Logstash Netflow Codec Plugin - "unsupported enterprise" error with IPFIX template

Hi there,

When trying to ingest IPFIX, we get the

Can't (yet) decode flowset id 317 from observation domain id 6422528, because no template to decode it with has been received. This message will usually go away after 1 minute.

message.
But it does not go away after a minute, or ten, or ... :wink: and the logs are not ingested.
Once a minute the following message pops up in the logs:

Unsupported enterprise {:enterprise=>42359}

According to the tcpdump we took, every minute a netflow/ipfix template is sent with the exact domain/enterprise id.
Could this be solved with the right ipfix_definitions in the logstash pipeline? Or is there a better way?
If ipfix_definitions is the right way, how would I translate the template?

Many thanks,
m.

Template exported via Wireshark

Cisco NetFlow/IPFIX
    Version: 10

    Observation Domain Id: 6422528
    Set 1 [id=2] (Data Template): 317
        FlowSet Id: Data Template (V10 [IPFIX]) (2)
        FlowSet Length: 96
        Template (Id = 317, Count = 18)
            Template Id: 317
            Field Count: 18
            Field (1/18): IP_SRC_ADDR
                0... .... .... .... = Pen provided: No
                .000 0000 0000 1000 = Type: IP_SRC_ADDR (8)
                Length: 4
            Field (2/18): IP_DST_ADDR
                0... .... .... .... = Pen provided: No
                .000 0000 0000 1100 = Type: IP_DST_ADDR (12)
                Length: 4
            Field (3/18): L4_SRC_PORT
                0... .... .... .... = Pen provided: No
                .000 0000 0000 0111 = Type: L4_SRC_PORT (7)
                Length: 2
            Field (4/18): L4_DST_PORT
                0... .... .... .... = Pen provided: No
                .000 0000 0000 1011 = Type: L4_DST_PORT (11)
                Length: 2
            Field (5/18): PROTOCOL
                0... .... .... .... = Pen provided: No
                .000 0000 0000 0100 = Type: PROTOCOL (4)
                Length: 1
            Field (6/18): DIRECTION
                0... .... .... .... = Pen provided: No
                .000 0000 0011 1101 = Type: DIRECTION (61)
                Length: 1
            Field (7/18): lineCardId
                0... .... .... .... = Pen provided: No
                .000 0000 1000 1101 = Type: lineCardId (141)
                Length: 4
            Field (8/18): 522 [pen: Versa Networks, Inc]
                1... .... .... .... = Pen provided: Yes
                .000 0010 0000 1010 = Type: 522 [pen: Versa Networks, Inc]
                Length: 2
                PEN: Versa Networks, Inc (42359)
            Field (9/18): 574 [pen: Versa Networks, Inc]
                1... .... .... .... = Pen provided: Yes
                .000 0010 0011 1110 = Type: 574 [pen: Versa Networks, Inc]
                Length: 2
                PEN: Versa Networks, Inc (42359)
            Field (10/18): flowStartMilliseconds
                0... .... .... .... = Pen provided: No
                .000 0000 1001 1000 = Type: flowStartMilliseconds (152)
                Length: 8
            Field (11/18): flowEndMilliseconds
                0... .... .... .... = Pen provided: No
                .000 0000 1001 1001 = Type: flowEndMilliseconds (153)
                Length: 8
            Field (12/18): INPUT_SNMP
                0... .... .... .... = Pen provided: No
                .000 0000 0000 1010 = Type: INPUT_SNMP (10)
                Length: 4
            Field (13/18): OUTPUT_SNMP
                0... .... .... .... = Pen provided: No
                .000 0000 0000 1110 = Type: OUTPUT_SNMP (14)
                Length: 4
            Field (14/18): BYTES_TOTAL
                0... .... .... .... = Pen provided: No
                .000 0000 0101 0101 = Type: BYTES_TOTAL (85)
                Length: 8
            Field (15/18): PACKETS_TOTAL
                0... .... .... .... = Pen provided: No
                .000 0000 0101 0110 = Type: PACKETS_TOTAL (86)
                Length: 8
            Field (16/18): 540 [pen: Versa Networks, Inc]
                1... .... .... .... = Pen provided: Yes
                .000 0010 0001 1100 = Type: 540 [pen: Versa Networks, Inc]
                Length: 2
                PEN: Versa Networks, Inc (42359)
            Field (17/18): 519 [pen: Versa Networks, Inc]
                1... .... .... .... = Pen provided: Yes
                .000 0010 0000 0111 = Type: 519 [pen: Versa Networks, Inc]
                Length: 4
                PEN: Versa Networks, Inc (42359)
            Field (18/18): IP_TOS
                0... .... .... .... = Pen provided: No
                .000 0000 0000 0101 = Type: IP_TOS (5)
                Length: 1
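
Added example (not part of the original post and not the plugin's own code): a small Python script that reads a Wireshark template export like the one above and emits a YAML file in the layout the codec's ipfix_definitions option expects (PEN, then element id, then type and name). The names it writes (such as pen42359_522) are placeholders, because the export does not name the Versa elements, and treating each element as an unsigned integer of its template length is an assumption.

```python
import re

# Constructed sample: three fields trimmed from the Wireshark export in the post.
SAMPLE = """\
Field (7/18): lineCardId
    .000 0000 1000 1101 = Type: lineCardId (141)
    Length: 4
Field (8/18): 522 [pen: Versa Networks, Inc]
    1... .... .... .... = Pen provided: Yes
    .000 0010 0000 1010 = Type: 522 [pen: Versa Networks, Inc]
    Length: 2
    PEN: Versa Networks, Inc (42359)
Field (17/18): 519 [pen: Versa Networks, Inc]
    .000 0010 0000 0111 = Type: 519 [pen: Versa Networks, Inc]
    Length: 4
    PEN: Versa Networks, Inc (42359)
"""

# Assumption: each enterprise element is an unsigned integer of its template length.
UINT_BY_LENGTH = {1: ":uint8", 2: ":uint16", 4: ":uint32", 8: ":uint64"}

def enterprise_fields(export_text):
    """Return {pen: {element_id: length}} for the fields that carry a PEN."""
    out = {}
    for block in re.split(r"^\s*Field \(", export_text, flags=re.M)[1:]:
        pen = re.search(r"PEN: .*\((\d+)\)", block)
        bits = re.search(r"\.([01 ]+) = Type:", block)
        length = re.search(r"Length: (\d+)", block)
        if pen and bits and length:
            fid = int(bits.group(1).replace(" ", ""), 2)  # low 15 bits = element id
            out.setdefault(int(pen.group(1)), {})[fid] = int(length.group(1))
    return out

def to_ipfix_definitions(defs, prefix="pen"):
    """Render the YAML; names are placeholders (prefix + PEN + element id)."""
    lines = []
    for pen in sorted(defs):
        lines.append(f"{pen}:")
        for fid, length in sorted(defs[pen].items()):
            lines.append(f"  {fid}:")
            if length in UINT_BY_LENGTH:
                lines += [f"  - {UINT_BY_LENGTH[length]}", f"  - :{prefix}{pen}_{fid}"]
            else:
                lines.append("  - :skip")  # unknown width: skip the bytes
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_ipfix_definitions(enterprise_fields(SAMPLE)), end="")
```

Standard (non-PEN) fields such as lineCardId are left out of the output on purpose, since the "Unsupported enterprise" message only concerns elements under PEN 42359.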
