Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received

thirty2 · June 19, 2019, 12:25pm

Hi,

my conf file for logstash looks like:

input {
  udp {
    port => 9995
    codec => netflow {
      versions => [5, 9]
    }
    type => netflow
    tags => "port_9995"
  }
}
output {
    if "port_9995" in [tags] {
    elasticsearch {
        hosts => "localhost:9200"
        index => "netflowtest"
    }
  }
}

Via tshark i can see that netflow data are coming to my host. But in logs i can see:

[2019-06-19T14:22:41,063][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2019-06-19T14:22:41,066][WARN ][logstash.codecs.netflow ] Unsupported field in template 256 {:type=>88, :length=>2}
[2019-06-19T14:22:43,059][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.

Plugin is in version logstash-codec-netflow (3.14.1)

I went through a lot of comments to this topic, but nothing helps me.

Thanks

thirty2 · June 25, 2019, 11:13am

Hi, this needs to be fixed on the device level or in the logstash? Thanks

Badger · June 25, 2019, 2:29pm

Does the warning go away after a couple of minutes or does it persist?

thirty2 · June 26, 2019, 6:40am

I let it run for more than 10minutes and still have this warn.

thirty2 · June 26, 2019, 10:34am

Problem solved:

2019-06-19T14:22:41,066][WARN ][logstash.codecs.netflow ] Unsupported field in template 256 {:type=>88, :length=>2}

88 filed was missing in netflow.yaml

system · July 24, 2019, 10:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.