Netflow from Nokia router flowset id 258


#1

I have set up a Nokia router to send Netflow to Logstash. The Netflow I receive has id 258.
From a pcap I can see that relevant information is sent and received by the Logstash server. (See attachment).

According to Nokia they are supporting Cisco's format, but I get this in the Logstash log:
[2017-04-25T08:44:25,952][WARN ][logstash.codecs.netflow ] Template length doesn't fit cleanly into flowset {:template_id=>258, :template_length=>146, :record_length=>1365}
[2017-04-25T08:44:36,112][WARN ][logstash.codecs.netflow ] Unsupported field in template 258 {:type=>99, :length=>4}
[2017-04-25T08:44:36,156][WARN ][logstash.codecs.netflow ] Template length doesn't fit cleanly into flowset {:template_id=>258, :template_length=>146, :record_length=>1183}
[2017-04-25T08:44:48,049][WARN ][logstash.codecs.netflow ] Template length doesn't fit cleanly into flowset {:template_id=>258, :template_length=>146, :record_length=>1365}
[2017-04-25T08:45:13,046][WARN ][logstash.codecs.netflow ] Template length doesn't fit cleanly into flowset {:template_id=>258, :template_length=>146, :record_length=>1365}

From my understanding I could amend the situation by making my own netflow.yaml file?
Can I use the output from the PCAP to make a yaml file that fits the data received?
How would the syntax for that look?
From the netflow.yaml included with Logstash it seems that the definition is
id
type
description

The Flowset id in my case is 258, but there is a lot of "sub fields" and even several "Flows".

UPDATE: I noticed in the pcap that the router sends its template for FlowID 258:

Any input/help will be greatly appreciated!
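
One way to check a captured template against the lengths in the warnings above, as an added example that is not part of the original post and not the Logstash codec's own code. It decodes a NetFlow v9 template FlowSet as laid out in RFC 3954 and tests whether a data length is a whole number of records plus alignment padding. The sample template bytes are constructed (only field type 99 with length 4 comes from the log), and the 3-byte padding tolerance is an assumption taken from the RFC's 4-byte alignment.

```python
import struct

def parse_template_flowset(flowset: bytes) -> dict:
    """Decode a NetFlow v9 template FlowSet (FlowSet ID 0, RFC 3954).

    Returns {template_id: [(field_type, field_length), ...]}.
    """
    flowset_id, length = struct.unpack_from("!HH", flowset, 0)
    if flowset_id != 0:
        raise ValueError("not a template FlowSet")
    if length > len(flowset):
        raise ValueError("FlowSet is truncated")
    templates, offset = {}, 4
    while offset + 4 <= length:
        template_id, field_count = struct.unpack_from("!HH", flowset, offset)
        offset += 4
        if template_id < 256 or field_count == 0:
            break  # trailing alignment padding, not another template
        if offset + 4 * field_count > length:
            raise ValueError("field list runs past the end of the FlowSet")
        templates[template_id] = [
            struct.unpack_from("!HH", flowset, offset + 4 * i)
            for i in range(field_count)
        ]
        offset += 4 * field_count
    return templates

def record_length(fields) -> int:
    """Bytes one data record occupies: the sum of the template's field lengths."""
    return sum(length for _type, length in fields)

def fit_report(template_length: int, data_length: int, max_padding: int = 3) -> dict:
    """Check that data_length is N whole records plus at most max_padding bytes."""
    records, leftover = divmod(data_length, template_length)
    return {"records": records, "leftover": leftover,
            "fits": records > 0 and leftover <= max_padding}

# Constructed sample: template 258 with four fields, one of them type 99 / length 4.
SAMPLE_FIELDS = [(8, 4), (12, 4), (99, 4), (1, 4)]
SAMPLE_TEMPLATE = struct.pack("!HHHH", 0, 8 + 4 * len(SAMPLE_FIELDS), 258, len(SAMPLE_FIELDS))
SAMPLE_TEMPLATE += b"".join(struct.pack("!HH", t, n) for t, n in SAMPLE_FIELDS)

if __name__ == "__main__":
    for tid, fields in parse_template_flowset(SAMPLE_TEMPLATE).items():
        print(tid, fields, "record length:", record_length(fields))
    for data_length in (1365, 1183):  # record_length values from the warnings
        print(data_length, fit_report(146, data_length))
```

Run against the template FlowSet bytes exported from the pcap, the sum of field lengths shows whether the decoder's computed template length matches what the router actually sends per record.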

