Logstash netflow cisco router and wlc


(Vam Pikmin) #1

Hi, I have been ingesting NetFlow v9 data from a Cisco router without major problems, so I thought I'd do the same with the wireless controller, but I have come across some issues.
I added another listener on a different port for the WLC.

input {
    udp {
        tags => ["netflow"]
        type => "netflow"
        port => 5046
        codec => netflow {
            versions => [9]
        }
    }

    udp {
        tags => ["netflow-wlc"]
        type => "netflow-wlc"
        port => 5048
        codec => netflow {
            versions => [9]
        }
    }
}

output {
    if [type] == "netflow" {
        elasticsearch { hosts => ["http://localhost:9200"] }
        stdout { codec => rubydebug }
        #file { path => "/log/netflow.log" }
    }

    else if [type] == "netflow-wlc" {
        #elasticsearch { hosts => ["http://localhost:9200"] }
        #stdout { codec => rubydebug }
        file { path => "/log/netflow-wlc.log" }
    }

    else {
        file { path => "/log/unknown.log" codec => json_lines }
    }
}

I've been getting the following errors. It looks like it doesn't like having two source IDs??
With source ID 0, which is the Cisco router, it does disappear after a minute and starts ingesting the logs;
for source ID 1, which I'm guessing is the WLC, the logs never go away.

[2017-10-13T15:02:26,378][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 262 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-13T15:02:49,888][WARN ][logstash.codecs.netflow ] Unsupported field in template 258 {:type=>20000, :length=>2}
[2017-10-13T15:02:49,889][WARN ][logstash.codecs.netflow ] Unsupported field in template 262 {:type=>20000, :length=>2}
[2017-10-13T15:02:50,314][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 258 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.

I also get these:
[2017-10-13T15:08:37,392][WARN ][logstash.codecs.netflow ] Template length doesn't fit cleanly into flowset {:template_id=>257, :template_length=>143, :record_length=>1392}

It seems I do end up getting something logged to the file; here's one line:
tail -n 1 netflow-wlc.log
{"netflow":{"flow_seq_num":562,"scope_system":3232269087,"application_name":"crashplan","flowset_id":256,"version":9,"application_id":"13:820"},"@timestamp":"2017-10-13T04:02:49.000Z","syslog_severity_code":5,"syslog_facility":"user-level","@version":"1","host":"192.168.131.31","syslog_facility_code":1,"type":"netflow-wlc","syslog_severity":"notice","tags":["netflow-wlc","_grokparsefailure","_geoip_lookup_failure"]}

Is this a bug, or am I missing some extra config?
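The three warnings above all come from the codec's template handling: templates are cached per (source id, template id), data flowsets are only decodable once that source's template has arrived, field types outside the known set are flagged, and a data flowset whose body is not a whole number of records is reported as not fitting cleanly. The parser below is an added, self-contained illustration of those checks (not the logstash-codec-netflow code itself) run over a constructed packet; the packet contents, the diagnostic tuple names, and the small KNOWN_FIELD_TYPES set are assumptions for the example.

```python
import struct

# Subset of standard NetFlow v9 field types; 20000 lies outside the standard
# range, which is why the codec reports it as an "Unsupported field".
KNOWN_FIELD_TYPES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}


def parse_netflow_v9(packet, templates):
    """Walk one NetFlow v9 export packet and return codec-style diagnostics.

    `templates` maps (source_id, template_id) -> record length in bytes and is
    updated in place, mimicking the per-source template cache: a template
    learned from source id 0 (the router) does not decode source id 1 (the WLC).
    """
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    diags, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:  # malformed length would otherwise loop forever
            break
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset: one or more (id, field list) entries
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos, rec_len = pos + 4, 0
                for _ in range(nfields):
                    ftype, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos, rec_len = pos + 4, rec_len + flen
                    if ftype not in KNOWN_FIELD_TYPES:
                        diags.append(("unsupported_field", tid, ftype, flen))
                templates[(source_id, tid)] = rec_len
        elif flowset_id >= 256:  # data flowset: needs a template from the same source
            rec_len = templates.get((source_id, flowset_id))
            if rec_len is None:
                diags.append(("no_template", flowset_id, source_id))
            elif len(body) % rec_len:  # the codec's "doesn't fit cleanly" condition
                diags.append(("bad_length", flowset_id, rec_len, len(body)))
        offset += length
    return diags


def build_sample_packet():
    """Constructed packet from source id 1: template 258 with a vendor field type
    20000, a 25-byte data flowset for 258 (record length 10, so 5 bytes left
    over), and a data flowset for 262 whose template was never exported."""
    header = struct.pack("!HHIIII", 9, 3, 1000, 1507867200, 562, 1)
    tmpl = struct.pack("!HH", 258, 3) + struct.pack("!HHHHHH", 8, 4, 12, 4, 20000, 2)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data_258 = struct.pack("!HH", 258, 4 + 25) + bytes(25)
    data_262 = struct.pack("!HH", 262, 4 + 10) + bytes(10)
    return header + template_fs + data_258 + data_262
```

Feeding a capture of the WLC's export (for example via a raw UDP socket on port 5048) into `parse_netflow_v9` with an empty cache shows which of the three conditions each flowset hits before it ever reaches the codec.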


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.