Netflow - Ignoring Netflow version v10

Hi,

I've successfully used the Logstash netflow module with Netflow v5. But now we want to enable IPFIX on our flow exporter, and now Logstash just reports that it is ignoring Netflow v10. Is this just because Logstash doesn't understand the export, or is there some configuration I can do to allow Logstash to accept this Netflow data? (This is Netflow data coming from Juniper routers.)

Apr 12 09:32:32 elk00 logstash[1248]: [WARN ] 2018-04-12 09:32:32.543 [<udp.0] netflow - Ignoring Netflow version v10
Apr 12 09:32:32 elk00 logstash[1248]: [WARN ] 2018-04-12 09:32:32.544 [<udp.1] netflow - Ignoring Netflow version v10
Apr 12 09:32:32 elk00 logstash[1248]: [WARN ] 2018-04-12 09:32:32.545 [<udp.0] netflow - Ignoring Netflow version v10
Apr 12 09:32:32 elk00 logstash[1248]: [WARN ] 2018-04-12 09:32:32.546 [<udp.1] netflow - Ignoring Netflow version v10
Apr 12 09:32:32 elk00 logstash[1248]: [WARN ] 2018-04-12 09:32:32.547 [<udp.0] netflow - Ignoring Netflow version v10
Apr 12 09:32:32 elk00 logstash[1248]: [WARN ] 2018-04-12 09:32:32.548 [<udp.1] netflow - Ignoring Netflow version v10
Apr 12 09:32:32 elk00 logstash[1248]: [WARN ] 2018-04-12 09:32:32.549 [<udp.0] netflow - Ignoring Netflow version v10

The Logstash Netflow Module pipeline is only designed to normalize Netflow v5 and v9 flows. It was originally based on v1.0.0 of ElastiFlow, and is quite far behind when it comes to functionality.

ElastiFlow is currently on v2.1.0 and includes support for Netflow v5/v9, IPFIX, and sFlow.

Rob

Robert Cowart (rob@koiossian.com)
www.koiossian.com
True Turnkey SOLUTIONS for the Elastic Stack
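The "v10" in the warning is the version number carried in the first two bytes of each export datagram, and IPFIX messages carry version 10. The following added example (not part of any post in this thread, and not Logstash or ElastiFlow code) decodes the fixed export header of v5, v9 and IPFIX datagrams so you can confirm what an exporter is actually sending; the sample datagrams and function names are constructed for illustration.

```python
import struct

# Fixed export-header layouts (network byte order), keyed by the 16-bit
# version field that starts every NetFlow/IPFIX datagram.
HEADERS = {
    5:  ("NetFlow v5", "!HHIIIIBBH",
         ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
          "flow_sequence", "engine_type", "engine_id", "sampling")),
    9:  ("NetFlow v9", "!HHIIII",
         ("version", "count", "sys_uptime", "unix_secs", "sequence",
          "source_id")),
    10: ("IPFIX", "!HHIII",
         ("version", "length", "export_time", "sequence",
          "observation_domain_id")),
}

def classify(datagram: bytes) -> dict:
    """Return the protocol name and decoded header fields of one export datagram."""
    if len(datagram) < 2:
        raise ValueError("datagram too short to carry a version field")
    (version,) = struct.unpack_from("!H", datagram)
    if version not in HEADERS:
        return {"protocol": "unknown", "version": version}
    name, fmt, fields = HEADERS[version]
    size = struct.calcsize(fmt)
    if len(datagram) < size:
        raise ValueError(f"{name} header needs {size} bytes, got {len(datagram)}")
    header = dict(zip(fields, struct.unpack_from(fmt, datagram)))
    # IPFIX carries the total message length; a mismatch means truncation.
    if version == 10 and header["length"] != len(datagram):
        raise ValueError("IPFIX length field does not match datagram size")
    return {"protocol": name, **header}

def summarize(datagrams) -> dict:
    """Count datagrams per protocol, e.g. to see what an exporter really sends."""
    counts = {}
    for d in datagrams:
        proto = classify(d)["protocol"]
        counts[proto] = counts.get(proto, 0) + 1
    return counts

# Constructed sample datagrams (headers only, no flow records).
SAMPLE_V5 = struct.pack("!HHIIIIBBH", 5, 0, 1000, 1523525552, 0, 1, 0, 0, 0)
SAMPLE_V9 = struct.pack("!HHIIII", 9, 0, 1000, 1523525552, 1, 0)
SAMPLE_IPFIX = struct.pack("!HHIII", 10, 16, 1523525552, 1, 0)

if __name__ == "__main__":
    print(summarize([SAMPLE_V5, SAMPLE_V9, SAMPLE_IPFIX, SAMPLE_IPFIX]))
```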

If you don't mind another component, you can put nProbe in front of Logstash to receive the Netflow export, or even decode raw traffic from a SPAN port to Netflow.
