Netflow from Watchguard

Vladx · October 17, 2019, 5:44pm

Hi,

I'm trying to use logstash as netflow collector to forward netflow to Qradar. It is pretty straightforward and I think my config is ok

#this is for netflow
udp {
port => 2081
type => netflow
codec => netflow {
versions => [9]
}
receive_buffer_bytes => 16777216
workers => 16
queue_size => 32000
}
}

The flow source is Watchguard firewall and it is sending v9 netflow

As soon as Logstash receives the first flow, I'm getting bunch of error messages like this

Oct 17 19:31:44 siem-proxy logstash[38697]: [2019-10-17T19:31:44,064][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 260 from source id 0, because no template to decode it with has be

Then, Logstash crashes like this

Oct 17 19:33:09 siem-proxy logstash[38697]: warning: thread "[main]>worker1" terminated with exception (report_on_exception is true):
Oct 17 19:33:09 siem-proxy logstash[38697]: java.lang.StackOverflowError
Oct 17 19:33:09 siem-proxy logstash[38697]: at java.lang.ClassLoader.findLoadedClass(ClassLoader.java:1038)
Oct 17 19:33:09 siem-proxy logstash[38697]: at java.lang.ClassLoader.loadClass(ClassLoader.java:406)
Oct 17 19:33:09 siem-proxy logstash[38697]: at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
Oct 17 19:33:09 siem-proxy logstash[38697]: at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
Oct 17 19:33:09 siem-proxy logstash[38697]: at usr.share.logstash.logstash_minus_core.lib.logstash.codecs.base.RUBY$method$multi_encode$0(/usr/share/logstash/logstash-core/lib/logstash/codecs/
Oct 17 19:33:09 siem-proxy logstash[38697]: at usr.share.logstash.logstash_minus_core.lib.logstash.codecs.base.RUBY$method$encode$0(/usr/share/logstash/logstash-core/lib/logstash/codecs/base.r
Oct 17 19:33:09 siem-proxy logstash[38697]: at usr.share.logstash.logstash_minus_core.lib.logstash.codecs.base.RUBY$block$multi_encode$2(/usr/share/logstash/logstash-core/lib/logstash/codecs/b
Oct 17 19:33:09 siem-proxy logstash[38697]: at org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:146)
Oct 17 19:33:09 siem-proxy logstash[38697]: at org.jruby.runtime.BlockBody.yield(BlockBody.java:114)
Oct 17 19:33:09 siem-proxy logstash[38697]: at org.jruby.runtime.Block.yield(Block.java:165)
Oct 17 19:33:09 siem-proxy logstash[38697]: at org.jruby.RubyArray.each(RubyArray.java:1792)

Any idea what's wrong here? Is there anyone here already collecting v9 netflow from Watchguard

Thank you
Laszlo

system · November 14, 2019, 5:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to parse Fortinet Netflow with logstash module Logstash	4	1187	April 6, 2018
Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received Logstash	5	4253	July 24, 2019
5.6.1 Netflow not working Logstash	1	1038	October 25, 2017
Can't parse netflow by logstash codec Logstash	1	1090	March 12, 2018
Help with Netflow Configuration Logstash	6	2542	April 19, 2017

Netflow from Watchguard

Related topics