Netflow Plugin does not decode all data-templates


#1

Hi,

Logstash version 5.6
The data templates sent from NetScaler are not all recognized by the netflow plugin. Some data templates are used, some are not.

Template IDs:
0|264:
0|265:
0|266:
0|267:
0|269:
0|270:
0|272:
0|278:
0|273:
0|279:
0|274:
0|281:
0|275:
0|276:
0|283:
0|277:
0|284:
0|285:
0|286:
0|288:
0|289:
0|290:
0|291:
0|299:
are used by Logstash and are written to ipfix_template.cache.

The Wireshark trace shows template IDs >264, but the templates are not written to the template cache, and Logstash logs for these packets:
' Can't (yet) decode flowset id 258 from observation domain id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.'

Hope someone can help.
Thanks in advance!

Edit:
Logstash also logs:
[2017-09-29T13:02:50,574][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>358, :enterprise=>5951, :length=>4}
[2017-09-29T13:02:50,577][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>491, :enterprise=>5951, :length=>4}
[2017-09-29T13:02:50,590][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>464, :enterprise=>5951, :length=>4}
[2017-09-29T13:02:50,590][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>451, :enterprise=>5951, :length=>8}
[2017-09-29T13:02:50,591][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>434, :enterprise=>5951, :length=>1}
[2017-09-29T13:02:50,591][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>403, :enterprise=>5951, :length=>1}
[2017-09-29T13:02:50,591][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>487, :enterprise=>5951, :length=>4}
[2017-09-29T13:02:50,591][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>509, :enterprise=>5951, :length=>4}
[2017-09-29T13:02:50,591][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>512, :enterprise=>5951, :length=>1}
[2017-09-29T13:02:50,591][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>492, :enterprise=>5951, :length=>4}
[2017-09-29T13:02:50,592][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>536, :enterprise=>5951, :length=>4}
[2017-09-29T13:02:50,593][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>392, :enterprise=>5951, :length=>2}
[2017-09-29T13:02:50,593][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>392, :enterprise=>5951, :length=>2}
[2017-09-29T13:02:50,593][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>392, :enterprise=>5951, :length=>2}
[2017-09-29T13:02:50,593][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>392, :enterprise=>5951, :length=>2}
[2017-09-29T13:02:50,593][WARN ][logstash.codecs.netflow ] Unsupported enterprise field {:type=>392, :enterprise=>5951, :length=>2}
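
For readers following the two warnings in the post above, this added example (not part of the original post and not the plugin's code) parses an IPFIX Template Set as laid out in RFC 7011, showing the template ID a data flowset is matched against and the enterprise bit that marks vendor-specific fields. The sample bytes are constructed, reusing template ID 258 and enterprise field 358/5951 from the post; IANA element 8 and the `known` list are assumptions.

```ruby
# Added example: minimal IPFIX (RFC 7011) Template Set parser.
TEMPLATE_SET_ID = 2

# Returns { template_id => [ { type:, length:, enterprise: }, ... ] }.
def parse_template_set(bytes)
  set_id, set_len = bytes.unpack('nn')
  raise ArgumentError, "not a template set (set id #{set_id})" unless set_id == TEMPLATE_SET_ID
  raise ArgumentError, 'truncated set' if set_len < 4 || set_len > bytes.bytesize

  templates = {}
  pos = 4
  # A template record header is 4 bytes; anything shorter at the end is padding.
  while pos + 4 <= set_len
    template_id, field_count = bytes.byteslice(pos, 4).unpack('nn')
    break if template_id < 256 # zero padding: data template IDs start at 256
    pos += 4
    fields = []
    field_count.times do
      raise ArgumentError, 'truncated field specifier' if pos + 4 > set_len
      raw_id, length = bytes.byteslice(pos, 4).unpack('nn')
      pos += 4
      enterprise = nil
      if (raw_id & 0x8000) != 0 # E bit set: a 4-byte enterprise number follows
        raise ArgumentError, 'truncated enterprise number' if pos + 4 > set_len
        enterprise = bytes.byteslice(pos, 4).unpack1('N')
        pos += 4
      end
      fields << { type: raw_id & 0x7FFF, length: length, enterprise: enterprise }
    end
    templates[template_id] = fields
  end
  templates
end

# Fields a decoder has no definition for. `known` is a hypothetical list of
# [enterprise, type] pairs standing in for the decoder's field definitions.
def unsupported_fields(fields, known)
  fields.reject { |f| known.include?([f[:enterprise], f[:type]]) }
end

# Constructed sample: one template (ID 258) with an IANA field and an
# enterprise-specific field (type 358, enterprise 5951, length 4).
SAMPLE_SET = [
  2, 20,             # set header: set ID 2, total length 20 bytes
  258, 2,            # template ID 258, 2 fields
  8, 4,              # IANA element 8, 4 bytes
  0x8000 | 358, 4    # enterprise element 358, 4 bytes (E bit set)
].pack('n*') + [5951].pack('N')
```

A data flowset whose set ID is 258 can be decoded only after a template with that ID has been parsed and stored, and each field in it still needs a definition for its `[enterprise, type]` pair.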

