Filebeat netflow huawei

Elastic Stack Beats
1

Hey all,

I've been testing netflow from Huawei AR2200

Keep getting the following No template for ID 5000

2021-06-10T14:30:14.874+1000	DEBUG	[input]	input/input.go:139	Run input
2021-06-10T14:30:23.305+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] Packet from:192.168.99.1:40000 src:0 seq:1
2021-06-10T14:30:23.305+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] FlowSet ID 5000 length 172
2021-06-10T14:30:23.305+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] No template for ID 5000
2021-06-10T14:30:23.873+1000	DEBUG	[netflow]	netflow/input.go:212	Stats total:[ packets=4 dropped=0 flows=0 queue_len=0 ] delta:[ packets/s=1 dropped/s=0 flows/s=0 queue_len/s=+0 ]
2021-06-10T14:30:24.306+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] Packet from:192.168.99.1:40000 src:0 seq:1
2021-06-10T14:30:24.306+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] FlowSet ID 5000 length 172
2021-06-10T14:30:24.306+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] No template for ID 5000
2021-06-10T14:30:24.873+1000	DEBUG	[netflow]	netflow/input.go:212	Stats total:[ packets=5 dropped=0 flows=0 queue_len=0 ] delta:[ packets/s=1 dropped/s=0 flows/s=0 queue_len/s=+0 ]
2021-06-10T14:30:24.874+1000	DEBUG	[input]	input/input.go:139	Run input
2021-06-10T14:30:25.308+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] Packet from:192.168.99.1:40000 src:0 seq:1
2021-06-10T14:30:25.308+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] FlowSet ID 5000 length 172
2021-06-10T14:30:25.308+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] No template for ID 5000
2021-06-10T14:30:25.873+1000	DEBUG	[netflow]	netflow/input.go:212	Stats total:[ packets=6 dropped=0 flows=0 queue_len=0 ] delta:[ packets/s=1 dropped/s=0 flows/s=0 queue_len/s=+0 ]
2021-06-10T14:30:27.310+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] Packet from:192.168.99.1:40000 src:0 seq:1
2021-06-10T14:30:27.310+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] FlowSet ID 5000 length 172
2021-06-10T14:30:27.310+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] No template for ID 5000
2021-06-10T14:30:27.873+1000	DEBUG	[netflow]	netflow/input.go:212	Stats total:[ packets=7 dropped=0 flows=0 queue_len=0 ] delta:[ packets/s=1 dropped/s=0 flows/s=0 queue_len/s=+0 ]
2021-06-10T14:30:34.874+1000	DEBUG	[input]	input/input.go:139	Run input
2021-06-10T14:30:36.323+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] Packet from:192.168.99.1:40000 src:0 seq:1

If I specify ip netstream export version 9 I start getting data in however this particular field is not working

"direction": "unknown"

2021-06-10T14:35:34.880+1000	DEBUG	[input]	input/input.go:139	Run input
2021-06-10T14:35:36.744+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] Packet from:192.168.99.1:40000 src:0 seq:1
2021-06-10T14:35:36.744+1000	DEBUG	[netflow]	netflow/input.go:81	[netflow-v9] FlowSet ID 5000 length 172
2021-06-10T14:35:36.745+1000	DEBUG	[processors]	processing/processors.go:203	Publish event: {
  "@timestamp": "2021-06-10T12:19:01.000Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.13.1",
    "pipeline": "filebeat-7.13.1-netflow-log-pipeline"
  },
  "input": {
    "type": "netflow"
  },
  "agent": {
    "ephemeral_id": "db92d57a-30c9-4134-853e-076cef4f7031",
    "id": "a2f84bbe-5660-47ae-bd6b-08444b3fe4f2",
    "name": "spelk",
    "type": "filebeat",
    "version": "7.13.1",
    "hostname": "spelk"
  },
  "netflow": {
    "flow_end_sys_up_time": 3680830,
    "destination_transport_port": 8443,
    "exporter": {
      "timestamp": "2021-06-10T12:19:01.000Z",
      "uptime_millis": 3711351,
      "address": "192.168.99.1:40000",
      "source_id": 0,
      "version": 9
    },
    "packet_delta_count": 1,
    "egress_interface": 25,
    "ingress_interface": 17,
    "destination_ipv4_address": "10.138.86.2",
    "flow_start_sys_up_time": 3680830,
    "type": "netflow_flow",
    "octet_delta_count": 40,
    "digest_hash_value": 0
  },
  "tags": [
    "forwarded"
  ],
  "service": {
    "type": "netflow"
  },
  "source": {
    "bytes": 40,
    "packets": 1
  },
  "ecs": {
    "version": "1.9.0"
  },
  "network": {
    "packets": 1,
    "direction": "unknown",
    "community_id": "1:Ks0GMShQ4NDXDjsBKAcveDyt+g4=",
    "bytes": 40
  },
  "related": {
    "ip": [
      "10.138.86.2"
    ]
  },
  "event": {
    "duration": 0,
    "action": "netflow_flow",
    "type": [
      "connection"
    ],
    "start": "2021-06-10T12:18:30.479Z",
    "module": "netflow",
    "dataset": "netflow.log",
    "end": "2021-06-10T12:18:30.479Z",
    "created": "2021-06-10T04:35:36.745Z",
    "kind": "event",
    "category": [
      "network_traffic",
      "network"
    ]
  },
  "observer": {
    "ip": "192.168.99.1"
  },
  "flow": {
    "id": "BCoMVPkpB34",
    "locality": "internal"
  },
  "destination": {
    "ip": "10.138.86.2",
    "locality": "internal",
    "port": 8443
  },
  "fileset": {
    "name": "log"
  }
}

Huawei config

ip netstream record logstash
match ipv4 destination-address
match ipv4 destination-port
collect interface input
collect interface output
collect counter bytes
collect counter packets
quit


* Configure NetStream flexible flow statistics exporting
ip netstream export source 192.168.99.1
ip netstream export version 9
ip netstream export host 192.168.101.125 2055


* Enable flexible flow statistics collection on the interface.
interface tunnel0/0/0
port ip netstream record logstash
     Info: Interface got a record config succeed.
ip netstream inbound
ip netstream outbound

Thanks for your help

1 Like
2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.