to get SNMP OID values and NetFlow data from the MikroTik router to my server, but in the logs I'm seeing these issues, which keep repeating for longer periods:

[2023-06-06T15:51:16,847][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2023-06-06T15:51:16,911][INFO ][logstash.inputs.udp      ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] UDP listener started {:address=>"0.0.0.0:9995", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2023-06-06T15:51:17,201][INFO ][org.logstash.beats.Server][main][19705565b25928a694ac78dbcdd737ef8de9316922e464fa500ecdc386254465] Starting server on port: 5044
[2023-06-06T15:51:35,831][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:51:47,068][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:51:51,986][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:51:54,983][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:52:01,986][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:52:09,977][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:52:16,948][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:52:31,939][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:52:33,968][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
...
[2023-06-06T15:54:01,942][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:54:09,944][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:54:18,017][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:54:29,373][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:54:32,872][WARN ][logstash.codecs.netflow  ][main][fd39fe2546533fd8031e886bd0154d70cc3877b49c322ae67bfeacb5f24228c4] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2023-06-06T15:54:48,979][ERROR][logstash.inputs.snmp     ][main][cf1dc62a82d56d4bd2da4d5be4822a32664fc8881c5dffb6ca15bb041208f0cf] error invoking get operation, ignoring {:host=>"192.168.56.3", :oids=>["1.3.6.1.2.1.25.3.3.1.2.1", "1.3.6.1.2.1.25.2.3.1.5.65536", "1.3.6.1.2.1.25.2.3.1.6.65536", "1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.31.1.1.1.7.1", "1.3.6.1.2.1.31.1.1.1.11.1", "1.3.6.1.2.1.1.1.0"], :exception=>#<LogStash::SnmpClientError: timeout sending snmp get request to target 192.168.56.3/161>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-snmp-1.3.1/lib/logstash/inputs/snmp/base_client.rb:39:in `get'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-snmp-1.3.1/lib/logstash/inputs/snmp.rb:210:in `block in poll_clients'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-snmp-1.3.1/lib/logstash/inputs/snmp.rb:202:in `poll_clients'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-snmp-1.3.1/lib/logstash/inputs/snmp.rb:197:in `block in run'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-snmp-1.3.1/lib/logstash/inputs/snmp.rb:380:in `every'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-snmp-1.3.1/lib/logstash/inputs/snmp.rb:196:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:410:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:401:in `block in start_input'"]}

The plugin used is Netflow codec plugin v4.2.2 for logstash 7.17 and elasticsearch 7.17.
I went through a lot of comments but I couldn't find any solution.

Could anyone help me resolve this? It will be much appreciated.

Thanks!
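
Added example, not part of the original post and not the Logstash codec's own code: a minimal NetFlow v9 walker in Python that reproduces the condition behind the warning, a data flowset (id 256 or higher) arriving before the template flowset (id 0) that defines it for that source id. The function names, the packet builder and the sample bytes are constructed for illustration.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, uptime, secs, sequence, source_id
FLOWSET_HEADER = struct.Struct("!HH")  # flowset id, length including this header

def inspect_v9(payload, templates):
    """Walk one NetFlow v9 datagram and classify each flowset.

    templates maps (source_id, template_id) -> data record length in bytes
    and is updated whenever a template flowset (id 0) is seen.
    """
    if len(payload) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, _, _, _, _, source_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    findings, offset = [], V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(payload):
        fs_id, fs_len = FLOWSET_HEADER.unpack_from(payload, offset)
        if fs_len < FLOWSET_HEADER.size or offset + fs_len > len(payload):
            findings.append(("malformed", fs_id))  # never trust the length field
            break
        body = payload[offset + FLOWSET_HEADER.size:offset + fs_len]
        if fs_id == 0:  # template flowset: one or more template records
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    break  # trailing padding or truncated record
                templates[(source_id, tid)] = sum(
                    struct.unpack_from("!HH", body, p)[1] for p in range(pos + 4, end, 4))
                findings.append(("template", tid))
                pos = end
        elif fs_id >= 256:  # data flowset: id names the template that decodes it
            known = (source_id, fs_id) in templates
            findings.append(("data" if known else "data-no-template", fs_id))
        else:
            findings.append(("options-or-reserved", fs_id))
        offset += fs_len
    return findings

def v9_packet(source_id, flowsets):
    """Build a constructed test datagram; the count field is simply len(flowsets)."""
    body = b"".join(FLOWSET_HEADER.pack(fid, 4 + len(d)) + d for fid, d in flowsets)
    return V9_HEADER.pack(9, len(flowsets), 0, 0, 0, source_id) + body

# Constructed samples: template 256 = IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), IN_BYTES(1)
TEMPLATE = struct.pack("!HH", 256, 3) + struct.pack("!HHHHHH", 8, 4, 12, 4, 1, 4)
DATA = bytes([192, 168, 56, 3, 192, 168, 56, 102]) + struct.pack("!I", 1500)
```

Running `inspect_v9` over the UDP payloads captured on the collector port shows whether the exporter ever sends a flowset with id 0; if only `data-no-template` results appear, the collector never receives a template to decode with.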
