Netflow codec application_id field incorrect translation

Hi,

I've noticed that in case of Fortigate devices the application_id field is translated incorrectly.

By default logstash outputs 20:53068615909376 as the application_id. However it should look something like 15921.

The reply I got from our Fortinet reseller is this:

Is there any way to have Logstash process this field correctly?

I assume that your issue is with the Logstash Netflow Module. That module was based on the v1.0.0 release of the ElastiFlow solution. ElastiFlow is currently on v1.2.0 and includes a number of enhancements and fixes that aren't in the Logstash Netflow Module, including the fix for application_id. So the easiest solution to your problem is just to use ElastiFlow.

NOTE: While not directly related to your problem, I recommend keeping the Logstash Netflow Codec up to date, even if you are not updating Logstash itself. This is achieved with the following command...

LOGSTASH_HOME/bin/logstash-plugin update logstash-codec-netflow

Hi Robert,

I found out about ElastiFlow while googling for this issue. Unfortunately I'm not only collecting netflow data so I need to stick with Logstash.

I'm using the netflow codec 3.9.0 however data output is still 20:xxxxx for the application_id field.

I've tried changing the type from string to keyword (seems to be the issue?) in /usr/share/logstash/modules/netflow/configuration/elasticsearch/netflow.json but in stdout I still get the incorrect data.

{
    "order": 0,
    "template": "netflow-*",
    "mappings": {
        "_default_": {
            "_meta": {
                "version": "6.0.0"
            },
            "dynamic_templates": [
                {
                    "application_id": {
                        "path_match": "netflow.application_id",
                        "mapping": {
                            "type": "keyword"
                        }
                    }
                },

Is it possible to fix this using the netflow codec that ships with logstash?
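To make the odd-looking value from the first post concrete, here is an added example (written for this thread, not code from the Logstash netflow codec or from ElastiFlow) that decodes a NetFlow v9/IPFIX applicationId field according to RFC 6759: the first byte is the Classification Engine ID and the rest is the Selector ID read as a big-endian integer, which is exactly the "engine:selector" string Logstash printed. For engine 20 (PANA-L7-PEN) the RFC puts a 3-byte IANA Private Enterprise Number in front of the vendor's own selector. The sample bytes are reconstructed from the posted value 53068615909376 on the assumption that the exporter's template declared an 8-byte field (the template length is not on the page); under that assumption the PEN decodes to 12356, which is Fortinet's registered enterprise number, and the trailing four bytes of this particular sample are zero. It also illustrates why editing the Elasticsearch template mapping cannot change the value: the mapping only controls how the already-decoded string is indexed.

```ruby
# Added example, not part of logstash-codec-netflow or ElastiFlow: decode a
# NetFlow v9 / IPFIX applicationId field as laid out in RFC 6759.

# Classification Engine IDs from RFC 6759, section 4.1 (only the ones used here).
ENGINE_NAMES = {
  1  => "IANA-L3",
  3  => "IANA-L4",
  6  => "USER-Defined",
  13 => "PANA-L7",
  20 => "PANA-L7-PEN",
}.freeze

# Big-endian integer from an array of byte values.
def be_int(bytes)
  bytes.inject(0) { |acc, b| (acc << 8) | b }
end

# Decodes the raw bytes of an applicationId field.
# Byte 0 is the Classification Engine ID; the remaining bytes are the Selector ID,
# whose length is whatever the exporter's template declared for the field.
# For engine 20 (PANA-L7-PEN) RFC 6759 places a 3-byte IANA Private Enterprise
# Number in front of the vendor-specific application selector.
def decode_application_id(raw)
  bytes = raw.unpack("C*")
  raise ArgumentError, "applicationId needs at least 2 bytes" if bytes.length < 2

  engine = bytes[0]
  selector_bytes = bytes[1..]
  result = {
    engine_id: engine,
    engine_name: ENGINE_NAMES.fetch(engine, "unknown"),
    # The form seen in the thread: engine id, colon, selector as one integer.
    legacy_string: "#{engine}:#{be_int(selector_bytes)}",
  }

  # Engine 20: split the selector into PEN (3 bytes) and the vendor's own id.
  if engine == 20 && selector_bytes.length >= 4
    result[:pen] = be_int(selector_bytes[0, 3])
    result[:vendor_app_id] = be_int(selector_bytes[3..])
  end
  result
end

# Reconstructs the field bytes behind the posted value "20:53068615909376":
# engine 20 followed by a 7-byte selector equal to 53068615909376 (0x304400000000).
# An 8-byte field is an assumption; the real template length is not on the page.
def thread_sample
  selector = 53068615909376
  selector_bytes = 7.times.map { |i| (selector >> (8 * (6 - i))) & 0xff }
  ([20] + selector_bytes).pack("C*")
end

if __FILE__ == $0
  # Expected: engine 20 (PANA-L7-PEN), pen 12356, vendor_app_id 0
  puts decode_application_id(thread_sample).inspect
end
```

The decode happens in the codec before the event ever reaches the Elasticsearch output, so a `keyword` versus `string` mapping in netflow.json only changes indexing of the finished "20:53068615909376" string; to get a different value you need a codec (or a filter on the event) that performs the split shown above.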
