Filebeat netflow can't parse NetStream from Huawei

Hi,

We are using Filebeat to collect NetFlow from Mikrotik, and it works perfectly.
Now we need to collect NetStream from a Huawei AR2240 and it doesn't work; the flows are not seen in Kibana.

When I run Filebeat in debug mode I see this:

    2020-10-09T09:22:21.178+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] FlowSet ID 5000 length 900
    2020-10-09T09:22:21.178+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] No template for ID 5000
    2020-10-09T09:22:21.277+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] Packet from:10.17.0.1:40000 src:0 seq:15426997
    2020-10-09T09:22:21.277+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] FlowSet ID 5000 length 900
    2020-10-09T09:22:21.277+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] No template for ID 5000
    2020-10-09T09:22:21.378+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] Packet from:10.17.0.1:40000 src:0 seq:15426998
    2020-10-09T09:22:21.378+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] FlowSet ID 5000 length 900
    2020-10-09T09:22:21.378+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] No template for ID 5000
    2020-10-09T09:22:21.378+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] Packet from:10.17.0.1:40000 src:0 seq:15426999
    2020-10-09T09:22:21.378+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] FlowSet ID 5000 length 900
    2020-10-09T09:22:21.378+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] No template for ID 5000
    2020-10-09T09:22:21.425+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] Packet from:10.17.0.1:40000 src:0 seq:15427000
    2020-10-09T09:22:21.425+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] FlowSet ID 5000 length 360
    2020-10-09T09:22:21.425+0300 DEBUG [netflow] netflow/input.go:80 [netflow-v9] No template for ID 5000

My netflow module config:

    - module: netflow
      log:
        enabled: true
        var:
          netflow_host: 0.0.0.0
          netflow_port: 9996

Configuration from Huawei:

    ip netstream tcp-flag enable
    ip netstream export source 10.17.0.1
    ip netstream export host 10.18.0.1 9996
    ip netstream export version 9
    ip netstream record NETSTREAM_TEST
     match ipv4 source-address
     match ipv4 destination-address
     match ipv4 source-port
     match ipv4 destination-port
     match ipv4 protocol
     collect counter packets
     collect counter bytes
     collect interface input
     collect interface output
    Tunnel0/0/10
     port ip netstream record NETSTREAM_TEST
     ip netstream inbound
     ip netstream outbound

Could you please post more details regarding the Filebeat version you're using?

It seems that the 3rd-party FlowSet template is not available, but I'm not sure what the root cause is (the Huawei device doesn't export it?).

My Filebeat version:

    filebeat version 7.9.2 (amd64), libbeat 7.9.2 [2ab907f5ccecf9fd82fe37105082e89fd871f684 built 2020-09-22 23:19:45 +0000 UTC]

About exporting the FlowSet template, I don't know. All of the Huawei configuration is in the first post.

After adding the missing ID to netflow_definitions, the following error appears in the logs:

    2020-10-15T19:56:51.466+0300 ERROR instance/beat.go:951 Exiting: Failed to start crawler: creating module reloader failed: field ID 107 has unknown type uint576
    failed to load NetFlow fields

After removing these fields from the template on the device, it still gives the error from the first post:

    netflow/input.go:80|[netflow-v9] FlowSet ID 5000 length 360|
    netflow/input.go:80|[netflow-v9] No template for ID 5000|

The Huawei device exports the template every 1 minute.
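
The "No template for ID 5000" lines in this thread mean a data FlowSet arrived whose ID has no stored template; under RFC 3954 a collector looks templates up by exporter address, source ID and template ID. The Python below is an added example, not part of the thread and not Filebeat's code: it walks constructed v9 datagrams and reports, per FlowSet, whether a template was learned or is missing. The names `walk_v9` and `build_packet` and the three-field layout used for template 5000 are assumptions made for the illustration.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceID
SET_HDR = struct.Struct("!HH")     # FlowSet ID, length (this 4-byte header included)

def walk_v9(datagram, exporter, templates):
    """Learn templates from one v9 datagram and classify each FlowSet in it."""
    version, _, _, _, _, source_id = HEADER.unpack_from(datagram, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    results, off = [], HEADER.size
    while off + SET_HDR.size <= len(datagram):
        set_id, length = SET_HDR.unpack_from(datagram, off)
        if length < SET_HDR.size or off + length > len(datagram):
            results.append((set_id, "truncated"))
            break
        body = datagram[off + SET_HDR.size:off + length]
        if set_id == 0:  # template FlowSet: template ID, field count, (type, size) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or nfields == 0 or end > len(body):
                    break  # padding or a cut-off template
                fields = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                templates[(exporter, source_id, tid)] = fields
                results.append((tid, "template learned"))
                pos = end
        elif set_id >= 256:  # data FlowSet: its ID names the template that describes it
            fields = templates.get((exporter, source_id, set_id))
            status = "no template" if fields is None else f"{len(body) // sum(s for _t, s in fields)} records"
            results.append((set_id, status))
        else:
            results.append((set_id, "options template or reserved"))
        off += length
    return results

def build_packet(source_id, *flowsets):  # constructed datagrams; count/time fields are placeholders
    sets = b"".join(SET_HDR.pack(sid, 4 + len(b)) + b for sid, b in flowsets)
    return HEADER.pack(9, len(flowsets), 0, 0, 0, source_id) + sets

# Constructed sample: template 5000 = IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), IN_BYTES(1), 4 bytes each
TEMPLATE = (0, struct.pack("!HH", 5000, 3) + struct.pack("!6H", 8, 4, 12, 4, 1, 4))
DATA = (5000, bytes(24))  # two zero-filled 12-byte records

if __name__ == "__main__":
    seen = {}
    for pkt in (build_packet(0, DATA), build_packet(0, TEMPLATE), build_packet(0, DATA), build_packet(1, DATA)):
        print(walk_v9(pkt, "10.17.0.1", seen))
```

Run against a capture of the exporter's UDP payloads, the same walk shows whether a FlowSet with ID 0 that defines template 5000 ever reaches the collector, and under which source ID.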
