I'm receiving the following issues from the Netflow codec in logstash:
[2017-03-27T09:40:00,696][WARN ][logstash.codecs.netflow ] No matching template for flow id 256
[2017-03-27T09:40:00,707][WARN ][logstash.codecs.netflow ] No matching template for flow id 257
Any idea of what is going wrong? From the same issue, if I google it, the logs show some kind of error that brings out what's going wrong. But on logstash-stdout, there is nothing to guide myself to the error.
Netflow v9 supports a device sending a variety of different fields in the flow record (unlike Netflow v5 which was a static record). In order for the flow collector (in this case logstash) to know which data is in the record it requires a "template" which provides this information. The device will periodically send "template" messages, so usually these errors go away within 5 to 10 minutes of starting logstash. As long as they do, you have nothing to worry about. It is part of the normal operation of Netflow v9. If the errors do not go away, make sure that you are using the latest Netflow codec. There were a lot of enhancements around Logstash 5.1.1 and I have found it works really well.
@rcowart Thanks for the response. I have Logstash on the most recent version and just upgraded the Netflow codec to 3.4.0, which is the latest. The message keeps going, but I have only just enabled it for less than 3 minutes, just to check the feed flowing. So, I will check your recommendation, and tell the results. Again, thanks!
UPDATE: Effectively, the warning message disappeared. I'm getting Ignoring Netflow v0 (Non-netflow data. No problems) and the real error message from the templates. But this is something to ask for the developers on how to fix it.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.