Logstack netflow getting error for Netflowversion 9

rajunair · December 23, 2016, 10:27am

Hi Team ,
During my testing it seems that logstah 5.1.1 is sending WARN message to process Netflow 9 messages
In my setup Netflow 5 version is working fine .
Any body knows root cases for this issue

My error message are given below

[2016-12-23T05:22:30,245][WARN ][logstash.codecs.netflow ] No matching template for flow id 256
[2016-12-23T05:22:30,267][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,268][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,270][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,270][WARN ][logstash.codecs.netflow ] No matching template for flow id 256
[2016-12-23T05:22:30,275][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,276][WARN ][logstash.codecs.netflow ] No matching template for flow id 256
[2016-12-23T05:22:30,305][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,306][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,310][WARN ][logstash.codecs.netflow ] No matching template for flow id 257
[2016-12-23T05:22:30,323][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,329][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0}
[2016-12-23T05:22:30,330][WARN ][logstash.codecs.netflow ] No matching template for flow id 256

My logstack conf file content is

input {
udp{
port => 9995
## metadata => "true"
codec => netflow{

                    versions => [5,9,10]
                   ## target => "ipfix"
            }
            type=> "netflow"
    }

}

The filter part of this file is commented out to indicate that it is

optional.

filter {

}

output {
stdout { codec => rubydebug }
}

Tcp dump is attached with this topic

jsvd · December 23, 2016, 11:15am

this could be a bug in the code of the netflow codec, can you open an issue with this information on https://github.com/logstash-plugins/logstash-codec-netflow? thanks!

rajunair · December 24, 2016, 5:14am

Hi ,
Issue registered

github.com/logstash-plugins/logstash-codec-netflow

logstash not working for Netfloow Version 9 flows

opened 05:13AM - 24 Dec 16 UTC

closed 07:26AM - 04 Sep 17 UTC

rajutech76

Hi Team , During my testing it seems that logstah 5.1.1 is sending WARN message… to process Netflow 9 messages In my setup Netflow 5 version is working fine . Any body knows root cases for this issue My error message are given below [2016-12-23T05:22:30,245][WARN ][logstash.codecs.netflow ] No matching template for flow id 256 [2016-12-23T05:22:30,267][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,268][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,270][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,270][WARN ][logstash.codecs.netflow ] No matching template for flow id 256 [2016-12-23T05:22:30,275][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,276][WARN ][logstash.codecs.netflow ] No matching template for flow id 256 [2016-12-23T05:22:30,305][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,306][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,310][WARN ][logstash.codecs.netflow ] No matching template for flow id 257 [2016-12-23T05:22:30,323][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,329][WARN ][logstash.codecs.netflow ] Unsupported field {:type=>0, :length=>0} [2016-12-23T05:22:30,330][WARN ][logstash.codecs.netflow ] No matching template for flow id 256 For all general issues, please provide the following details for fast resolution: - Version:logstash5.1.1 - Operating System:CentOs7 - Config File (if you have sensitive info, please remove it): input { udp{ port => 9995 ## metadata => "true" codec => netflow{ versions => [5,9,10] } type=> "netflow" } } output { stdout { codec => rubydebug } } - Sample Data: - Steps to Reproduce: Pcap file is attached with this issues

system · January 21, 2017, 5:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Netflow codec: No matching template Logstash	3	1292	April 24, 2017
Netflow issue Elasticsearch	2	356	October 19, 2017
Netflow V9 : message=>"No matching template for flow id 279" Logstash	2	2047	July 6, 2017
Help with Netflow Configuration Logstash	6	2531	April 19, 2017
Netflow v9 is not being processed Logstash	2	938	January 18, 2018

Logstack netflow getting error for Netflowversion 9

The filter part of this file is commented out to indicate that it is

optional.

filter {

}

Related topics