Netflow influxdb - parse error

Sviks · January 18, 2018, 12:19pm

I get this error

[2018-01-18T12:23:11,400][WARN ][logstash.outputs.influxdb] 28.999Z"}
1516278190000': invalid boolean\nunable to parse 'logstash,host=xxx.xxx.xxx.xxx netflow={"ingressVRFID"=\u003e1610612736, "output_snmp"=\u003e40, "protocol"=\u003e1, "in_pkts"=\u003e1, "bgp_ipv4_next_hop"=\u003e"149.6.186.9", "version"=\u003e9, "in_bytes"=\u003e92, "flow_sampler_id"=\u003e8, "ipv4_dst_addr"=\u003e"211.233.10.82", "flowset_id"=\u003e260, "ipv4_src_addr"=\u003e"46.227.113.134", "egressVRFID"=\u003e1610612736, "src_mask"=\u003e32, "tcp_flags"=\u003e0, "first_switched"=\u003e"2018-01-18T12:22:28.999Z", "forwarding_status"=\u003e{"reason"=\u003e0, "status"=\u003e1}, "src_as"=\u003e0, "l4_src_port"=\u003e0, "dst_as"=\u003e3786, "direction"=\u003e1, "l4_dst_port"=\u003e0, "flow_seq_num"=\u003e14305323, "dst_mask"=\u003e18, "src_tos"=\u003e0, "input_snmp"=\u003e59, "last_switched"=\u003e"2018-01-18T12:22:28.999Z"}

1516278190000': invalid boolean\nunable to parse 'logstash,host=xxx.xxx.xxx.xxx netflow={"ingressVRFID"=\u003e1610612736, "output_snmp"=\u003e39, "protocol"=\u003e1, "in_pkts"=\u003e1, "bgp_ipv4_next_hop"=\u003e"80.77.137.150", "version"=\u003e9, "in_bytes"=\u003e64, "flow_sampler_id"=\u003e8, "ipv4_dst_addr"=\u003e"80.77.131.130", "flowset_id"=\u003e260, "ipv4_src_addr"=\u003e"80.67.81.45", "egressVRFID"=\u003e1610612736, "src_mask"=\u003e24, "tcp_flags"=\u003e0, "first_switched"=\u003e"2018-01-18T12:22:28.999Z", "forwarding_status"=\u003e{"reason"=\u003e0, "status"=\u003e1}, "src_as"=\u003e34164, "l4_src_port"=\u003e0, "dst_as"=\u003e0, "direction"=\u003e0, "l4_dst_port"=\u003e2048, "flow_seq_num"=\u003e14305323, "dst_mask"=\u003e25, "src_tos"=\u003e72, "input_snmp"=\u003e40, "last_switched"=\u003e"2018-01-18T12:22:28.999Z"}

config:

input {
udp {
port => 2055
codec => netflow
}
}
output {
influxdb {
host => "xxx.xxx.xxx.xxx"
db => "netflow_logstash"
use_event_fields_for_data_points => true
}
stdout { codec => rubydebug }
}

Sviks · January 19, 2018, 2:47pm

a tcp dump of http packet shows that it contains data after the }

logstash,host=xxx.xxx.xxx.xxx netflow={"egressVRFID"=>1610612736, "ipv4_dst_addr"=>"xxx.xxx.xxx.xxx", "flow_sampler_id"=>10, "input_snmp"=>67, "forwarding_status"=>{"reason"=>0, "status"=>1}, "direction"=>1, "first_switched"=>"2018-01-19T14:41:54.999Z", "last_switched"=>"2018-01-19T14:41:54.999Z", "dst_mask"=>10, "dst_as"=>xxxxxx, "output_snmp"=>23, "in_pkts"=>9, "flow_seq_num"=>20334520, "bgp_ipv4_next_hop"=>"xxx.xxx.xxx.xxx", "src_tos"=>0, "tcp_flags"=>26, "l4_src_port"=>53599, "flowset_id"=>260, "version"=>9, "in_bytes"=>3532, "ipv4_src_addr"=>"xxx.xxx.xxx.xxx", "l4_dst_port"=>443, "src_as"=>xxxxxx, "src_mask"=>32, "protocol"=>6, "ingressVRFID"=>1610612736} 1516372929000

system · February 16, 2018, 2:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.