Hello, the Logstash codec logstash-codec-netflow says it can't decode a flowset because no template has been received. When looking in the packet capture, a template has been sent.
[2024-02-02T13:10:19,136][WARN ][logstash.codecs.netflow ][main][bb95707be2d808262891c02debd1c7486b2a28cbba83f5acb495ce1bac18e7eb] Can't (yet) decode flowset id 257 from observation domain id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2024-02-02T13:10:19,136][WARN ][logstash.codecs.netflow ][main][bb95707be2d808262891c02debd1c7486b2a28cbba83f5acb495ce1bac18e7eb] Can't (yet) decode flowset id 256 from observation domain id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2024-02-02T13:10:19,140][WARN ][logstash.codecs.netflow ][main][bb95707be2d808262891c02debd1c7486b2a28cbba83f5acb495ce1bac18e7eb] Can't (yet) decode flowset id 258 from observation domain id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
Logstash version: 8.11.4
Configuration:
input {
  udp {
    port => 2055
    codec => netflow {
      cache_save_path => "/tmp"
    }
  }
}
output {
  stdout {}
}
In the template cache there is in fact no template with those numbers:
# cat /tmp/ipfix_templates.cache | jq '. |= keys'
[
"1|259",
"1|261",
"1|262",
"1|273",
"1|274"
]
But in the PCAP a template is transmitted regularly:
Cisco NetFlow/IPFIX
Version: 10
Length: 104
Timestamp: Jan 25, 2024 11:05:29.000000000 W. Europe Standard Time
FlowSequence: 224
Observation Domain Id: 1
Set 1 [id=3] (Options Template): 259,257,256,258
FlowSet Id: Options Template (V10 [IPFIX]) (3)
FlowSet Length: 88
Options Template (Id = 259) (Scope Count = 1; Data Count = 7)
Options Template (Id = 257) (Scope Count = 1; Data Count = 1)
Options Template (Id = 256) (Scope Count = 1; Data Count = 1)
Options Template (Id = 258) (Scope Count = 1; Data Count = 1)
It looks like a bug.
Any idea?
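One way to cross-check a capture against the codec's cache, as an added example that is not part of the original post and not code from Logstash or the codec: it walks every record in an IPFIX Template or Options Template set (a single set can carry several, as in the dissection above) and reports the `domain|template_id` keys missing from the cache. The sample message is constructed to match the sizes in the dissection (message length 104, set length 88); its field specifiers are placeholders, and the function names are hypothetical.

```python
import struct

def template_ids(msg: bytes) -> list[str]:
    """List 'domain|template_id' for every template record in one IPFIX message."""
    version, length, _time, _seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length > len(msg):
        raise ValueError("not a complete IPFIX (version 10) message")
    found, pos = [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        end = pos + set_len
        if set_len < 4 or end > length:
            raise ValueError("bad set length")
        if set_id in (2, 3):                      # 2 = Template, 3 = Options Template
            hdr = 4 if set_id == 2 else 6         # options records add a scope field count
            rec = pos + 4
            while rec + hdr <= end:               # a set may hold several records
                tid, count = struct.unpack_from("!HH", msg, rec)
                if tid < 256:                     # trailing padding, not a record
                    break
                rec += hdr
                for _ in range(count):            # skip the field specifiers
                    if rec + 4 > end:
                        raise ValueError("truncated template record")
                    (ie,) = struct.unpack_from("!H", msg, rec)
                    rec += 8 if ie & 0x8000 else 4  # enterprise bit adds a 4-byte PEN
                found.append(f"{domain}|{tid}")
        pos = end
    return found

def missing_from_cache(msg: bytes, cache_keys) -> list[str]:
    """Templates announced in msg that are absent from the codec's cache keys."""
    cached = set(cache_keys)
    return [k for k in template_ids(msg) if k not in cached]

def _opt_record(tid: int, n_fields: int) -> bytes:
    # Constructed record: scope count 1, placeholder fields (element 1, length 4).
    return struct.pack("!HHH", tid, n_fields, 1) + struct.pack("!HH", 1, 4) * n_fields

# Constructed message shaped like the capture: domain 1, one set id 3, length 104.
_records = _opt_record(259, 8) + b"".join(_opt_record(t, 2) for t in (257, 256, 258))
SAMPLE = (struct.pack("!HHIII", 10, 104, 0, 224, 1)
          + struct.pack("!HH", 3, 88) + _records + b"\x00" * 4)
CACHE_KEYS = ["1|259", "1|261", "1|262", "1|273", "1|274"]  # keys shown in the post

if __name__ == "__main__":
    print(template_ids(SAMPLE))
    print(missing_from_cache(SAMPLE, CACHE_KEYS))
```

To use it on real traffic, pass the UDP payload of one exported packet as `msg` and the keys of `ipfix_templates.cache` as `cache_keys`.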