Hi, I have been ingesting NetFlow v9 data from a Cisco router without major problems, so I thought I'd do the same with the wireless controller, but I have come across some issues.
I added another listener on a different port for the WLC:
input {
  udp {
    tags => ["netflow"]
    type => "netflow"
    port => 5046
    codec => netflow {
      versions => [9]
    }
  }
  udp {
    tags => ["netflow-wlc"]
    type => "netflow-wlc"
    port => 5048
    codec => netflow {
      versions => [9]
    }
  }
}
output {
  if [type] == "netflow" {
    elasticsearch { hosts => ["http://localhost:9200"] }
    stdout { codec => rubydebug }
    #file { path => "/log/netflow.log" }
  }
  else if [type] == "netflow-wlc" {
    #elasticsearch { hosts => ["http://localhost:9200"] }
    #stdout { codec => rubydebug }
    file { path => "/log/netflow-wlc.log" }
  }
  else {
    file { path => "/log/unknown.log" codec => json_lines }
  }
}
I've been getting the following errors. It looks like it doesn't like having two source IDs?
With source ID 0, which is the Cisco router, it does disappear after a minute and starts ingesting the logs;
with source ID 1, which I'm guessing is the WLC, the logs never go away.
[2017-10-13T15:02:26,378][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 262 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-13T15:02:49,888][WARN ][logstash.codecs.netflow ] Unsupported field in template 258 {:type=>20000, :length=>2}
[2017-10-13T15:02:49,889][WARN ][logstash.codecs.netflow ] Unsupported field in template 262 {:type=>20000, :length=>2}
[2017-10-13T15:02:50,314][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 258 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
I also get these:
[2017-10-13T15:08:37,392][WARN ][logstash.codecs.netflow ] Template length doesn't fit cleanly into flowset {:template_id=>257, :template_length=>143, :record_length=>1392}
It seems I do end up getting something logged to the file; here's one line:
tail -n 1 netflow-wlc.log
{"netflow":{"flow_seq_num":562,"scope_system":3232269087,"application_name":"crashplan","flowset_id":256,"version":9,"application_id":"13:820"},"@timestamp":"2017-10-13T04:02:49.000Z","syslog_severity_code":5,"syslog_facility":"user-level","@version":"1","host":"192.168.131.31","syslog_facility_code":1,"type":"netflow-wlc","syslog_severity":"notice","tags":["netflow-wlc","_grokparsefailure","_geoip_lookup_failure"]}
Is this a bug, or am I missing some extra config?
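The three kinds of warning quoted in the post all come from how NetFlow v9 ties data records to templates: a template is only valid for the exporter (source ID) that sent it, a data flowset cannot be decoded until that exporter's template for it has been seen, and a flowset body must be a whole number of records of the template's length. The following is an added example, not code from the original post and not the Logstash netflow codec: a minimal Python decoder that keeps templates per (source_id, template_id), reports data that arrives before its template, keeps unknown field types at their declared length so later fields stay aligned, and flags a body that is not a clean multiple of the record length. All packets are constructed inside the script; template ID 258 and field type 20000 are reused from the warnings only as labels, not as a description of what the WLC actually exports.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder: template scoping and length checks.
Added example with hand-constructed packets; not the Logstash codec's code."""
import struct
from typing import Dict, List, Tuple

HEADER = struct.Struct("!HHIIII")   # version, count, sys_uptime, unix_secs, seq, source_id
FLOWSET = struct.Struct("!HH")      # flowset_id, length (length includes these 4 bytes)
TEMPLATE = struct.Struct("!HH")     # template_id, field_count
FIELD = struct.Struct("!HH")        # field_type, field_length

# Small subset of the standard field types; anything else is treated as unknown.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}


class NetflowV9Decoder:
    def __init__(self) -> None:
        # Keyed by (source_id, template_id): two exporters behind one listener may
        # both use template 258 with completely different layouts.
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.warnings: List[str] = []

    def decode(self, packet: bytes) -> List[dict]:
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        records: List[dict] = []
        off = HEADER.size
        while off + FLOWSET.size <= len(packet):
            fs_id, fs_len = FLOWSET.unpack_from(packet, off)
            if fs_len < FLOWSET.size:  # a zero/short length would loop forever
                self.warnings.append(f"flowset {fs_id} from source {source_id}: bad length {fs_len}")
                break
            body = packet[off + FLOWSET.size:off + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, body)
            elif fs_id != 1:  # 1 = options template, not handled here
                records.extend(self._parse_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + TEMPLATE.size <= len(body):
            tid, nfields = TEMPLATE.unpack_from(body, off)
            off += TEMPLATE.size
            fields = []
            for _ in range(nfields):
                ftype, flen = FIELD.unpack_from(body, off)
                off += FIELD.size
                if ftype not in FIELD_NAMES:
                    # Unknown type: keep its declared length so the following fields
                    # still line up; dropping it would mis-align every record.
                    self.warnings.append(f"template {tid} from source {source_id}: "
                                         f"unsupported field type {ftype} length {flen}")
                fields.append((ftype, flen))
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id: int, tid: int, body: bytes) -> List[dict]:
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.warnings.append(f"can't decode flowset {tid} from source {source_id}: no template yet")
            return []
        rec_len = sum(flen for _, flen in fields)
        if rec_len == 0:
            return []
        # Up to 3 bytes of padding to a 32-bit boundary is allowed; a larger remainder
        # means the template on file does not match what the exporter is sending.
        if len(body) % rec_len >= 4:
            self.warnings.append(f"template {tid} from source {source_id}: record length "
                                 f"{rec_len} doesn't fit cleanly into flowset body {len(body)}")
        records = []
        for start in range(0, len(body) - rec_len + 1, rec_len):
            rec, pos = {}, start
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                if ftype in (8, 12) and flen == 4:
                    rec[FIELD_NAMES[ftype]] = ".".join(str(b) for b in raw)
                elif ftype in FIELD_NAMES:
                    rec[FIELD_NAMES[ftype]] = int.from_bytes(raw, "big")
                else:
                    rec[f"type_{ftype}"] = raw.hex()  # unknown field kept as raw hex
            records.append(rec)
        return records


def build_packet(source_id: int, flowsets: List[Tuple[int, bytes]], seq: int = 1) -> bytes:
    """Assemble an export packet from (flowset_id, body) pairs. Constructed test data."""
    out = HEADER.pack(9, len(flowsets), 1000, 1507900000, seq, source_id)
    for fs_id, body in flowsets:
        pad = (-len(body)) % 4  # each flowset is padded to a 32-bit boundary
        out += FLOWSET.pack(fs_id, FLOWSET.size + len(body) + pad) + body + b"\x00" * pad
    return out


def template_body(tid: int, fields: List[Tuple[int, int]]) -> bytes:
    return TEMPLATE.pack(tid, len(fields)) + b"".join(FIELD.pack(t, n) for t, n in fields)


def demo():
    dec = NetflowV9Decoder()
    # Source 1 sends data for template 258 before the template itself: nothing decodes.
    rec = bytes([192, 168, 1, 10, 10, 0, 0, 5]) + struct.pack("!HHH", 52000, 443, 0x0334)
    first = dec.decode(build_packet(1, [(258, rec)]))
    # Its template 258: two addresses, two ports, and a 2-byte unknown field type 20000.
    dec.decode(build_packet(1, [(0, template_body(258, [(8, 4), (12, 4), (7, 2), (11, 2), (20000, 2)]))]))
    wlc = dec.decode(build_packet(1, [(258, rec * 2)], seq=2))
    # Source 0 reuses template ID 258 with a different 8-byte layout; scoping keeps them apart.
    dec.decode(build_packet(0, [(0, template_body(258, [(1, 4), (2, 4)]))]))
    # 20-byte body = two 8-byte records plus 4 stray bytes: does not fit cleanly.
    router = dec.decode(build_packet(0, [(258, struct.pack("!II", 1500, 3) * 2 + b"\xff" * 4)]))
    return first, wlc, router, dec.warnings


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The decoder keeps a (source_id, template_id) key rather than template_id alone; if both exporters in the post send to the same listener that distinction is what stops the router's template 258 from being used on the WLC's data, and it is also why each source's warnings clear independently once that source's own templates arrive.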