Error message:
```
[2019-09-02T09:51:06,601][WARN ][logstash.codecs.netflow ] Unsupported field in template 258 {:type=>44999, :length=>32}
[2019-09-02T09:51:06,602][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 258 from source id 6, because no template to decode it with has been received. This message will usually go away after 1 minute.
```
- Version: Logstash 7.3.0
- Operating System: CentOS7
- Config File (if you have sensitive info, please remove it):
flow config
```
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: xxx
    Source IP address:      xxx
    Source Interface:       TenGigabitEthernet0/0/1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            52597
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Used
  Export template data timeout: 60
  Options Configuration:
    interface-table (timeout 60 seconds) (active)
    application-table (timeout 60 seconds) (active)
    application-attributes (timeout 300 seconds) (active)
```
/etc/logstash/elastiflow/conf.d/10_input_netflow_ipv4.logstash.conf
```
input {
  # Netflow
  udp {
    id => "input_udp_netflow_ipv4"
    host => "${ELASTIFLOW_NETFLOW_IPV4_HOST:0.0.0.0}"
    port => "${ELASTIFLOW_NETFLOW_IPV4_PORT:2055}"
    workers => "${ELASTIFLOW_NETFLOW_UDP_WORKERS:4}"
    queue_size => "${ELASTIFLOW_NETFLOW_UDP_QUEUE_SIZE:2048}"
    receive_buffer_bytes => "${ELASTIFLOW_NETFLOW_UDP_RCV_BUFF:33554432}"
    codec => netflow {
      versions => [5,9,10]
      include_flowset_id => "true"
      netflow_definitions => "${ELASTIFLOW_DEFINITION_PATH:/etc/logstash/elastiflow/definitions}/netflow.yml"
      ipfix_definitions => "${ELASTIFLOW_DEFINITION_PATH:/etc/logstash/elastiflow/definitions}/ipfix.yml"
    }
    type => "netflow"
  }
}
```
- Steps to Reproduce: Export Flow from Cisco ASR-1001-X to Netflow v9 Port
Also, it says it will go away in 1 minute, but I have been running Logstash, Elasticsearch, ElastiFlow and Kibana for a week now. Is there any fix for this, or am I doing something wrong? Please help.
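
Added example, not part of the original post and not code from Logstash or ElastiFlow: a NetFlow v9 template parser (layout per RFC 3954) that lists, per template, the field types missing from a definitions set. It assumes, as the two warnings above suggest, that a template carrying an undefined field type is never registered, so its data flowsets stay undecodable; `KNOWN_TYPES` and the sample datagram are constructed.

```python
import struct

# Constructed stand-in for the field types a definitions file covers (assumption;
# not the actual contents of ElastiFlow's netflow.yml).
KNOWN_TYPES = {1, 2, 4, 7, 8, 10, 11, 12, 14}

def parse_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for one v9 datagram."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    templates, offset = {}, 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        if flowset_id == 0:  # FlowSet ID 0 carries template records
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                if template_id < 256:  # zero padding at the end of the flowset
                    break
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError("template record overruns its flowset")
                templates[template_id] = [
                    struct.unpack_from("!HH", packet, pos + 4 * i)
                    for i in range(field_count)]
                pos += 4 * field_count
        offset += length
    return templates

def undefined_fields(templates, known=KNOWN_TYPES):
    """Map template_id -> fields whose type is missing from the definitions."""
    report = {}
    for template_id, fields in templates.items():
        missing = [f for f in fields if f[0] not in known]
        if missing:
            report[template_id] = missing
    return report

def sample_packet():
    """Constructed datagram: source id 6, templates 258 (one unknown field) and 259."""
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 1, 6)
    body = struct.pack("!HH6H", 258, 3, 8, 4, 12, 4, 44999, 32)
    body += struct.pack("!HH6H", 259, 3, 8, 4, 12, 4, 1, 4)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body
```

Feeding it the UDP payloads of a capture taken on port 2055 shows which exported templates reference types the definitions file would need to cover.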