Logstash netscaler citrix input

perezdev · November 22, 2022, 4:21pm

Hello,

I'm trying to collect logs from Netscaler Citrix using ipfix protocol, but I'm not able to decode properly the message.

This is my input configuration file:

input {
  udp {
    port => 9913
    codec => netflow {
      versions => [10]
    }
  }
}

I received this warning from logstash: Can't (yet) decode flowset id 257 from observation domain id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.

And I'm not able to see the content of the message from Netscaler.

Does anyone know what could be the issue?

perezdev · November 24, 2022, 11:57am

According to documentation of my logstash version (Netflow codec plugin | Logstash Reference [8.4] | Elastic) seems to be able to decode:

But we are not able to decode based on this error:

Can't (yet) decode flowset id 257 from observation domain id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.

rcowart · December 5, 2022, 1:58pm

Logstash lacks support for most of the Netscaler IEs. You should try a trial license of ElastiFlow, which provides support for all vendor-specific IEs.

Topic		Replies	Views
Can not decode Citrix Netscaler IPFIX messages Logstash	8	1563	October 30, 2020
Can't parse netflow by logstash codec Logstash	1	1119	March 12, 2018
Can't yet decode flowset id error when collecting netflow Logstash	1	852	October 18, 2019
Logstash Netflow Codec Issues Logstash	2	550	August 13, 2020
Logstash-codec-netflow: Unsupported field in template 258 {:type=>44999, :length=>32} [Cisco ASR-1001-X] Logstash	2	814	October 9, 2019

Logstash netscaler citrix input

Related topics